⌘K
Sign upSign in

TEFCA Interoperability Gateway

Trusted Exchange Framework & Common Agreement — QHIN-ready health information exchange

QHIN Infrastructure ReadyPhases 1-3 Complete · QHIN partner: KONZA HealthIntegration guide Exchange playground OpenAPI SpecLegacy path migration

KONZA go-live — Tuesday, June 17, 2026

Production cutover ready

OAuth, POU enforcement, sandbox stub, XCA retrieve, webhooks, and exchange logging are in place. Follow the go-live runbook to activate KONZA in production on Tuesday.

Go-live runbook Certification checklist KONZA status @parkerapex/tefca-client

Designated QHIN Partner

KONZA Health

Parker Apex routes outbound TEFCA exchange through KONZA Health — a Designated QHIN since 2023-12-12. Formal production integration: Tuesday, June 17, 2026. Resolve the live organization OID via GET /tefca/directory before XCPD/XCA outbound calls.

xcpdxcafhirdirect
KONZA QHIN portal

Live API Status — TEFCA Gateway

Probing production endpoints…

Rate Limits & SLA

Rate limit

30 XCPD/min · 20 XCA/min

Burst

10 req/sec

Uptime SLA

99.95%

Support

24×7 P1 · 1h

P95 latency

< 2.5s XCA

Retention

Exchange audit 7y

TEFCA exchange playground

Four-step flow against the sandbox gateway: directory → XCPD → XCA → document retrieve. Requires bearer tokens with tefca.xcpd.read and tefca.xca.read. Run seed_konza_sandbox.py first for the KONZA stub partner.

Integration guide

Patient Discovery (XCPD)

Cross-community patient identity resolution following IHE XCPD. Inbound /tefca/xcpd/discover and outbound /tefca/xcpd/search.

IHE ITI-55

Document Query (XCA)

Cross-community access to clinical documents and FHIR resources. Inbound /tefca/xca/query and outbound /tefca/xca/search.

IHE ITI-38/39

Network Directory

Public QHIN partner directory — locate KONZA Health OID via GET /tefca/directory.

TEFCA RCE

Implementation Status

Phase 1

Core Infrastructure

  • FHIR R4 API (96.7%)
  • SMART on FHIR OAuth
  • HAPI FHIR Server
  • US Core Profiles
Phase 2

Exchange Patterns

  • Patient Discovery (XCPD)
  • Document Query (XCA)
  • Network Directory
  • Certificate Management
Phase 3

QHIN Readiness

  • Trust Framework Policies
  • Audit Trail Integration
  • SLA Monitoring
  • Compliance Certification

All exchange calls require GPID for outbound queries and purpose_of_use (TREAT, HPAYMT, etc.). See scope reference for tefca.xcpd.* and tefca.xca.* scopes.

TEFCA API Endpoints

6 routes · aligned with production Flask gateway
POST
/tefca/xcpd/discoverOAuth

Inbound Patient Discovery (XCPD)

500ms/1500ms30/min200
POST
/tefca/xcpd/searchOAuth

Outbound Patient Discovery (XCPD)

600ms/1800ms30/min200
POST
/tefca/xca/queryOAuth

Inbound Document Query (XCA)

800ms/2500ms20/min200
POST
/tefca/xca/searchOAuth

Outbound Document Query (XCA)

900ms/2800ms20/min200
GET
/tefca/directory

QHIN Network Directory

80ms/200ms120/min200
GET
/tefca/directory/{oid}

QHIN Partner Detail

60ms/150ms120/min200

Integration toolkit

SandboxAPI PlaygroundOpenAPI Try-it-outCertificationWebhooks
Postman collection (9 requests)Import the same JSON into Insomnia

Official SDKs

Generate TypeScript client →·Python →·All SDKs

TEFCA / KONZA certification track

16 required items · platform + product-specific checks

Full checklist →
  • First authenticated API call in sandbox
  • OAuth or API key with least-privilege scopes
  • FHIR R4 read against sandbox lake
  • GPID boundary headers on write paths
  • Webhook HMAC-SHA256 verification implemented
  • Webhook idempotency by delivery ID

+14 more on the certification page

Complete all required items before production go-live

Webhook events for TEFCA / KONZA

Subscribe at /webhooks — verify HMAC-SHA256 signatures

Event catalog →
tefca.exchange.completedTEFCA / KONZA

Outbound or inbound XCPD/XCA exchange finished (success or empty result).

{
  "event": "tefca.exchange.completed",
  "exchange_type": "xcpd",
  "direction": "outbound",
  "gpid": "APX-1A2B3C4D",
  "target_organization_oid": "2.16.840.1.113883.3.2791.1",
  "purpose_of_use": "TREAT",
  "success": true
}
tefca.consent.deniedTEFCA / KONZA

Exchange blocked by patient consent or policy for the declared purpose of use.

{
  "event": "tefca.consent.denied",
  "exchange_type": "xca",
  "gpid": "APX-1A2B3C4D",
  "purpose_of_use": "TREAT",
  "reason": "Patient consent does not permit this disclosure"
}