Health tech and artificial intelligence companies see ripe opportunities to offer solutions that help patients access and share their medical data with digital health apps. And it comes at a time when the federal government is pushing for consumer-directed data exchange.
HealthEx, a company that built data rights management solutions, launched a platform to provide real-time patient access to complete health records. The company worked with a team of industry partners to develop a process that verifies patient identity, captures consent and retrieves clinical records, enabling the data to flow without the patient doing multiple patient portal logins.
The company aims to create an “Apple Wallet” for health records, executives said.
CLEAR, an identity verification tech company often found at airports, worked with HealthEx on the initiative, along with national electronic health record company athenahealth, healthcare interoperability company MedAllies and the CommonWell Health Alliance.
The new platform, and other efforts like it, advance individual access services (IAS) as one of the exchange purposes under the Trusted Exchange Framework and Common Agreement (TEFCA), a government-backed data exchange framework.
HealthEx says it's among the first technology providers to successfully deliver end-to-end patient data interoperability using the IAS exchange purpose.
"HealthEx is now one of the first platforms to make it possible for individuals to access, share and view their comprehensive health records for their own use, and really with any trusted third party," Priyanka Agarwal, M.D., CEO of HealthEx, told Fierce Healthcare in an interview.
The HealthEx platform for IAS orchestration will be available for early adopters next month, including payers, providers and digital health companies.
"This is very timely in the context of the CMS vision for a patient-centric healthcare ecosystem. This is really no longer a theory or policy, the work that we're doing, it's ready for early adopters starting in September," Agarwal said.
Last week, xCures, a company that uses AI to pull together patients' medical records, also launched a fully operational IAS within TEFCA. The company said it marked a "major step toward seamless, nationwide patient data access."
XCures also worked with CLEAR for secure patient identification along with EHR giant Epic and Kno2, a designated Qualified Health Information Network (QHIN), to query and retrieve patient data from the extensive network of healthcare organizations participating in TEFCA.
Overseen by the Office of the National Coordinator for Health Information Technology (ONC), a division of the Department of Health and Human Services, TEFCA is a nationwide network to exchange patient data that was mandated by the 21st Century Cures Act back in 2016.
Large national health information networks have stepped up to serve as the backbone for TEFCA connectivity. TEFCA connects these networks—known as QHINs—to each other by creating a common set of technology standards and policy requirements that allow those connections.
According to the ONC, 9,200 separate organizations have signed up to participate in TEFCA Exchange. These organizations represent more than 41,000 unique connections to clinicians, hospitals, clinics and other healthcare providers, the ONC says.
At a White House event late last month, the Centers for Medicare & Medicaid Services (CMS) announced an ambitious vision to make health data sharing easier, as Emma Beavins reported. The federal government secured voluntary commitments from 60 healthcare technology organizations, including Amazon, Anthropic, Apple, Google and OpenAI, to work collaboratively on a new health tech advancement initiative. The 60 companies will deliver results in the first quarter of 2026, though what those deliverables look like remains to be seen.
The CMS pushed two priorities—an interoperability framework to enable seamless information exchange between patients and providers and a health tech ecosystem to improve access to personalized tools for patients.
The goal is to enable patients to take control of their health data without middlemen and gatekeepers.
"HealthEx is really acting as a bridge for [CMS'] two priorities," Agarwal said. "We're enabling patients to not just view their records, but put them to work in digital health apps, AI agents, or with any third parties they trust."
Agarwal said building the platform was a "cross-industry" effort.
HealthEx's platform verifies patient identity and authenticates users through CLEAR, which meets the National Institute of Standards and Technology's (NIST) Identity Assurance Level 2 (IAL2) standards, while also capturing patient consent.
It then retrieves clinical records from athenahealth via cross-network exchange with MedAllies and CommonWell Health Alliance, two TEFCA QHINs.
"What we've done is really innovative and pushing the envelope forward. We did cross-QHIN data access from MedAllies to CommonWell Health Alliance. That really shows the complexity of accessing data in this manner," Agarwal said.
HealthEx's platform enables patients to have full transparency into data access and control over consent decisions. Patients have the ability to update and change consents at any time, according to the company.
"Individuals can view their data. They can access their data, and they have full audit trails for when they access their data. If they made it available to any third party, they can change their mind about any of those past decisions. I think this notion of trust and patient empowerment is really central to the effort," Agarwal said.
These efforts are supported by the work over the past several years the build out the foundations of TEFCA, according to Sam Lambson, vice president of data and ecosystem platform at athenahealth.
Athenahealth has pushed forward to be one of the first EHRs to fully adopt TEFCA across its entire customer base. It recently hit a key milestone with more than 100,000 provider customers now connected to TEFCA. It says it's the first healthcare IT company to implement TEFCA at scale.
"What's really neat about this is we have no special relationship with HealthEx. We haven't signed any special agreement other than this common agreement as part of TEFCA that everyone that's connecting there has to abide by certain principles and standards and technical implementation guides," Lambson told Fierce Healthcare.
"What we've done at athena is made the effort to comply with all of those technical specifications, and work with our customers to get them opted in and on the network. That brings scale to companies like HealthEx [that] are trying to gain access to all the ambulatory providers, which otherwise would have been very, very challenging," he said.
Policies supporting individual access to medical records have been in place, but there were technical roadblocks to getting it operational, according to John Blair, M.D., CEO of MedAllies.
"There are so many nuances on the technical side when you're rolling out these networks. Treatment [as an exchange purpose] had been going on for well over a decade, so a lot of that had been hammered out. It took about two years to get all the bugs out and all the enhancements that were necessary to hop from network to network, and EHR to EHR. Individual access services, for better or worse, is even more involved because you've got a credentialed service provider to do the identity management. CLEAR, for example, has to tie in to the HealthEx platform and it then has to tie into our network. That has to pour over to the next QHIN," Blair said.
For the past year and a half, the industry partners have been "working heads down to get all those different 'hops' to work," he added. "Once that's done, it can roll out broadly across the install base pretty quickly, but all of those little nuanced pieces have taken a while."
He expects other IAS efforts like HealthEx and xCures to ramp up soon.
"There's two or three other major EHR vendors that we're working with that should be coming on live soon. We're working with another half a dozen individual access service providers that are going live. What you're going to see now is that work for the last year and a half opening everything up," Blair said.
"If you look at the transaction volume for treatment, it's several million a day transactions. If you look at it for individual access, you're looking at a couple a day. I would submit that by the end of this year, you're going to be pushing up there again around a million. A year from now, it will probably be several million," Blair added.
While the technical connections behind the scenes are complex, the experience for patients is fairly straightforward, according to executives.
CLEAR, which has been building out its solutions for healthcare, uses secure biometric verification to authenticate users. Once verified, individuals can use their identity across participating systems and services, eliminating redundant verification steps.
Agarwal offered a real-world example of a Medicare patient who recently had cataract surgery and needed to coordinate medications between her surgeon and primary care doctor at different hospitals. "Rather than having to call multiple systems to make sure the records were available, using a service like ours, the patient can view those records and then directly share them with the provider of their choice," she said.
This opens up the market for digital health apps and AI agents to use patients' data to offer more personalized health services. "Different companies will distinguish themselves on how much extra wraparound they're adding to that, but we're right on the cusp with this really opening up widely," Blair said.
This individual access service offers a big "unlock" to patients to share information without getting "bogged down in remembering the log-in they had or the different providers they've seen," Lambson said.
These connections also enable easier data sharing for ambulatory providers who are often left out of the conversation, he noted.
"It's the acute medical centers that have big IT budgets to focus on technology. When you're an ambulatory provider, two or three providers or a small practice, those types of technology and those interfaces are hard," Lambson said.
These efforts to make healthcare data more useful go beyond simply accessing medical data, Agarwal noted.
"We want to go beyond this notion of data access, which is where I think a lot of this world has been focused on, 'Hey, how do we make the data move?' But patients don't care about data moving. They care about being able to manage their meds with their doctor, or they care about being able to use a diabetes app. We want to go that extra step in delivering real value to individual patients, and to have this be extremely consumer-centric in nature," she said.
There are ongoing concerns about protecting the security and privacy of patients' medical records with the growth of digital health apps and AI tools, as many of these consumer-facing tech tools are not subject to federal health data rules like the Health Insurance Portability and Accountability Act.
The TEFCA Common Agreement requires strong privacy and security protections for all entities that elect to participate in TEFCA, including entities not covered by HIPAA, according to ONC/ASTP.
Organizations must obtain HITRUST certification, and TEFCA adds more protections on top of HIPAA. Participants must follow higher privacy and security standards, according to industry experts.
"Under TEFCA, they put the bar pretty high. You've got to be bare minimum HITRUST-certified and you've got to undergo that reassessment every year. They have a security work group of chief information security officers that are very knowledgeable. So on the security side, they are working very hard on it," Blair said.
"The frustration people have is [interoperability] is not moving fast enough and expanding the exchange purposes. But the main reason is that there's a great deal of care on what's going to happen with the data, and a lot of that comes from patients, consumers and also the providers. The data holders are concerned about the release of data that would not be what the patient wishes. So there's a lot of time and energy spent on all of that," he added.