Published in Vol 24, No 11 (2022): November

The Patient Role in a Federal National-Scale Health Information Exchange

Authors of this article:

Joshua C Mandel1,2; J P Pollak3; Kenneth D Mandl4


1Microsoft Healthcare, Redmond, WA, United States

2Department of Biomedical Informatics, Harvard Medical School, Boston, MA, United States

3Cornell Tech, New York, NY, United States

4Computational Health Information Program, Boston Children's Hospital, Boston, MA, United States

Corresponding Author:

Kenneth D Mandl, MPH, MD

Computational Health Information Program

Boston Children's Hospital

401 Park Drive

LM5506, Mailstop BCH3187

Boston, MA, 02215

United States

Phone: 1 617 355 4145


The federal Trusted Exchange Framework and Common Agreement (TEFCA) aims to reduce fragmentation of patient records by expanding query-based health information exchange with nationwide connectivity for diverse purposes. TEFCA provides a common agreement and security framework allowing clinicians, and possibly insurance company staff, public health officials, and other authorized users, to query for health information about hundreds of millions of patients. TEFCA presents an opportunity to weave information exchange into the fabric of our national health information economy. We define 3 principles to promote patient autonomy and control within TEFCA: (1) patients can query for data about themselves, (2) patients can know when their data are queried and shared, and (3) patients can configure what is shared about them. We believe TEFCA should address these principles by the time it launches. While health information exchange already occurs on a large scale today, the launch of TEFCA introduces a major, new, and cohesive component of 21st-century US health care information infrastructure. We strongly advocate for a substantive role for the patient in TEFCA, one that will be a model for other systems and policies.

J Med Internet Res 2022;24(11):e41750



Since medical records are usually stored where they are produced, when patients traverse sites of care their information often becomes fragmented. The 21st Century Cures Act called for a Trusted Exchange Framework and Common Agreement (TEFCA) to enable turnkey access to medical histories across organizations. TEFCA, which is expected to be implemented starting in 2023, provides a framework for participating organizations to exchange patient data and also anticipates patients retrieving their own records.

After an overview of TEFCA and the history leading to it, we define 3 principles to promote patient autonomy and control as “rules of the road” for national-scale health information exchange (HIE).

Query-based exchanges emerged in the 1990s. Successful examples, such as the Indianapolis Network for Patient Care and Research [1], led to community health information networks [2], then to regional health information organizations, later renamed HIEs.

Query-based exchanges have primarily supported treatment, and most were deployed in limited contexts or vendor-defined boundaries [3]. Though myriad exchange organizations [4] have proved financially unsustainable [5], many today are sustainable, such as the government-supported Massachusetts Health Information Highway and the nonprofit Manifest Medex. Carequality, a membership-based nonprofit, underpins exchange among HIEs, electronic health record (EHR) vendors, and others. Epic Systems, leveraging extensive market share, enables its customers to participate in exchange. The Commonwell Health Alliance manages HIE for non-Epic members. Prior to TEFCA, common agreements for cross-organizational data exchange have been proposed within individual networks, by the Carequality Interoperability Framework [6] and the Markle Foundation [7].

Entities, including HIEs, will apply to become Qualified Health Information Networks (QHINs), committing to standardize a technical framework and implement the Common Agreement.

The number of accessible patient records is anticipated to grow to over 200 million with nationwide reach [5]. TEFCA expands the purposes of use; information may be exchanged for treatment, operations, payment, public health, government benefits determination, and individual access.

Importantly, TEFCA expands the number of users authorized to query. Authorization is handled within a hierarchical trust model; a small number (~10) of QHINs will offer connectivity for on the order of 10,000 organizational participants including EHR vendors and health systems. These, in turn, authorize many users, likely on the order of millions of clinicians, insurance company staff, public health officials, and others under the current proposals. Responses to queries would be obligatory in the context of treatment or individual access, and permitted in other cases, except where prohibited by applicable laws [8]. Responsibilities for security enforcement are delegated. For example, a QHIN would trust a hospital to provision accounts and maintain credentials for its authorized users. In turn, the hospital would trust its users to comply with policies and laws.

As is evident in public comments [9], TEFCA’s goal of broad access brings challenges around privacy, security, and autonomy. As there is no consistent approach to verifying patient identity in health care, matching is probabilistic, based on demographics. Each query result might represent a “true positive” (correctly returning data), “true negative” (correctly returning no data), “false positive” (returning data from the wrong patient), or “false negative” (not returning existing data). Systems to verify user identity and match records across care sites can be expensive and raise privacy concerns because they sometimes aggregate large amounts of identifiable data, including biometrics.

Though queries are audited, any authorized user may look up data about any patient with an expectation of automated, immediate responses. One organization’s security lapse or a user’s compromised credentials could allow a malicious actor to find information about any patient, a risk that grows as networks expand.


Because sharing protected health information for treatment is exempt from HIPAA’s (Health Insurance Portability and Accountability Act) requirement for patient-facing accounting of disclosures, patients have little visibility into when or with whom their health data are shared through HIE. A health care provider sharing a patient’s information need not obtain consent. HIPAA does not compel a provider to heed patient requests to restrict sharing. Notifying patients during front-desk registration through signed “consent for treatment” yields patients no opportunity to negotiate. Patient concerns about privacy breaches and misuse of their information in exchanges have been well documented [10,11].

As implementers of TEFCA continue to address challenges through technical and business controls leading up to the network’s launch, we propose 3 principles for meeting core objectives while recognizing and supporting patient autonomy and control, even if only a subset of patients are unsatisfied with default sharing permissions.

Principle 1. Patients Can Query for Data About Themselves

Today, patients face substantial challenges in assembling their records across sites of care [12,13], and as a result, uptake of individual access to patient records has been slow [14]. Exercising “individual access” using query-based exchange under TEFCA affords transparency about what records exist and allows patients to determine where their records are stored, identify errors [15], and correct missing information from failed matching. A single point of access to one’s entire history of care may lead more individuals to seek out digital copies of their records [14].

To manage patient access, TEFCA anticipates that third-party “individual access providers” will verify a patient’s identity, execute queries, and share results with the patient. We prefer a design affording individual access as a first-class feature of all QHINs rather than adding the technical, security, and organizational complexity of third-party coordination. This design would enable QHINs to absorb the costs of patient identity verification, rather than outsourcing them to a new category of businesses that must establish revenue streams to offset these costs.

Principle 2. Patients Can Know When Their Data Are Queried and Shared

The ability to see how one’s own data are being queried can serve as a check that the system is working as intended or as a leading indicator that something has gone wrong. Patients are well positioned to notice unexpected queries or to detect the absence of an expected query. Under TEFCA’s current policies, such details would be invisible to patients.

Principle 3. Patients Can Configure What Is Shared About Them

It is not yet established whether the widespread availability of data for care always improves outcomes, and there may be unintended consequences. Research is needed to see whether unfettered access to prior opinions and diagnoses improves care and whether restricted access introduces risks or degrades care. Given concerns about insurability, legal consequences, and stigmatization, patients may even avoid care to prevent widely accessible documentation. Additionally, national-scale data availability raises concerns about access and disclosure by political, journalistic, or adversarial actors. The option to configure what is shared may help establish a new patient-doctor relationship if a soured prior relationship is apparent in the chart. During a diagnostic odyssey, sharing less may keep second-opinion clinicians from becoming prejudiced by previous specialists’ assessments. Control over sharing may also help patients restrict queries about pregnancy-related care.

TEFCA currently does not provide control to patients. We recognize that permissive default settings that maximize access might satisfy a majority [16] and jumpstart network growth. We propose that patient concerns could be addressed pragmatically, starting with an all-or-nothing ability to opt out of exchange. More sophisticated controls could include (1) the ability to approve individual requests as queries are submitted and potentially (2) enabling access to a subset of encounters. For aspects of the record where a full picture is critical, purpose-built registries (eg, prescription drug–monitoring programs) provide accurate information irrespective of TEFCA.

If TEFCA-based exchange proves to become a data source for research and public health, patient autonomy to opt out of sharing may need to be balanced with requirements for unbiased data sets [17].

Launching query exchange capability on a national scale is a vast and worthy undertaking. While details are in flux and there is a TEFCA roadmap for future improvements, we believe these principles enforcing patient rights to autonomy and control should be addressed in policy and technology from the initial TEFCA launch. This will increase the likelihood of programmatic success by preemptively addressing legitimate concerns by advocacy groups. Though HIE is widespread today, and generally without a well-defined and protected patient role, TEFCA could serve as a model to underpin a 21st-century, patient-centered health information economy.

Conflicts of Interest

JCM is employed by Microsoft Corporation. KDM reports that Boston Children’s Hospital receives corporate philanthropic support for his laboratory from SMART Advisory Committee members, which include the American Medical Association, the BMJ Group, Eli Lilly and Company, Google Cloud, Hospital Corporation of America, Microsoft Corporation, Cambia Health Solutions, Humana, and Quest Diagnostics. KDM previously served as an advisor to Ciox. JPP reports no conflicts.

  1. Overhage JM, Tierney WM, McDonald CJ. Design and implementation of the Indianapolis Network for Patient Care and Research. Bull Med Libr Assoc 1995 Jan;83(1):48-56.
  2. Dullabh P, Moiduddin A, Nye C, Virost L. The evolution of the state health information exchange cooperative agreement program: state plans to enable robust HIE. NORC at the University of Chicago. 2011 Aug. [accessed 2022-05-30]
  3. Holmgren AJ, Adler-Milstein J. Health information exchange in US hospitals: the current landscape and a path to improved information sharing. J Hosp Med 2017 Mar;12(3):193-198.
  4. Overhage LM, Covich-Bordenick J, Li X, Overhage JM. Factors influencing progress of health information exchange organizations in the United States. Stud Health Technol Inform 2017;245:1236.
  5. Adler-Milstein J, Garg A, Zhao W, Patel V. A survey of health information exchange organizations in advance of a nationwide connectivity framework. Health Aff (Millwood) 2021 May;40(5):736-744.
  6. Carequality interoperability framework. Carequality. 2018. [accessed 2022-09-26]
  7. Markle common framework. Markle. 2022. [accessed 2022-09-26]
  8. Standard operating procedure (SOP): exchange purposes. The Sequoia Project. 2022. [accessed 2022-10-21]
  9. TEFCA comments summary: public comments on the Trusted Exchange Framework and Common Agreement draft 2. [accessed 2022-08-07]
  10. Simon SR, Evans JS, Benjamin A, Delano D, Bates DW. Patients' attitudes toward electronic health information exchange: qualitative study. J Med Internet Res 2009 Aug 06;11(3):e30.
  11. Wen K, Kreps G, Zhu F, Miller S. Consumers' perceptions about and use of the internet for personal health records and health information exchange: analysis of the 2007 Health Information National Trends Survey. J Med Internet Res 2010 Dec 18;12(4):e73.
  12. Mandl KD, Szolovits P, Kohane IS. Public standards and patients' control: how to keep electronic medical records accessible but private. BMJ 2001 Feb 03;322(7281):283-287.
  13. Mandl KD, Kohane IS. Time for a patient-driven health information economy? N Engl J Med 2016 Jan 21;374(3):205-208.
  14. Adler-Milstein J, Longhurst C. Assessment of patient use of a new approach to access health record data among 12 US health systems. JAMA Netw Open 2019 Aug 02;2(8):e199544.
  15. Bell SK, Delbanco T, Elmore JG, Fitzgerald PS, Fossa A, Harcourt K, et al. Frequency and types of patient-reported errors in electronic health record ambulatory care notes. JAMA Netw Open 2020 Jun 01;3(6):e205867.
  16. Cimino JJ, Frisse ME, Halamka J, Sweeney L, Yasnoff W. Consumer-mediated health information exchanges: the 2012 ACMI debate. J Biomed Inform 2014 Apr;48:5-15.
  17. McGraw D, Mandl KD. Privacy protections to encourage use of health-relevant digital data in a learning health system. NPJ Digit Med 2021 Jan 04;4(1):2.

EHR: electronic health record
HIE: health information exchange
HIPAA: Health Insurance Portability and Accountability Act
QHIN: Qualified Health Information Network
TEFCA: Trusted Exchange Framework and Common Agreement

Edited by G Eysenbach; submitted 15.08.22; peer-reviewed by A Malec, I Mircheva, K Taira; comments to author 05.09.22; revised version received 26.09.22; accepted 07.10.22; published 04.11.22


©Joshua C Mandel, J P Pollak, Kenneth D Mandl. Originally published in the Journal of Medical Internet Research, 04.11.2022.

This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication, as well as this copyright and license information must be included.