Enabling consumer-directed data exchange, at scale: A policy playbook for the new administration

The administration has a moment of opportunity. With clear policy action, IAS at scale can support patients and the entire healthcare ecosystem.

May 20, 2025

P. Agarwal, MD, MBA · A. Raghavan

HealthEx’s mission is to unlock access to health data—securely and ethically—to deliver greater value and better outcomes across the healthcare ecosystem.

A cornerstone of this mission is empowering individuals to access, retrieve, and utilize their own medical information and to share it with whomever they choose. This “consumer‑directed data exchange” functions like Apple Wallet for your health data: secure, portable, and at your fingertips. Just as Apple Wallet lets you store and share boarding passes, ID cards, or payment methods with a simple tap, consumer-directed exchange gives patients a seamless way to maintain and share their health information, with user-friendly patient consent and modern digital‑identity protocols providing the necessary security and compliance. 

While there have been previous attempts at similar concepts, there is more momentum for this vision than ever before, thanks to the support for Individual Access Services (IAS) in the new national health data interoperability framework known as the Trusted Exchange Framework and Common Agreement, or TEFCA. While responses to IAS queries are required for all participants, the utilization of this exchange purpose has been limited during the first year of TEFCA exchange. Nearly every major electronic health record (EHR) vendor and qualified health information network (QHIN) has committed to rolling out support for IAS over the coming year, including Epic. But IAS has its challenges: Although IAS is officially live, most consumers still cannot easily access, compile, utilize, or exchange their health data. 

A recent request for information from the Centers for Medicare & Medicaid Services (CMS) prioritizes “building a future where seniors and families have the digital tools they need at their fingertips—tools that help them make informed choices, manage chronic conditions, and stay healthy.” Consumer-directed data exchange, facilitated via IAS, is the engine that can power this vision—if it becomes widely adopted. Scaling IAS will require a series of targeted actions, and the administration is in a prime position to accelerate progress and ensure consumer-directed data exchange becomes not just a legal right, but a standard practice across the healthcare system.

To help chart that path, the HealthEx team—together with trusted advisors and collaborators Melissa Soliz, Partner at Coppersmith Brockelman PLC and HealthEx legal counsel; Steven Lane, MD, MPH, Chief Medical Officer at Health Gorilla and HealthEx advisor; Deven McGraw, Chief Regulatory & Privacy Officer at Citizen Health and HealthEx advisor; Teresa Carlson, President of General Catalyst Institute; Candace Richardson, Principal at General Catalyst; John Blair, MD, CEO at MedAllies; Brendan Keeler, Interoperability Practice Lead at HTD Health; Tim Kessler, Field CTO at Redox; and Lisa Bari, Head of External Affairs at Innovaccer—has drafted the following policy recommendations.

HealthEx is also a member of the CARIN Alliance, an industry collaboration focused on enabling consumer-directed data exchange at scale. Our intent here is to be collaborative with these and other efforts, and to contribute our views to the national discourse.

We'd love to have your input and feedback on consumer-directed data exchange, IAS and what's needed to make sure it's serving consumers as intended. And stay tuned for more from HealthEx regarding how it's supporting consumer-directed data exchange.

Why Consumer-Directed Data Exchange Matters to Individuals

Historically, organizations have controlled access to the health data that they create or receive. As a result, patients and individuals today face fragmented access to their records: They must log into multiple portals, with unique usernames and passwords, and piece together their health history manually, since organizations haven’t given patients the means or the agency to combine or manage their data across institutions. This is especially burdensome for individuals with chronic conditions, or complex care needs, particularly those who see multiple providers.

Consumer-directed data exchange, facilitated by IAS, enables patients to access their data across all their points of care, and then maintain it for their own use, or provide access or direct it to third parties of their choice – securely and electronically. The advent of consumer-directed data exchange signals a shift from organizations controlling access to patient data, to now individuals having the power to do so (see Steven Lane’s post that discusses the potential impact of giving patients more control over interoperability, and Hemant Taneja and Teresa Carlson’s recent white paper on the role of patient-data access, in the context of broader healthcare innovation). 

Consumer-directed exchange, facilitated via IAS, streamlines the experience of how individuals access and share their health records; its key drivers of value for individuals are:

  • Convenience: Individuals can request and receive their health records from across providers through a single, secure workflow.

  • Clarity: Individuals gain a consolidated view of their health information—essential for coordinating care, managing conditions, and making informed decisions. There is also a growing opportunity to utilize AI or other apps to support individuals’ understanding of their information and to provide actionable insights upon this consolidated view.

  • Control: Individuals direct where their data goes, enabling them to authorize trusted third parties, such as CMS or caregivers, to use their data to provide better care. Individuals should also be able to share their data selectively and to revoke a third party’s access easily.

When IAS functions as designed, it will enable patients to be active participants in their own care, not passive recipients: Individuals will have the power to direct data to new providers to allow them to easily gain a comprehensive view of their health history, to payers to support care coordination and process prior authorizations more efficiently, to research organizations enabling groundbreaking advances, or to any health app of their choice.

Policy recommendations to support consumer-directed exchange

HealthEx believes that addressing key policy gaps will allow the rapid scaling of IAS and will usher in a new era of consumer-directed data exchange. Below are five specific recommendations for the administration, each with a supporting rationale grounded in operational feasibility and regulatory alignment.

We believe CMS is best positioned to carry through these recommendations.

1. Incentivize or Mandate TEFCA participation

Rationale: While responding to IAS queries is presently required of all TEFCA participants, participation in TEFCA itself is voluntary. To ensure that IAS is supported at scale, CMS should mandate that CMS-regulated health plans and health care providers participate in TEFCA, or create meaningful financial incentives for doing so. Such CMS action would be expected to drive other payers to follow suit.

2. Mandate responses to IAS requests and recognize TEFCA protocols as sufficient to satisfy HIPAA privacy requirements

Rationale: Not all TEFCA Participants and Subparticipants are currently responding to TEFCA IAS requests, due to concerns that HIPAA’s legal preconditions for verifying the requester’s identity and authority are not being met, which could expose responders to an increased risk of an impermissible disclosure. TEFCA has specified technical security measures to support such verification: a single digital identity token that is IAL2 identity-proofed and AAL2 authenticated (the identity and authenticator assurance levels defined in NIST SP 800-63) satisfies the identity verification and authentication requirements, and an additional IAS consent administered to the patient, auditable and digitally enforceable, meets all applicable authorization verification requirements.

A CMS mandate requiring responses to IAS requests made via TEFCA, with an express presumption that such verification requirements are met when the request satisfies TEFCA standards, would ensure consumers have secure access to their health data.

3. Adopt a presumption that IAS requests made through TEFCA adequately fulfill identity verification and authorization requirements to facilitate patient matching for an individual accessing their own data, without additional requirements for individuals to provide their patient portal credentials.

Rationale: Some plans, providers and their business associates, such as their EHR vendors (e.g., Epic, Oracle/Cerner), encourage or require an additional verification step in which patients must supply their portal logon credentials for each provider organization from which they want to request their health information. Data holders impose this step to satisfy themselves that HIPAA’s identity and authority verification requirements are met. It also trains patients to hand their portal passwords to a third party, a practice that weakens rather than strengthens account security. Other data holders, such as users of the athenahealth and Veradigm EHRs, do not require this added burden.

Per policy recommendation #2 above, these additional steps may and should be removed when patients are trying to access their own data as both verification and authorization requirements can be met by the IAL2 token + AAL2 authentication + IAS consent passed in via TEFCA IAS.
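To make the verification stack behind recommendations #2 and #3 concrete, the following is an added example written for this page; it is not HealthEx, TEFCA, or any EHR vendor’s code. It models a responder-side gate that releases records only when the identity assertion is IAL2-proofed and AAL2-authenticated, and when a separate consent artifact is bound to the same individual and covers the requested purpose. The claim names (`sub`, `ial`, `aal`, `purposes`, `revoked`, `exp`), the compact `payload.signature` format, and the symmetric demo key are all assumptions of the example, not TEFCA or NIST identifiers; real deployments verify an asymmetric signature against the identity provider’s published key. The sample requests are constructed inline.

```python
"""Responder-side gate for an IAS request (illustrative, not TEFCA's own code).

Checks, in order: assertion signature, expiry, IAL2 proofing, AAL2 authentication,
then a consent artifact bound to the same subject that covers the purpose.
"""
import base64
import hashlib
import hmac
import json

# Constructed for this example only: a shared secret standing in for the
# identity provider's signing key. Claim names below are assumptions too.
DEMO_KEY = b"example-only-demo-signing-key"
# Fixed clock so the example is reproducible offline.
NOW = 1_700_000_000


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Compact 'payload.signature' assertion over JSON claims (HMAC-SHA256)."""
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def verify_assertion(token: str, key: bytes = DEMO_KEY):
    """Return the claims dict if the signature is valid, otherwise None."""
    try:
        payload, sig = token.split(".")
        provided = _unb64url(sig)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, provided):
            return None
        return json.loads(_unb64url(payload))
    except ValueError:  # bad split, bad base64, or bad JSON
        return None


def evaluate_ias_request(identity_token, consent_token, purpose, now=NOW, key=DEMO_KEY):
    """Return (allowed, reason) for a record release under IAS."""
    ident = verify_assertion(identity_token, key)
    if ident is None:
        return False, "identity assertion rejected: bad signature or format"
    if ident.get("exp", 0) <= now:
        return False, "identity assertion expired"
    if ident.get("ial", 0) < 2:
        return False, "identity proofing below IAL2"
    if ident.get("aal", 0) < 2:
        return False, "authentication below AAL2"

    consent = verify_assertion(consent_token, key)
    if consent is None:
        return False, "consent artifact rejected: bad signature or format"
    if consent.get("sub") != ident.get("sub"):
        return False, "consent is not bound to the authenticated individual"
    if consent.get("exp", 0) <= now:
        return False, "consent expired"
    if consent.get("revoked", False):
        return False, "consent revoked"
    if purpose not in consent.get("purposes", []):
        return False, f"consent does not cover purpose {purpose!r}"
    return True, "release permitted"


def make_request(ial=2, aal=2, purposes=("IAS",), consent_sub=None,
                 revoked=False, exp=NOW + 300):
    """Construct an identity assertion and consent artifact for the demo."""
    sub = "patient-0001"  # constructed subject identifier
    identity = sign_assertion({"sub": sub, "ial": ial, "aal": aal, "exp": exp})
    consent = sign_assertion({"sub": consent_sub or sub, "purposes": list(purposes),
                              "revoked": revoked, "exp": exp})
    return identity, consent


if __name__ == "__main__":
    cases = {
        "compliant IAL2/AAL2 + consent": make_request(),
        "portal-password-grade AAL1": make_request(aal=1),
        "unproofed IAL1": make_request(ial=1),
        "consent for a different person": make_request(consent_sub="patient-0002"),
        "revoked consent": make_request(revoked=True),
        "consent scoped to Treatment only": make_request(purposes=("Treatment",)),
    }
    for label, (identity, consent) in cases.items():
        allowed, reason = evaluate_ias_request(identity, consent, "IAS")
        print(f"{label:34} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The point of the ordering is that a responder never needs the patient’s portal password to reach a decision: signature, assurance level, and consent binding are all verifiable from the artifacts presented with the request, and a consent issued to a different subject, or for a different purpose, fails closed even when the identity assertion itself is sound.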

4. Grant qualified immunity, or safe harbor, to those individuals and organizations performing patient matching as part of responding to IAL2-enabled IAS requests

Rationale: Granting qualified immunity, or safe harbor, to those responding to IAS requests, and other permitted exchange purposes via TEFCA, will reduce the hesitancy of health plans, providers, and other TEFCA participants/sub-participants to respond to defined use cases with a published SOP, beyond the Treatment use case.

5. Mandate that providers publish and maintain FHIR API endpoints that will respond to IAS queries, for inclusion in a CMS-mandated national endpoint directory that can be repurposed by various Record Locator services. (This could be as simple as making existing TEFCA and Carequality RLS directories public.)

Rationale: CMS should mandate the publication and maintenance of a comprehensive endpoint directory that allows accurate record location for patients, to support IAS requests at scale. Without this discoverability to facilitate accurate record location, patients cannot obtain access to records across all their places of care.

What Comes Next

The administration has a moment of opportunity. With clear policy action, IAS at scale can support patients and the entire healthcare ecosystem. The recommendations laid out here are actionable, grounded in current policy levers, and designed to reduce ambiguity for all stakeholders.

But more than that, the administration can lead a cultural shift—redefining the role of patients from data subjects to empowered participants in their own care. By aligning incentives, setting clear expectations for industry stakeholders, and ensuring patients have the tools and support to access and use their data, CMS can ensure that the promise of consumer-directed exchange becomes reality, thereby unleashing American innovation in health care.

We recognize this work won’t be easy. But it is essential. And we’re ready to support federal policy makers, the Recognized Coordinating Entity (RCE), TEFCA Participants, and the broader health IT community in making it happen. HealthEx is also actively working to support efforts in this space: the team is supporting the creation of shared resources, such as the CARIN patient-access tracker, and aggregating test patient accounts across network sandboxes.

With clear policy action, and collaboration across teams in the ecosystem actively working to support these efforts, consumer-directed data exchange can support patients and the entire healthcare ecosystem.

Prepared by HealthEx in partnership with trusted collaborators. For feedback or inquiries, please contact us at info@healthex.io.

© Copyright 2025. All rights reserved