Our Take
The volume growth is real, but trust problems persist: healthcare organizations are pushing for stricter onboarding to prevent fraud.
Why it matters
Federal health data exchange is scaling faster than governance can keep up. Healthcare IT leaders need to weigh network benefits against security risks as oversight mechanisms lag behind adoption.
Do this week
Healthcare IT teams: audit your TEFCA data-sharing agreements this month so you understand liability exposure before new oversight rules arrive.
TEFCA hit 1 billion health record exchanges
The federal health information exchange network TEFCA processed nearly one billion health records in its first 16 months of operation, up from approximately 10 million at the start of 2025 (per ONC chief Dr. Thomas Keane). The network now supports six approved exchange purposes: treatment, payment, operations, individual access, government benefits determination, and public health.
The Social Security Administration is using TEFCA for disability benefits determination, cutting processing time from weeks or months to under one day (company-reported). Eleven organizations have become Qualified Health Information Networks (QHINs) through TEFCA's onboarding process, with all also pledging to be CMS-Aligned Networks.
Healthcare organizations have pressed HHS to implement stricter TEFCA onboarding requirements to prevent fraudulent exchange of protected medical data. ONC acknowledges trust challenges and is "actively exploring options to layer in more network oversight moving forward."
Growth outpaced governance design
The 100x volume increase in 16 months exposes a fundamental tension in federal health data policy: the network scaled before trust mechanisms could prove themselves at volume. While technical standards exist, Keane admits the main challenges "are not technical in nature, but rather inherent to the process of exchange between counterparties that may not otherwise be affiliated."
Every data request within TEFCA creates a legally binding assertion that can be audited, but enforcement relies on participant self-policing and an operational organization (the Recognized Coordinating Entity) with untested oversight capabilities. Violators can be disconnected or barred, but prevention mechanisms remain limited.
Individual access services launching next
ONC is prioritizing Individual Access Services (IAS), which will let patients use authorized websites or apps to retrieve health records from multiple providers directly through TEFCA. Keane reported successfully testing an IAS-enabled app to download his own records.
For compliance, ONC is partnering with the HHS Office of Inspector General to increase information blocking enforcement, with fines up to $1 million per instance. ONC can also decertify health IT vendors found blocking information, making their customers ineligible for government payment incentives.
Healthcare organizations should expect stricter oversight as the network grows. The current complaint-driven enforcement model through ONC's Report Information Blocking Portal will likely expand as exchange volumes continue scaling.