Regulations last checked for updates: Jan 18, 2025

Title 45 - Public Welfare last revised: Jan 16, 2025
All TitlesTitle 45Chapter APart 172Subpart A - Subpart A—General Provisions
View all text of Subpart A [§ 172.100 - § 172.103]
§ 172.102 - Definitions.

For purposes of this part, the following definitions apply:

Applicable Law. All Federal, State, local, or Tribal laws and regulations then in effect and applicable to the subject matter in this part. For the avoidance of doubt, Federal agencies are subject only to Federal law.

Applicant QHIN. Any organization with a pending QHIN application before the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC).

Business Associate Agreement (BAA). A contract, agreement, or other arrangement that satisfies the implementation specifications described within 45 CFR parts 160 and subparts A, C, and E of 45 CFR part 164, as applicable.

Business day or business days. Monday through Friday, except the legal public holidays specified in 5 U.S.C. 6103 and any day declared to be a holiday by Federal statute or Executive order.

Common Agreement. The most recent version of the agreement referenced in section 3001(c)(9) of the Public Service Health Act as published in the Federal Register.

Confidential Information. Any information that is designated as Confidential Information by the person or entity that discloses it, or that a reasonable person would understand to be of a confidential nature and is disclosed to another person or entity pursuant to TEFCA Exchange. For the avoidance of doubt, “Confidential Information” does not include electronic protected health information (ePHI). Notwithstanding any label to the contrary, “Confidential Information” does not include any information that:

(1) Is or becomes known publicly through no fault of the recipient; or

(2) Is learned by the recipient from a third party that the recipient reasonably believes is entitled to disclose it without restriction; or

(3) Is already known to the recipient before receipt from the discloser, as shown by the recipient's written records; or

(4) Is independently developed by recipient without the use of or reference to the discloser's Confidential Information, as shown by the recipient's written records, and was not subject to confidentiality restrictions prior to receipt of such information from the discloser; or

(5) Must be disclosed under operation of law, provided that, to the extent permitted by Applicable Law, the recipient gives the discloser reasonable notice to allow the discloser to object to such redisclosure, and such redisclosure is made to the minimum extent necessary to comply with Applicable Law.

Connectivity Services. The technical services provided by a QHIN, Participant, or Subparticipant to its Participants and Subparticipants that facilitate TEFCA Exchange and are consistent with the technical requirements of the TEFCA framework.

Covered Entity. Has the meaning assigned to such term at 45 CFR 160.103.

Designated Network. The health information network that a QHIN uses to offer and provide Designated Network Services.

Designated Network Services. The Connectivity Services and/or Governance Services.

Designation (including its correlative meanings “Designate,” “Designated,” and “Designating”). The written determination that an Applicant QHIN has satisfied all requirements and is now a QHIN.

Disclosure (including its correlative meanings “Disclose,” “Disclosed,” and “Disclosing”). The release, transfer, provision of access to, or divulging in any manner of TEFCA Information (TI) outside the entity holding the information.

Electronic Protected Health Information (ePHI). Has the meaning assigned to such term at 45 CFR 160.103.

Exchange Purpose(s) or XP(s). The reason, as authorized by a Framework Agreement, including the applicable standard operating procedure(s) (SOP(s)), for a transmission, Query, Use, Disclosure, or Response transacted through TEFCA Exchange.

Exchange Purpose Code or XP Code. A code that identifies the Exchange Purpose being used for TEFCA Exchange.

Foreign Control. A non-U.S. Person(s) or non-U.S. Entity(ies) having the direct or indirect power, whether or not exercised, to direct or decide matters materially affecting the Applicant's ability to function as a QHIN in a manner that presents a national security risk.

Framework Agreement(s). With respect to QHINs, the Common Agreement; and with respect to a Participant or Subparticipant, the Participant/Subparticipant Terms of Participation (ToP).

Governance Services. The governance functions described in applicable SOP(s), which are performed by a QHIN's Designated Network Governance Body for its Participants and Subparticipants to facilitate TEFCA Exchange in compliance with the then-applicable requirements of the Framework Agreements.

Health information network or HIN. The meaning assigned to it in 45 CFR 171.102.

Individual has the meaning assigned to such term at 45 CFR 171.202(a)(2).

HIPAA. The Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Rule. The regulations set forth in 45 CFR part 160 and subparts A and E of 45 CFR part 164.

HIPAA Rules. The regulations set forth at 45 CFR parts 160, 162, and 164.

HIPAA Security Rule. The regulations set forth in 45 CFR part 160 and subparts A and C of 45 CFR part 164.

Individual. Has the meaning assigned to such term at 45 CFR 171.202(a)(2).

Individual Access Services (IAS). The services provided to an Individual by a QHIN, Participant, or Subparticipant that has a direct contractual relationship with such Individual in which the QHIN, Participant or Subparticipant, as applicable, agrees to satisfy that Individual's ability to access, inspect, or obtain a copy of that Individual's Required Information using TEFCA Exchange.

Individually Identifiable Information. Refers to information that identifies an Individual or with respect to which there is a reasonable basis to believe that the information could be used to identify an Individual.

Node. A technical system that is controlled directly or indirectly by a QHIN, Participant, or Subparticipant and that is listed in the RCE Directory Service.

Non-U.S. Entity. Any entity that is not a U.S. Entity.

Non-U.S. Person. Any Individual who is not a U.S. Qualified Person.

Onboarding. The process a prospective QHIN must undergo to become a QHIN and become operational in the production environment.

Organized Health Care Arrangement. Has the meaning assigned to such term at 45 CFR 160.103.

Participant. A U.S. Entity that has entered into the Participant/Subparticipant Terms of Participation in a legally binding contract with a QHIN to use the QHIN's Designated Network Services to participate in TEFCA Exchange in compliance with the Participant/Subparticipant Terms of Participation.

Participant/Subparticipant Terms of Participation (ToP). The requirements to which QHINs must contractually obligate their Participants to agree; to which QHINs must contractually obligate their Participants to contractually obligate their Subparticipants and Subparticipants of the Subparticipants to agree, in order to participate in TEFCA Exchange including the QHIN Technical Framework (QTF), all applicable SOPs, and all other attachments, exhibits, and artifacts incorporated therein by reference.

Qualified Health Information Network® or QHIN TM. A Health Information Network that has been so Designated.

Query(s) (including its correlative uses/tenses “Queried” and “Querying”). The act of asking for information through TEFCA Exchange.

Recognized Coordinating Entity® (RCE®). The entity selected by ASTP/ONC that enters into the Common Agreement with QHINs in order to impose, at a minimum, the requirements of the Common Agreement, including the SOPs and the QTF, on the QHINs and administer such requirements on an ongoing basis. The RCE is a Party to the Common Agreement.

Required Information. The Electronic Health Information, as defined in 45 CFR 171.102, that is:

(1) Maintained in a Responding Node by any QHIN, Participant, or Subparticipant prior to or during the term of the applicable Framework Agreement; and

(2) Relevant for a required XP Code.

Responding Node. A Node through which the QHIN, Participant, or Subparticipant Responds to a received transaction for TEFCA Exchange.

Response(s) (including its correlative uses/tenses “Responds,” “Responded” and “Responding”). The act of providing the information that is the subject of a Query or otherwise transmitting a message in response to a Query through TEFCA Exchange.

Subparticipant: a U.S. Entity that has entered into the Participant/Subparticipant Terms of Participation in a legally binding contract with a Participant or another Subparticipant to use the Participant's or Subparticipant's Connectivity Services to participate in TEFCA Exchange in compliance with the Participant/Subparticipant Terms of Participation.

TEFCA Dispute Resolution Process. An informal, non-binding process under TEFCA through which QHINs can meet, confer, and seek to amicably resolve disputes.

TEFCA Exchange. The transaction of information between Nodes using an XP Code.

TEFCA Information or TI. Any information that is transacted through TEFCA Exchange except to the extent that such information is received by a QHIN, Participant, or Subparticipant that is a Covered Entity, Business Associate, or non-HIPAA entity that is exempt from compliance with the Privacy section of the applicable Framework Agreement and is incorporated into such recipient's system of record, at which point the information is no longer TEFCA Information with respect to such recipient and is governed by the HIPAA Rules and other Applicable Law.

TEFCA Security Incident. (1) An unauthorized acquisition, access, Disclosure, or Use of unencrypted TEFCA Information using TEFCA Exchange, except any of the following:

(i) Any unintentional acquisition, access, Use, or Disclosure of TEFCA Information by a Workforce Member or person acting under the authority of a QHIN, Participant, or Subparticipant, if such acquisition, access, Use, or Disclosure:

(A) Was made in good faith;

(B) Was made by a person acting within their scope of authority;

(C) Was made to another Workforce Member or person acting under the authority of any QHIN, Participant, or Subparticipant; and

(D) Does not result in further acquisition, access, Use, or Disclosure in a manner not permitted under Applicable Law and the Framework Agreements.

(ii) A Disclosure of TI where a QHIN, Participant, or Subparticipant has a good faith belief that an unauthorized person to whom the Disclosure was made would not reasonably have been able to retain such information.

(iii) A Disclosure of TI that has been de-identified in accordance with the standard at 45 CFR 164.514.

(2) Other security events that adversely affect a QHIN's, Participant's, or Subparticipant's participation in TEFCA Exchange.

Threat Condition. (1) A breach of a material provision of a Framework Agreement that has not been cured within fifteen (15) calendar days of receiving notice of the material breach (or such other period of time to which the Parties have agreed), which notice shall include such specific information about the breach that the RCE has available at the time of the notice; or

(2) A TEFCA Security Incident; or

(3) An event that the RCE, a QHIN, its Participant, or their Subparticipant has reason to believe will disrupt normal TEFCA Exchange, either due to actual compromise of, or the need to mitigate demonstrated vulnerabilities in systems or data, of the QHIN, Participant, or Subparticipant, as applicable, or could be replicated in the systems, networks, applications, or data of another QHIN, Participant, or Subparticipant; or

(4) Any event that could pose a risk to the interests of national security as directed by an agency of the United States government.

Trusted Exchange Framework. The most recent version of the framework referenced in section 3001(c)(9) of the Public Service Health Act published in the Federal Register.

U.S. Entity/Entities. Any corporation, limited liability company, partnership, or other legal entity that meets all of the following requirements:

(1) The entity is organized under the laws of a state or commonwealth of the United States or the Federal law of the United States and is subject to the jurisdiction of the United States and the state or commonwealth under which it was formed;

(2) The entity's principal place of business, as determined under Federal common law, is in the United States; and

(3) None of the entity's directors, officers, or executives, and none of the owners with a five percent (5%) or greater interest in the entity, are listed on the Specially Designated Nationals and Blocked Persons List published by the United States Department of the Treasury's Office of Foreign Asset Control or on the United States Department of Health and Human Services, Office of Inspector General's List of Excluded Individuals/Entities.

U.S. Qualified Person. Those individuals who are U.S. nationals and citizens at birth as defined in 8U.S.C. 1401,U.S. nationals but not citizens of the United States at birth as defined in 8 U.S.C. 1408,lawful,and.S. Entity as an employee in a specialty occupation pursuant to an H-1B Visa.

Use(s) (including correlative uses/tenses, such as “Uses,” “Used,” and “Using”). With respect to TI, means the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

authority: 42 U.S.C. 300jj-11; 5 U.S.C. 552.
source: 89 FR 101810, Dec. 16, 2024, unless otherwise noted.
cite as: 45 CFR 172.102
© 2014 CustomsMobile | Disclaimer | Privacy | About