Skip to main content

Opinion: Will TEFCA Rule-Making Stop Patient Digital Access?

Analysis  |  By Donald Rucker MD  
   August 07, 2023

Former ONC Chief Donald Rucker questions whether federal regulations around interoperability and information blocking are doing more harm than good.

Editor's Note: Donald Rucker, MD, led the Health and Human Services Department's Office of the National Coordinator for Health Information Technology (ONC) from April of 2017 until January of 2021. He is currently an adjunct professor of emergency medicine at Ohio State University and chief strategy officer for digital health software company 1upHealth.

The 21st Century Cures Act, passed almost unanimously by Congress after the 2016 election, included a key principle granting patients the right to direct digital access to their medical record using the apps of their choice.

Importantly, Congress identified two must-haves to allow patients to get that data. The first mandate requires 'APIs without special effort,' or standard APIs provided by each EHR rather than the proprietary one-off APIs that EHRs had grudgingly been offering. The second mandate gives patients a right to get the data even if the data was no longer available. Withholding information was defined as 'information blocking' and subject to civil penalties.

Donald Rucker, MD, former head of the Health and Human Services Department's Officer of the Coordinator of Health IT (ONC). Photo courtesy 1upHealth.

This modern app-enabling vision of computing in healthcare was defined in rulemaking by the ONC in the 2020 ONC Cures Act Final Rule. (By disclosure, I was the National Coordinator at the ONC during this work.) For APIs, the ONC required RESTful FHIR APIs with OAuth 2 security. This is the same architecture that powers the entire modern Internet economy, from apps on smartphones to websites on computers.

For information blocking, the ONC was required by the Cures Act to define allowable exceptions – i.e. when EHRs would not have to share data – and laid out common-sense exceptions based on privacy, security, and feasibility.

In conjunction with parallel rules from the Centers for Medicare & Medicaid Services (CMS) requiring similar modern APIs from payers, the stage was set for broad-based digital innovation using patient medical records. Access to patient medical records allows for richer and more effective apps. Think of medical apps without your chart in the same way as banking apps without your balance, airline apps without your frequent flyer number, entertainment apps without tailored recommendations, or shopping apps that don’t remember your address and billing information.

Congress anticipated that the tremendous consumer benefits we get from apps everywhere else would flow into healthcare. But now the ONC has released a rule that effectively removes this access.

How did this happen? That we can answer. Why did this happen? ONC and HHS Secretary Xavier Becerra will have to answer that.

The ONC’s proposal to effectively block patient digital access ties into a third provision in the Cures Act for the Trusted Exchange Framework and Common Agreement (TEFCA). The ONC was required to designate a coordinating entity, which was The Sequoia Project. The Sequoia Project proposed using a 1990s IHE document exchange-only interchange protocol mediated by a network of brokers known as QHINs (Qualified Health Information Networks).

This is an arcane protocol that has hardly been used over the last 20 years. The IHE protocol supports document-only exchange. As a practical matter, use of the IHE protocol is limited to incumbent EHRs.

The IHE protocol predates core technologies including RESTful APIs, JSON and FHIR, and smartphones. It dates back to an era when the Internet was comprised of page-views and not individually computable data. Document-only exchange is very much like paper faxes. Fax documents provide minimal ability to compute without elaborate parsing software and limited clinical value since ultimately the file has to be read by a human.

TEFCA’s structure is anchored by QHIN brokers who are contracted to exchange documents. By stark comparison, most smartphone apps rely on extremely simple RESTful and similar API styles that are real-time and effectively near-zero cost.

Modern Cures Act apps are anchored by the same privacy and security provisions used to protect banking information and the Internet at large. It is highly unlikely that app developers could find programmers interested in learning the IHE protocol, let alone build a successful business model encumbered by brokers. TEFCA’s policies also provide many opportunities for EHRs to delay or deny data access with manual permissioning.

The ONC's proposed HTI 1 rule would allow EHR vendors to stop providing modern APIs to anyone who has ever needed to use TEFCA for any reason. The subtle regulatory language creates a near-total limitation for modern apps that may want to avail themselves of multiple data acquisition strategies. Since almost all medical records sit in legacy EHRs, this rule proposes that anyone who has ever needed a QHIN or TEFCA for any reason can be totally blocked from modern API use and access. The specific way the ONC proposes to do this is to allow the EHRs to 'information block' modern software by providing an 'information blocking exception' to the EHRs. In some cases, these EHRs are also QHIN brokers.

The ONC’s proposal effectively overturns the Congressional requirement for 'APIs without special effort.' It would allow global information blocking by the largest holders of medical data – data for which patients, employers, and taxpayers spend $4 trillion a year.

Why do TEFCA participants need an 'information blocking' license? It's because 'information blocking' is defined in the Cures Act as blocking the ability of patients to 'access, exchange, and use' their records. TEFCA precisely fits the Congressional definition of information blocking with access requiring payments to QHINs, exchange in a non-computable-document-only format, and use requiring antiquated software approaches.

The Sequoia Project has stated they will at some point use modern data formats (FHIR) though they miss the point that modern computing is not just about data formats but also low-friction APIs. Ironically, realizing TEFCA provides largely non-computable data, The Sequoia Project is now proposing meetings to see if computing could be done on their documents.

Ultimately this is all about competition. Legacy EHRs and their consolidated delivery system providers have been battling patient digital access and potential new competitors since the start of the Cures Act. The arguments against giving patients digital control of their health have largely been paternalistic, with EHR vendors (ironically some of whom plan to sell patients information via their owned QHINs) stating they are 'protecting privacy.' The ONC is now proposing a regulatory permission to information block.

If TEFCA works as claimed, there should be no reason for anyone to be concerned about information blocking. The Sequoia Project also states they will 'modernize' TEFCA, though they haven't provided technical details or said why they didn’t start with modern protocols to begin with.

The ONC should not be denying the American public modern digital access to their medical records by granting incumbent EHRs and delivery systems carte blanche to deny access. Obscure regulations tucked deep in a 500-plus-page proposed omnibus rule which require ancient approaches to computing under the guise of 'interoperability' and a 'digital on-ramp' consisting of a network of toll-taking brokers seems far from what Congress wanted for us in 2016 and what will advance healthcare in 2023.

We need a consumer economy in healthcare, where we can get the same prompt service we have when using our phones to shop, rideshare, or get dinner. We need a modern digital world so that devices and monitors on our smartphones help us to get and stay healthy. Let’s not stop the digital revolution before we start.


Get the latest on healthcare leadership in your inbox.