As the Trump administration tries to make Medicare more modern through the use of digital health apps, it faces a horde of unresolved policy issues that could present challenges to its stated goal to "stop theoretical debates and start delivering real results."
On July 30, 60 healthcare and tech companies committed to engage in a Health Tech Ecosystem Initiative led by Centers for Medicare & Medicaid Services (CMS) Administrator Mehmet Oz, M.D. The CMS will create an app store of vetted digital health solutions, require apps to use modern identity solutions and integrate AI chatbots to give beneficiaries information about healthcare access.
The initiative will give Medicare beneficiaries more choice about where to get their healthcare. However, the Trump administration has embarked on a journey of thorny issues that have plagued healthcare interoperability for years, even decades: patient privacy and information blocking.
While the initiative might not in itself present legitimate privacy concerns, it has stirred the conversation around the need for a national data privacy law and raised skepticism about the Trump administration’s handling of sensitive data.
Companies will also have to discern how to make patient records easily accessible and portable through modern technology, while staying competitive.
The administration has thrown significant political weight behind the Health Tech Ecosystem Initiative, even featuring President Donald Trump at the “Make Health Tech Great Again” event hosted at the White House on July 30, along with the acting Department of Government Efficiency Administrator Amy Gleason and artificial intelligence and crypto czar David Sacks.
“The key breakthrough we've made is getting many of the biggest names in healthcare and technology to agree to that real, those standards of electronic medical records that we talk about and you've heard about for so many years, and now it's happening,” Trump said July 30.
Sixty companies signed a pledge to “meaningfully improve” patient access to data and data sharing through an ecosystem of health technology partners. The event sparked undeniable excitement from the industry to have the administration speak out prominently on health IT.
“There's certainly palpable energy,” Kyna Fong, CEO of electronic health record company Elation Health, said in an interview. “And people were engaged, and probably the folks you want to see around the table were there, including CMS.”
The CMS has also committed to a long list of health IT modernization initiatives, such as expanding Blue Button 2.0 and creating a national provider directory. The agency also put forward an interoperability framework for a soon-to-be newly designated set of data sharing networks called CMS Aligned Networks.
“I think one of the biggest jobs of leadership is often setting priorities,” Aaron Carroll, M.D., president of AcademyHealth, said the day after the announcement. “It is clear that right now, CMS and the administration, and their announcement yesterday, have made this a priority.”
Issues with privacy and public trust
Six healthcare technology advocates who spoke with Fierce Healthcare said the Trump administration’s push for interoperability does not endanger patient data.
“We still have HIPAA, we still have the FTC requirements that have been identified,” Tom Leary, senior vice president and head of government relations at the Health Information Management Systems Society (HIMSS), said. “The enforcement that we've seen over the last 12 months by the Federal Trade Commission on some apps should be reassuring for patients that we have a framework in place.”
Under the Health Insurance Portability and Accountability Act (HIPAA), providers, payers and health information exchanges are on the hook for protecting the privacy of patient information. The CMS, which is spearheading the push to further integrate digital health apps into Medicare, is a HIPAA-covered entity. Unauthorized access to patient data held by HIPAA-covered entities is a violation of the law that could result in penalties.
Amazon, Anthropic, Apple, Google and OpenAI pledged to meet the CMS’ standards for health data exchange. While the administration is pushing for tech companies to be able to share patient data with more traditional healthcare players, it’s not the first time outsiders have been invited in.
“Using a third-party app was always part of that conversation,” Andrew Tomlinson, senior director of regulatory and international affairs at the American Health Information Management Association, said in an interview. “As a patient, being able to direct their data to the app of their choice, through an API, was one of the fundamental pieces discussed underneath the Cures Act. I think what's different between what was happening with, say, information blocking, and what's happening on this voluntary framework is maybe just this seat at the table that the app companies have.”
Most advocates assume the non-HIPAA-covered businesses that signed the Health Tech Ecosystem pledge will have business associate contracts with providers or payers, which subjects them to heightened requirements. Moreover, the announcement clarifies that entities must follow federal and state privacy laws.
Congress has debated the need for a comprehensive federal data privacy law for years. The now-retired Republican chair of the House Energy and Commerce Committee, Rep. Cathy McMorris Rodgers, Wash., introduced new privacy legislation last year, which passed the innovation subcommittee but stalled in the full committee.
The American Privacy Rights Act would give consumers more rights over their health information that falls outside of HIPAA’s purview, which could include search queries, interactions with chatbots, information recorded on fitness and mental health apps and trackers on health-related websites and telehealth platforms. It would also grant consumers a private right of action against companies that unlawfully transmit or collect covered data.
“The European Commission has a pretty clear point of view on their balance between privacy and accessibility or availability of data,” Robert Havasy, senior director of connected health at HIMSS, said. “The United States, I think, lacks that consensus, and we have not used the political process and the public forums over the last 30 years to really figure out where the people want to be and to help your average person, your average voter, understand there is a balance to be struck here.”
While the question remains open whether the U.S. needs stronger protections of non-HIPAA-covered data, the Trump administration’s health tech initiative doesn’t change the state of play from a legal point of view. It may, however, raise concerns for Medicare beneficiaries who don’t trust Trump’s health department with their data.
“We're now in a world where public data systems, the trust in them, has been strained, and those dynamics can't be ignored if we want those initiatives to succeed,” Carroll said.
Some individuals may be suspicious of the federal government having access to more data, while others may be more concerned about having Big Tech involved in the ecosystem.
“These days, a lot of groups don't have a lot of trust for other groups,” Carroll said. “So if you say, all of a sudden, the government's going to have a national [patient] identifier, there's a lot of people that might not trust the government. If you say these companies are going to have a national [patient] identifier, a lot of people don't trust each other, so we would have to do a significant amount of work on rebuilding that kind of trust for this to work.”
Carroll said he expects industry and the federal government to have conversations about de-identification standards, secure data enclaves, transparent government structures and clear policies for secondary data use, among other privacy considerations.
“As newer vendors emerge, there could be cause for concern,” Havasy said. “I'm not super worried for the first step. But as this grows and companies that haven't been doing this as long as like glucose companies and the Fitbits of the world, as newer players get in and maybe aren't as sensitive to what's identifiable and what's not, that may become a problem.”
Existing technical standards, existing information blocking issues
The CMS interoperability framework leans on existing technical standards. By July 4, 2026, CMS Aligned Networks must provide or facilitate access to data using FHIR (Fast Healthcare Interoperability Resources) APIs (application programming interfaces), a standard for exchanging electronic health information, and USCDI V3 with terminology compliance. USCDI refers to United States Core Data for Interoperability, a standardized set of data elements. Separately, participants in the ecosystem must use IAL2 or AAL2, which are assurance levels for digital identity, for modern digital login capability.
The Trusted Exchange Framework and Common Agreement (TEFCA) wasn’t mentioned in the Health Tech Ecosystem Initiative announcement or the CMS’ interoperability framework. However, most advocates assumed that TEFCA will continue to be a part of the HHS health IT strategy.
“I think mostly what we're doing is sort of repackaging what we tried to do through other means and regulation,” Havasy said.
Nearly all of the people Fierce Healthcare spoke to agreed that achieving the standards will not be technically difficult—in fact, it’s likely already done at many organizations. What’s harder than the tech itself is figuring out how each company will want to share data while staying competitive, Havasy and Carroll explained.
“There's a lot of pushback from industry and other areas against interoperability,” Carroll said. “Because while we all like the idea of [interoperability], let's be very honest, if Company A sells you an electronic medical record or some kind of thing, and you want to buy an add-on component, they want you to also buy it from Company A, and if you can easily work with Company B, that makes that less likely.”
In a blog post last year, former Assistant Secretary for Technology Policy Micky Tripathi, Ph.D., described a slew of concerning practices around information blocking and APIs that his office had become aware of, like onerous fees, lack of information about business policies and technologies, and failure to respond to API access requests.
“Our country has made tremendous strides and invested billions of private and public dollars in establishing the digital future of the health care system,” Tripathi, who headed the HHS health IT office under President Joe Biden, wrote. “We are thus highly concerned about ongoing and recent reports that we have received about potential violations of both the letter and spirit of the various laws and regulations now in place to ensure information-sharing to improve our health care system and enhance the lives of all Americans.”
Tripathi asserts that, “what is abundantly clear is that it is behavior, rather than technology, that is far and away the biggest impediment to progress.”
Beyond behavior, some advocates worry that the differing formats of data across the healthcare ecosystem could present a challenge to the interoperability effort.
“Coming up with a standard by which everyone could have their data transformed into something that everyone else could read would take money, would take work, would take effort,” Carroll said. “There are natural pressures that push against it that may need to be overcome with regulation.”
Several people mentioned that advances in AI could make data transformation significantly easier than past methods. Many health tech companies have undertaken data transformation to help healthcare organizations make their data usable.
OMNY is one such vendor that uses AI and a secure computing platform to make health data usable by providers and researchers.
"While the White House and CMS' health tech ecosystem initiative is a great start, the reality is that interoperability alone doesn't equal usability of data,” OMNY’s CEO Mitesh Rao, M.D., said in an emailed statement. “Across the healthcare landscape, there is a lot of heterogeneity and incompleteness that will make connecting data quite challenging, and could result in a messier data pool that won't benefit the industry in the way we hope. These frameworks for interoperability are just the first step. Only once we address the more complex issue of transforming data into usable grade information will the industry see the benefit.”