Readers Write: Open Access in Healthcare: What TEFCA Got Right, Where It’s Stuck, and What Comes Next

Open Access in Healthcare: What TEFCA Got Right, Where It’s Stuck, and What Comes Next
By Robin Monks

Robin Monks is CTO at Praia Health.

If you’ve ever moved to a new city and tried to get your medical records transferred to a new provider, you already understand the problem that the Trusted Exchange Framework and Common Agreement (TEFCA) is trying to solve. In theory, health data should follow you. In practice, it often doesn’t.

TEFCA is the federal government’s most ambitious attempt to date at fixing nationwide health information exchange. Mandated by the 21st Century Cures Act and formally launched in late 2023 when the first Qualified Health Information Networks (QHINs) were designated, TEFCA aims to be the “interstate highway system” for health data, allowing providers, payers, and patients to share information regardless of which network they are on.

After two years of operation, there’s a lot to like about what TEFCA has accomplished. More than 70,000 healthcare locations are now connected through TEFCA, and Epic reported that 1,000 hospital customers have transitioned to TEFCA. Carequality, a framework connecting over 50 networks, 600,000 care providers, and 4,200 hospitals, is actively aligning its policies with TEFCA.

The framework has also expanded beyond its initial treatment-focused exchange. TEFCA now supports data exchange for payment, healthcare operations, government benefits determination, individual access, and public health purposes.

Perhaps most importantly, TEFCA is creating a universal floor for interoperability. Before TEFCA, a health system that wanted to exchange data nationally had to join multiple networks and maintain dozens of point-to-point connections. TEFCA simplifies that into a single participation model. For smaller practices and rural hospitals that couldn’t afford the overhead of managing multiple network memberships, this is a meaningful reduction in cost and complexity.

But TEFCA’s scale means that providers are now responding to queries from organizations they’ve never interacted with before. When a requester says they’re querying for treatment purposes and the responder disagrees that the request qualifies as “treatment” under HIPAA, you get what the ASTP calls an “information exchange impasse.”

This lack of trust means that providers are easily talked into not automatically replying to TEFCA requests, even to an individual access request with a verified identity attached. Information blocking remains a persistent and thorny issue. TEFCA participants who interfere with QHIN choice now risk violating the federal information blocking rule, with potential Medicare payment disincentives, but the cultural shift from “default deny” to “default share” is slow.

Then there’s the FHIR question. TEFCA launched using IHE-based document exchange, a 1990s-era architecture that predates smartphones and modern web standards. This was a pragmatic choice to minimize disruption and build on the existing exchange infrastructure (IHE-based exchange still represents enormous transaction volume annually).

But it means that the initial TEFCA experience is document-centric, returning C-CDA documents rather than discrete, FHIR-based data. The HTI-5 proposed rule from December 2025 signals a strong push toward FHIR-based APIs, but the gap between where TEFCA is today and where modern application developers need it to be is real. Companies that build on FHIR and OIDC are watching this closely.

The regulatory environment is also in flux. That same HTI-5 proposed rule would remove the TEFCA manner exception, a provision that allowed TEFCA participants to limit data exchange to only through TEFCA. The administration is signaling that using information blocking exceptions to incentivize TEFCA participation may be unnecessary, which is an interesting stance that simultaneously shows confidence in TEFCA’s trajectory and a desire to not disadvantage non-TEFCA exchange networks.

TEFCA has achieved enough adoption to be taken seriously, but not enough to be taken for granted. Here’s what needs to happen for it to reach its potential:

• FHIR needs to be a first-class citizen, not a roadmap item. The healthcare technology ecosystem has moved to FHIR. App developers, patient-facing platforms, and clinical decision support tools all expect FHIR APIs. Until TEFCA’s QHIN-to-QHIN exchange natively supports FHIR alongside IHE, there will be a gap between what TEFCA enables at the network level and what the market needs at the application level.
• Trust needs to be engineered, not assumed. The interpretive disagreements around treatment definitions and provider qualifications aren’t going to resolve themselves through goodwill alone. TEFCA’s governance needs to produce clear, specific guidance that participating organizations can implement without extensive legal review. The SOP updates from January 2026 are a step in the right direction, but there’s more work to be done.
• Patient transparency and choice must be central. Individual Access Services (IAS), the mechanism by which patients can access their own data through TEFCA, is likely to be one of the fastest-growing use cases. The patient access market is forecast to reach $4.16 billion by 2032. But IAS also carries the highest risk of information blocking complaints, because patients have the right to choose any IAS provider, regardless of their provider’s QHIN. Making this work requires a level of patient-facing transparency that healthcare hasn’t historically been great at. We also need to expand this to not only reading data, but performing actions with target EHRs.
• Enforcement has to be real. TEFCA operated for its first year as an entirely voluntary framework. The increasing enforcement posture around information blocking and the integration of TEFCA obligations into Medicare compliance programs is changing the calculus. But voluntary frameworks succeed when the incentives to participate outweigh the friction. Right now, the friction is still high for many organizations, particularly smaller ones. Last year we were promised that we would start seeing strict enforcement on information blocking, but so far we’re not seeing examples of enforcement from CMS.

TEFCA is doing something genuinely important. It is establishing the principle that health data should be exchangeable at a national scale, with a common set of rules, as a baseline expectation rather than a special achievement. For health systems that are thinking about their consumer experience strategy, and all should be, the ability to access data from across a patient’s entire care journey is critical.

The dream of open access in healthcare is within reach, but getting from good-intentioned definitions to it running and working where patients need is slow.