More than 75 health systems call for stepped-up oversight of patient data sharing

More than 75 health systems sent a letter to federal officials calling for stronger oversight of nationwide data sharing networks, flagging issues with "bad actors" gaining access to patients' medical information.

The health systems, including AdventHealth, Cedars-Sinai Medical Center, The MetroHealth System, NYU Langone, UMass Memorial Health, Stanford Health Care and Sutter Health, are calling for more centralized oversight and governance for the nationwide health data exchange frameworks, including the Trusted Exchange Framework and Common Agreement (TEFCA) and Carequality.

The letter, addressed to The Sequoia Project CEO Mariann Yeager and Steve Posnack, deputy assistant secretary for technology policy at the U.S. Department of Health and Human Services (HHS), calls for stepped-up safeguards for data sharing, including more rigorous oversight and governance of who gets access to patients' medical information, better monitoring for fraud and more transparency into network activity.

The organizations argue that self-attestation and decentralized oversight, the current process, are not sufficient to safeguard patient data. Health systems want more established rules of the road and stronger protections to prevent fraud on the networks.

As the healthcare industry pushes to accelerate interoperability—to make it easier for clinicians and patients to access critical health information—concerns are growing about the need for a better gatekeeping process and more transparency about how health data are being used. Healthcare executives who spoke to Fierce Healthcare said a key concern is improving trust on the networks.

"There is a clear pattern of bad actors improperly obtaining patients’ medical information. To protect patients’ privacy, there is an urgent need for the frameworks to implement centralized vetting, onboarding and monitoring controls. Details on exchange activity must be made publicly available, and when potential privacy issues are identified they must receive timely, effective, and transparent resolutions," the health systems wrote in the letter sent Jan. 22.

Along with the health systems, OCHIN, a health IT solutions provider and consultancy, and KeyCare, a telehealth platform, also signed the letter.

"For more than 25 years, OCHIN has advocated for trusted and secure health care information exchange because it is fundamental to effective care coordination, especially in rural and lower-resourced communities," Jennifer Stoll, chief external affairs officer at OCHIN, told Fierce Healthcare. "Data exchange networks hold great potential to measurably improve our nation's health—but only if everyone with access to patient data is playing by the same rulebook with rigorous national standards to protect patient privacy."

TEFCA is a nationwide framework for exchanging patient data that was mandated by the 21st Century Cures Act in 2016. TEFCA, which went live in December 2023, acts as a "network of networks," connecting various Qualified Health Information Networks (QHINs) to enable data sharing among providers, payers and patients.

The Sequoia Project, as TEFCA's Recognized Coordinating Entity, oversees its operations. There are now 12,130 organizations live on TEFCA representing over 71,000 unique connections to clinicians, hospitals, clinics, post-acute care/long-term care facilities, public health authorities and others, according to The Sequoia Project's website.

Carequality is a private nationwide health data exchange service that was incubated by The Sequoia Project but is now an independent organization. Carequality is used by more than 600,000 care providers, 50,000 clinics and 4,200 hospitals to access patients’ medical records, and it supports the exchange of 1.2 billion clinical documents each month, the organization said.

The concerns raised in the letter are also at the center of a lawsuit Epic filed against health information network Health Gorilla and several of its clients. In that suit, also brought by OCHIN, Reid Health, Trinity Health and UMass Memorial Health, the EHR giant and the providers claim that Health Gorilla and its clients improperly accessed and monetized nearly 300,000 patient medical records by exploiting Carequality and TEFCA.

Most of the organizations that signed the letter sent to The Sequoia Project and HHS are Epic customers. The co-plaintiffs in the Health Gorilla lawsuit are also among the signatories.

An Epic spokesperson said in an email to Fierce Healthcare that the letter was a "collaboration of the Epic community and was coordinated through the Epic Health Policy Workgroup, which is an informal group of organizations using Epic that meets to develop solutions to policy challenges." 

Sixty-three organizations initially signed the letter, but the number of signatories has grown to nearly 80 as of Wednesday.

In the letter, the organizations urge TEFCA and Carequality to hire staff to vet prospective organizations looking to exchange medical records. "Relying on self-attested business descriptions is insufficient. The frameworks need staff to review prospective connections and confirm it is appropriate for them to join. These reviewers should consider the organization’s publicly available business descriptions, national provider identifiers (NPIs), and any past criminal activity," the health systems said in the letter.

TEFCA participants also should attest to their business descriptions and their data exchange purposes to HHS, as TEFCA is federally sponsored. This would carry more weight because making false representations to a federal agency is a prosecutable offense, the organizations said.

The health systems also are urging TEFCA and Carequality to step up ongoing monitoring for potential fraud. Each framework should implement automated detection of anomalous exchange patterns, reporting hotlines and regular verification of credentials and other information, the organizations said.

Another recommendation called for TEFCA and Carequality to set up public directories that give better visibility into who is accessing medical data and why. Publicly reported metrics on how many health records parties have sent and received also would improve transparency, the health systems said. And the organizations want TEFCA and Carequality to set up publicly available websites where intermediaries disclose their data retention policies, including whether data in any format are retained and why.

Health systems also want dispute mediation processes to be open and public rather than kept private, and are calling for the government to manage the dispute process going forward. This would ensure there are federal consequences if organizations misrepresent the facts, the health systems said.

"All dispute resolutions should be made publicly available so that participants can understand any privacy and security risks caused by the inappropriate taking of data, and the community can learn from the process," they wrote in the letter.

Health systems also recommend creating a digital health fraud task force made up of federal agencies and state attorneys general. This task force would investigate problems like falsified documentation, identity impersonation and high-volume data harvesting.

In an emailed response to Fierce Healthcare, a Sequoia Project spokesperson said, "We always appreciate engagement from the community. These recommendations will be considered along with other plans to ensure the highest level of trust in health information exchange. We’re deeply committed to trust and patient privacy while advancing the many benefits of health data sharing for the patients’ good. We encourage those who signed who are active members of the various governance workgroups to make sure they share their feedback in those meetings as well."