This subpart establishes Designation qualifications.

(a) Applicant QHIN. An Applicant QHIN must meet all requirements in § 172.201 to be Designated. An Applicant QHIN that proposes to offer Individual Access Services must also meet all requirements in § 172.202 to be Designated.

(b) QHIN. A QHIN must continue to meet all requirements in § 172.201 to maintain its Designation. A QHIN that offers Individual Access Services must also continue to meet all requirements in § 172.202 to maintain its Designation.

(c) Performance of TEFCA Exchange. The Designation qualifications in §§ 172.201 and 172.202 describe certain requirements for Designation.

(a) Ownership requirements. An entity must:

(1) Be a U.S. Entity;

(2) Not be under Foreign Control.

(b) Exchange requirements. An entity must, beginning at the time of application, either directly or through the experience of its parent entity:

(1) Be capable of exchanging information among more than two unaffiliated organizations;

(2) Be capable of exchanging all Required Information;

(3) Be exchanging information for at least one Exchange Purpose authorized under TEFCA;

(4) Be capable of receiving and responding to transactions from other QHINs for all Exchange Purposes authorized under TEFCA; and

(5) Be capable of initiating transactions for the Exchange Purposes authorized under TEFCA that such entity will permit its Participants and Subparticipants to use through TEFCA Exchange.

(c) Designated Network Services requirements. An entity must:

(1) Maintain the organizational infrastructure and legal authority to operate and govern its Designated Network;

(2) Maintain adequate written policies and procedures to support meaningful TEFCA Exchange and fulfill all responsibilities of a QHIN in this part;

(3) Maintain a Designated Network that can support a transaction volume that keeps pace with the demands of network users;

(4) Maintain the capacity to support secure technical connectivity and data exchange with other QHINs;

(5) Maintain an enforceable dispute resolution policy governing Participants in the Designated Network that permits Participants to reasonably, timely, and fairly adjudicate disputes that arise between each other, the QHIN, or other QHINs;

(6) Maintain an enforceable change management policy consistent with the responsibilities of a QHIN;

(7) Maintain a representative and participatory group or groups with the authority to approve processes for governing the Designated Network;

(8) Maintain privacy and security policies that permit the entity to support TEFCA Exchange;

(9) Maintain data breach response and management policies that support meaningful TEFCA Exchange; and

(10) Maintain adequate financial and personnel resources to support all its responsibilities as a QHIN, including sufficient financial reserves or insurance-based cybersecurity coverage, or a combination of both.

The following requirements apply to QHINs that offer Individual Access Services:

(a) A QHIN must obtain express consent from any individual before providing Individual Access Services.

(b) A QHIN must make publicly available a privacy and security notice that meets minimum TEFCA standards.

(c) A QHIN, that is the IAS provider for an Individual, must delete the individual's Individually Identifiable Information maintained by the QHIN upon request by the individual except as prohibited by Applicable Law or where such information is contained in audit logs.

(d) A QHIN must permit any Individual to export in a computable format all of the Individual's Individually Identifiable Information maintained by the QHIN as an Individual Access Services provider.

(e) All Individually Identifiable Information the QHIN maintains must satisfy the following criteria:

(1) All Individually Identifiable Information must be encrypted.

(2) Without unreasonable delay and in no case later than sixty (60) calendar days following discovery of the unauthorized acquisition, access, Disclosure, or Use of Individually Identifiable Information, the QHIN must notify in plain language each Individual whose Individually Identifiable Information has been or is reasonably believed to have been affected by unauthorized acquisition, access, Disclosure, or Use involving the QHIN.

(3) A QHIN must have an agreement with a qualified, independent third-party credential service provider and must verify, through the credential service provider, the identities of Individuals seeking Individual Access Services prior to the Individuals' first use of such services and upon expiration of their credentials.