The Trump administration unveiled new efforts to increase oversight of the Trusted Exchange Framework and Common Agreement (TEFCA), including hiring a federal IT contractor to provide audit, review, and compliance support.
TFCA is a government-sponsored health data sharing initiative that allows patients, health care providers, and payers to share health records. This was mandated by the 21st Century Cures Act in 2016 and went into effect in December 2023.
The Department of Health and Human Services’ Office of Medical Information Technology announced Friday that the number of medical records exchanged through TEFCA has increased from 10 million in early 2005 to more than 1 billion.
The Office of the National Health Information Technology Coordinator (ONC), HHS’ health IT policy arm, has signed a new contract to increase network oversight and ensure that organizations participating in TEFCA are following required policies and procedures, the agency said in a press release.
ONC is also conducting additional reviews of Qualified Health Information Networks (QHINs) and their participants to ensure compliance with TEFCA regulations and operational requirements.
“Americans deserve safe and timely access to their health records,” Department of Health Secretary Robert F. Kennedy Jr. said in a statement. “We are strengthening TEFCA to give patients control over their health information, improve care coordination, and ensure that health data moves securely where it is needed. Access to one’s own health records is a fundamental right.”
Alliance Global Tech Inc., a company specializing in federal IT services such as cybersecurity, cloud solutions and data analytics, has signed a five-year contract to provide TEFCA audit, review and compliance support to HHS, according to a new listing on USASpending.gov. USASpending.gov is the official open data source for federal spending information, including information on federal awards such as contracts, grants, and loans.
The five-year agreement is worth up to $5.62 million and is structured with a one-year baseline of approximately $1.28 million, with annual renewal options through June 2031.
HHS officials said the new investment will support ONC’s “ongoing efforts to maintain a secure and reliable national health information network.”
Citing the company’s website, Christian Robles, a health tech reporter for Inside Health Policy, reported that the company uses AI to flag whether TEFCA participants need to be vetted by subject matter experts or federal authorities. Alliance Global Tech has since removed information about TEFCA from its website.
There are growing calls for increased oversight of national data-sharing networks. Healthcare technology leaders have expressed concern that companies are abusing TEFCA and misrepresenting their intentions by using the “treatment” pathway to access and monetize patient medical records.
Back in January, more than 75 health care organizations sent a letter to federal regulators citing problems with “bad actors” accessing patient health information and highlighting the need for centralized oversight and governance of national health data exchange frameworks, including TEFCA and Care Quality.
The organization argues that current processes of self-certification and decentralized monitoring are not sufficient to protect patient data. Healthcare systems are demanding more established rules of the road and stronger protections to prevent fraud on their networks.
Under the Trump administration, HHS has also stepped up its enforcement of information blackouts. In September, the department announced it would devote more resources to investigating and enforcing information blackout rules. ONC has sent notifications to certified health IT developers about potential nonconformities under the ONC Health IT certification program, Dr. Thomas Keane, National Coordinator for Health IT, told HIMSS26 attendees at the March conference.
If a breach is confirmed, health IT developers could be fined up to $1 million per violation, and health care providers could lose their Medicare payments. He noted that more than 1,500 complaints alleging blackouts have been filed since HHS launched the blackout complaint portal.
“Seamless interoperability is essential to quality health care. Medical records must be easily exchangeable between health care providers and patients,” Chris Klomp, HHS Principal Counsel and Center for Medicare Director, said in a statement. “When critical health information is blocked or withheld, patients suffer the consequences. We are committed to leveraging all appropriate regulatory and policy tools available to eradicate information blocking and protect patients’ right to access their health data.”
Keene said in a statement that when ONC identifies conduct on the network that has potential civil or criminal consequences, such as information blackout or fraud, the agency refers to appropriate executive branch agencies, such as the HHS Office for Civil Rights, the HHS Office of Inspector General, or the Department of Justice, for investigation.
Individuals who believe that they have been denied the right to access their health information or that its security has been compromised may file a complaint with the HHS Office for Civil Rights.
