By Lee Barrett, Marsali Hancock, Lesley Berkeyheiser, CCSFP,
and Elinela Perez, LL.M, CIPP/E.

About TNAP
Goal 1: Empower Individuals
Goal 2: Enable Providers and Communities
Goal 3: Public and Population Health
Goal 4: Open and Accessible APIs
About the Authors
Copyright © 2019 All rights reserved.
About TNAP
The Trusted Network Accreditation Program (TNAP), founded
by EHNAC, SAFE BioPharma Association, WEDI, eHealth Initiative
and the EP3 Foundation, leverages existing industry-wide identity
verification, authentication, privacy and security frameworks and
best practices already in use across the healthcare ecosystem. The
program provides third party review with accreditation for Trusted
Exchange participants, and a person-centered governance model
for security, privacy, regulatory compliance and rights
management, including compliance with new privacy regulatory
The initiative directly aligns with the development of the 21st
Century Cures Act including the Trusted Exchange Framework
and Common Agreement (TEFCA) and promotes
interoperability, assuring the security and privacy of trusted
networks, and the use of enabling technologies in the healthcare
ecosystem. Confirmed participants include HINs, HIEs, ACOs,
Data Registers, Lab, Providers, Payers, Vendors, and Suppliers.
This document is modeled after the Office of the National
Coordinator’s Draft Trusted Exchange Framework to empower
patients and provide a baseline of healthcare interoperability
along with acknowledgment of the data dams or areas of
challenge (blocking the desired flow of information) so needed to
move high volumes of sensitive data in a secure manner.
Each of the areas set forth below provides a summary of today’s
current environment, a real-life example, and the corresponding
data dams/blockages to the free flow of sensitive data. Lastly, this
document includes how the TNAP provides core features that
address each of these challenge areas.
Goal 1: Empower Individuals
In today’s healthcare world, some industry sectors
(like life insurance and research) have the ability to
consolidate longitudinal healthcare data about a
specific patient. However, that information is
typically not made available to the patient.
Real Life Scenario
A middle-aged woman with comprehensive private
insurance needs longitudinal data to observe trends
and make data-informed choices to improve her
health and well being. To do so, she must find,
access, and aggregate all of her health information.
This includes health records from her primary-care
doctor, specialists like ophthalmologist,
dermatologist, gynecologist, mental health
providers (who include psychiatrist and
psychologist), dentists and endodontist, podiatrist,
and physical therapist. It also includes her gym
records where she works weekly with her trainer and
nutritionist, logging detailed health records that
include weight, BMI, blood pressure, heart rate, daily
supplements, diet, and sleep patterns in an
Top Data Dams
Despite the fact that our patient is technically
savvy and tracks wellness information, she is limited
by her providers' proprietary or legacy technology.
Her insurance company gave her the Health
Records, but they only include claims information
from in-network providers. Her primary-care
physician, endodontist, podiatrist, and other
specialists belong to different hospitals and
healthcare systems. Her psychiatrist, psychologist,
and ophthalmologist have their own private
practice. When she asked for records from her
longtime dentist, only paper copies were made
available for which she had to pay. Some of her
clinics offered apps to communicate directly with
her. However, she has no ability to consolidate her
information even as a baseline for her own personal
use. When she chooses to pursue genetic testing,
this information cannot be amassed into the others
based on its sensitivity, even though it is all hers!
Improve patient ability to coordinate their own care
Not limited to what is stored in electronic health records
Access data from different resources (including technologies that individuals use every day)
Enable Individuals to access and aggregate longitudinal data
The Trusted Network Accreditation Program Resolution
The Trusted Network Accreditation Program provides a “measurement” or standard setting the
“Privacy and Security” bar related to the handling of healthcare data. Each participant or
“contributor” is required to follow identity, privacy, and security rules making information available
to patients in a method that supports all facets of healthcare delivery and receipt.
Goal 2: Enable Providers and Communities
Many healthcare providers have become certified in
Meaningful Use in various stages improving some
types of data exchange. However, exported data
remains inconsistent in quality, format, and content.
Additionally, stringent federal and state laws make
sharing certain kinds of information impossible
unless one can verify, in near real-time, the identity,
roles, and permissions of the providers, patients, and
all recipients of highly protected information.
Real Life Scenario
An 18-year-old patient was released from nine days
of inpatient, psychiatric crisis care. Now, she must
coordinate services to address her eating disorder
and alcohol addiction within her parents’ health
insurance. This entails the daunting task of
identifying providers and programs taking new
patients. Sadly, no in-network providers were
available and the only residential substance use
program with an opening is out of state.
Unfortunately, she is unable to receive electronic
health information from her substance use and
mental health providers and share them with her
new private practice psychiatrist.
Her safety is at risk! She has no communication
vehicle to coordinate her other health care providers
able to write prescriptions, such as a dentist or
podiatrist. She and her doctors are unaware of
serious unintended drug interactions when
combined with her privacy-protected medication.
Top Data Dams
Some providers, mitigating stringent state and
federal privacy laws, seem confused about the
HIPAA Individual Right to Access. They provide
sensitive data only in paper form. But even if
providers want to share data, it is difficult to agree
on the identity of the patient and the process to
confirm matching, linking and confidentiality
requirements. Additionally, apps that allow patients
to populate their own information create data
quality problems. When and how can
patient-entered information be imported to
electronic health records? What are the
requirements to ensure quality data with
provenance for peer-reviewed studies, population
safety, and patient care? Significant data obstacles
are caused by the lack of rules about who to share
with, when and how to share including Levels of
Assurance for Identity and Authentication.
Improve patient and provider safety
Increase efficiency
Gather and aggregate comprehensive data from many sources
Provide a common method for authenticating trusted health information network participants
The Trusted Network Accreditation Program Resolution
The Trusted Network Accreditation Program requires participants to produce evidence that they
meet HIPAA Privacy and Security requirements including enhanced standards for verifying roles
and identity, patient linking, permissions, sharing and authentication.
Goal 3: Public and Population Health
Recent natural disasters demonstrated that
electronic health information exchange in
emergency situations might be impossible.
Real Life Scenario
Long-term care facilities in the California wildfires were
unable to verify their patients' identity or access
their medical records immediately following
evacuation. Providing care without a verified patient
and provider identity creates liability risks. Mental
health medication, insulin, and even dialysis require
prescribing orders. Many facilities do not have
electronic health records, and not all patients have
hospital records. During Hurricane Maria, in Puerto
Rico, officials were unable to determine deaths or
health needs as a result of the disaster. Additionally,
data regarding immunizations are not credible.
Top Data Dams
Having a standardized method to record and
maintain the longitudinal patient information is a
necessity to allow for improved patient and provider
safety. Once again, we find that the need for set
patient matching, healthcare network contributor
credentialing (ability to be sure those who are
sharing/contributing or receiving data on the
network are who they say they are), is the core
Provide real-time, quality data collection
Deliver real-time actionable data
Provide privacy-protected, secure access to comprehensive health information
The Trusted Network Accreditation Program Resolution
The Trusted Network Accreditation Program provides a “measurement” or standard setting the
“Privacy and Security” bar related to the handling of healthcare data. Each participant or
“contributor” is required to follow privacy and security rules, to provide evidence that they are who
they say they are, and to promote efficient and secure exchange of information to facilitate direct
patient care and quality data collection in support of public need.
Goal 4: Open and Accessible APIs
In today’s healthcare world, those who build
healthcare systems that support gathering and
exchange do not allow for systems to seamlessly
connect to other systems. This includes electronic
health record systems, as well as device
Real Life Scenario
Our healthy middle-aged patient wants to add
fitness information to her favorite provider portal.
However, today, only certain devices work with her
current provider portal, thus requiring her to
purchase a different fitness tracker in order to
promote data tracking.
Another situation is that discharge data from one
inpatient provider to a rehabilitation center is not
seamless since the providers belong to different
healthcare systems. Therefore, instead of having an
efficient secure electronic data interchange, the
records drop back to paper form and delay delivery
of the most appropriate provider care possible.
Top Data Dams
Because vendors and device manufacturers are not
currently required to follow standard systems life
cycle development processes including building
Application Programming Interfaces that are “open”
and usable by all, systems cannot seamlessly or
easily pass data from one to another. Often, if this is
desired, someone, usually the patient, has to pay for
the custom programming to be reworked to meet
the goal.
Enable open and accessible application programming interfaces (APIs)
User-focused innovation to make health information more accessible
Improve electronic health record usability
The Trusted Network Accreditation Program Resolution
The Trusted Network Accreditation Program requires standard privacy and security rules to be
followed including the best practice life cycle development. This means, whether working with an
electronic health network system or a medical device, data is moved in and out of that system in
the same method. This is similar to how financial data is moved around in today’s world.
Promoting the use of standards for this data sharing such as the FHIR (Fast Healthcare
Interoperability Resource Specification) standard is also contained within the TNAP program.
About the Authors
EP3 Foundation, a 501(c)3 nonprofit, is a multi-sector
community of standards organizations, industry leaders,
researchers, and government agencies committed to
privacy-preserving data sharing. The EP3 Foundation networks
use new data paradigms to give you the power to access,
protect, and share data without revealing personal or sensitive
The Electronic Healthcare Network Accreditation Commission
(EHNAC) is a voluntary, self-governing standards development
organization (SDO) established to develop standard criteria and
accredit organizations that electronically exchange healthcare
data. These entities include accountable care organizations, data
registries, electronic health networks, EPCS vendors,
e-prescribing solution providers, financial services firms, health
information exchanges, health information service providers,
management service organizations, medical billers, outsourced
service providers, payers, practice management system vendors
and third-party administrators. The Commission is an authorized
HITRUST CSF Assessor, making it the only organization with the
ability to provide both EHNAC accreditation and HITRUST CSF
Contact us to participate