Health systems demand more stringent regulation of patient data exchange

Over 75 health systems in the U.S have collaborated to urge federal officials to provide greater control over the national health data-sharing networks, claiming that the current system is weak, and this has enabled bad actors to gain unauthorized access to sensitive patient medical records. These organizations urged stricter regulation, improved security, and increased transparency in a formal letter to safeguard patient privacy.

Signatories are some of the largest health systems, including AdventHealth, Cedars-Sinai Medical Center, MetroHealth, NYU Langone, UMass Memorial Health, Stanford Health Care, and Sutter Health. They are requesting a greater centralized oversight of countrywide health information exchange systems, especially the Trusted Exchange Framework and Common Agreement (TEFCA) and Carequality. The health systems claim that these networks at present depend too much on decentralized control and self-attestation, which they believe is insufficient to stop the abuse of information.

The letter, which is addressed to the CEO of The Sequoia Project, Mariann Yeager, and the deputy assistant secretary of technology policy, Steve Posnack, at the Department of Health and Human Services, requests more regulation of individuals who gain access to patient information. The authors state that the effectiveness of fraud detection, more active surveillance of the exchange activity, and a better understanding of how and why data are being shared need to be improved. They argue that clear guidelines and more robust enforcement layers are necessary in the preservation of trust as interoperability in the healthcare system spreads.

With the growing expectations among healthcare organizations regarding the seamless exchange of information in an effort to enhance care coordination and access to medical information by the patient, issues of security and accountability have become more pronounced. According to the leaders of healthcare with Fierce Healthcare, trust in such networks is being destroyed because of frequent cases of unacceptable access to data. In the letter, the pattern of abuse is underlined, which highlights the urgency of the centralized vetting, standardized onboarding practices, and ongoing monitoring. Another demand of the authors is the open declaration of the exchange activity, as well as the timely and open reactions in response to privacy invasion.

Other parties that signed the letter included the health systems, OCHIN, a health IT consultancy, and KeyCare, a telehealth platform. OCHIN noted the importance of safe and reliable data sharing, particularly in rural and underserved communities, and pointed out that national standards are needed to guarantee the privacy of patients and unlock the potential of interoperability.

TEFCA was developed as part of the 21 st Century Cures Act of 2016, and is scheduled to launch in December 2023 as a network of networks connecting qualified health information networks across the country. It is managed by The Sequoia Project, and it presently comprises thousands of organizations and tens of thousands of clinical connections. Now a separate entity, Carequality began as a part of The Sequoia Project, but it helps to exchange data with hundreds of thousands of providers and exchange more than a billion clinical documents every month.

These concerns in the letter can also be combined with a lawsuit, which was initiated by Epic, as well as various healthcare providers, against Health Gorilla and some of its clients. It is claimed by the plaintiffs that patient records have been accessed and used against the patient without the appropriate approval and used to generate money using Carequality and TEFCA affiliations.

In their advice, the health systems suggest employing specific personnel to carefully screen those organizations that want to gain access to such networks, formal attestations to federal authorities, the introduction of automated fraud detection systems, and the establishment of public directories and metrics to enhance the visibility of the data use. They also make recommendations to make the dispute resolution procedures more transparent, the government needs to be more involved in its implementation, and the establishment of a digital health fraud task force to examine how health data is abused.

In their turn, The Sequoia Project admitted the feedback and said that it would take the recommendations into account in the framework of its further work to build trust and ensure patient privacy as well as benefit nationwide health information exchange.

Health Systems Demand More Stringent Patient Data Exchange Regulation

More than 75 major health systems have sent a joint letter to federal officials calling for more stringent regulation of patient data exchange practices nationwide. The group highlighted health systems’ concerns over inadequate oversight of existing data sharing networks, emphasizing the need for stronger governance, better protection against unauthorized access, and transparency in network monitoring.

Rising Security and Privacy Concerns Among Health Systems

In the letter, participating health systems emphasized that current data exchange frameworks — used to share electronic patient records and clinical data across providers — lack sufficient safeguards against “bad actors” gaining access to sensitive medical information. This push reflects broader industry concerns about health data security and recent breaches that have exposed millions of records, fueling calls for updated regulation and enforcement.