The Glass House of Digital Health: A Leader’s Guide to TEFCA, Trust, and Risk in the New Data Era

Written By April Noel

The promise of seamless health data exchange is finally materializing. With the operational launch of the Trusted Exchange Framework and Common Agreement (TEFCA), the theoretical "network of networks" is becoming a tangible reality. As of early 2025, several major health information networks have been officially designated as Qualified Health Information Networks (QHINs), actively exchanging data under this new paradigm.

Read article.

But for digital health companies, this new era of interoperability is a double-edged sword. While it unlocks unprecedented opportunities for innovation, it also creates a glasshouse of transparency and risk. The stakes have never been higher. A single misstep in data handling can lead to catastrophic financial penalties, irreparable reputational damage, and a complete loss of user trust.

This guide provides a clear-eyed look at what digital health leaders must understand, the specific concerns they should have, and the risk mitigation strategies they must implement to thrive.

The Unavoidable Force: Information Blocking and Financial Realities

To understand the urgency, one must look beyond TEFCA to its legislative driver, the 21st Century Cures Act. The Act's information blocking provisions are not a suggestion; they are a mandate with severe financial consequences. The Office of the National Coordinator for Health Information Technology (ONC) has finalized rules that establish clear penalties:

  • Health IT Developers and HIEs/HINs: Fines of up to $1 million per violation (ONC, 2023).

  • Healthcare Providers: Subject to disincentives and other penalties determined by the Department of Health and Human Services.

A "violation" is not a one-time event; it can be interpreted as each instance of improperly withheld data. This creates a powerful financial incentive to connect and share. The argument is no longer if a company should participate, but how it can do so safely and strategically.

Where Companies Should Be Concerned: A Look Inside the Glass House

While TEFCA aims to create a trusted ecosystem, digital health leaders should be prudently skeptical and focus on several key areas of concern:

  1. Security in a Magnified Threat Landscape: Increased connectivity inherently expands the attack surface. While QHINs must be HITRUST r2 certified—a rigorous standard—the responsibility for data security remains with every participant in the chain. Healthcare continues to be a prime target for cyberattacks, with the average cost of a healthcare data breach reaching a staggering $10.93 million in 2023, the highest of any industry for the 13th consecutive year (IBM, 2023). Your company is only as secure as your least secure partner in the network.

  2. The Nuances of Patient Consent: TEFCA operates on a baseline of consent established under HIPAA's treatment, payment, and healthcare operations (TPO) provisions. However, many digital health apps, particularly direct-to-consumer wellness tools, may not have a clear TPO relationship with the user. This is a critical, often-overlooked gap. Relying on a broad reading of consent is a risky strategy. The Consumer Technology Association notes that robust, transparent, and specific consent processes are essential for building consumer trust in digital health devices and apps (Consumer Technology Association, 2020). A mismatch in consent expectations between what the network allows and what the user understands is a significant legal and ethical pitfall.

  3. Data Integrity and Misinterpretation: When data flows from multiple sources—EHRs, wearables, patient-reported outcomes—the risk of data corruption, mismatch, or misinterpretation increases. An inaccurate data point, once propagated through the network, could lead to adverse clinical events. Who is liable when a treatment decision is based on faulty data aggregated from three different sources via a QHIN? The legal precedents are still being set, creating a landscape of uncertainty.

Actionable Risk Mitigation Strategies

Navigating this new era requires a proactive, defense-in-depth strategy. Here are concrete steps digital health companies should be taking now:

  • Conduct a Comprehensive Data Flow Audit: Before connecting to any exchange, map every piece of health data your company collects, stores, and transmits. Understand its origin, its legal basis for processing (e.g., TPO, specific consent), and its security classification. This is foundational to any risk management plan.

  • Vet Your QHIN Partner Diligently: Not all QHINs are created equal. Go beyond the HITRUST certification. Scrutinize their specific security protocols, their processes for handling privacy incidents, their performance metrics (like uptime and query success rates), and their liability frameworks. Ask for their audit reports and question them on their vendor risk management programs.

  • Engineer for Granular Consent: Do not rely on a blanket terms-of-service agreement. Implement a robust consent management platform that allows users to make granular choices about what data they share, with whom, and for what purpose. This "opt-in" or "opt-out" capability at a granular level is becoming the consumer expectation and a key differentiator (The Sequoia Project, 2022).

  • Strengthen Your Security Posture with Zero Trust: Adopt a "Zero Trust" architecture. This security model operates on the principle of "never trust, always verify," treating every access request as if it originates from an open network. This involves multi-factor authentication (MFA), micro-segmentation of networks, and strict endpoint security, significantly reducing the blast radius of a potential breach.

  • Invest in Liability Insurance: Review your current cyber liability and errors and omissions (E&O) insurance policies. Ensure they specifically cover incidents arising from participation in a health information network and the unique risks of shared data integrity.

The launch of TEFCA is not the end of the journey toward interoperability; it is the beginning of a much more complex and demanding chapter. The companies that succeed will be those that see the challenges as clearly as the opportunities. They will build their future not on the fragile hope of a perfectly secure network, but on the resilient foundation of proactive risk management, unwavering user trust, and a deep-seated commitment to being a responsible steward of the most sensitive data of all.

Have more questions? Reach out to info@ctel.org today and we can help your organization navigate your digital health, privacy, and policy challenges today.

References

Consumer Technology Association. (2020). Guiding Principles on the Privacy and Security of Personal Health and Wellness Data. https://www.cta.tech/Resources/Guiding-Principles-on-the-Privacy-and-Security-of-Personal-Health-and-Wellness-Data

IBM. (2023). Cost of a Data Breach Report 2023. IBM Security. https://www.ibm.com/reports/data-breach

Office of the National Coordinator for Health Information Technology (ONC). (2023, December 13). HHS Finalizes Rule to Strengthen Transparency in Health Care. U.S. Department of Health & Human Services. https://www.hhs.gov/about/news/2023/12/13/hhs-finalizes-rule-strengthen-transparency-health-care.html

The Sequoia Project. (2022). Common Agreement for Nationwide Health Information Interoperability. https://rce.sequoiaproject.org/common-agreement/

April Noel
Next

Revolutionizing Nursing Education: Nightingale College Pioneers VR for Superior Outcomes and Cost Savings