By Marilee Benson
Individual Access Services Under TEFCA – How it’s Working (and When it’s Not)
Individual Access Services (a consumer’s ability to request their own health data from a digital health app) is one of the biggest shifts in healthcare interoperability in years. It’s also one of the most challenging and controversial.
The premise is straightforward: patients should be able to pull their own medical records from any provider, through any app they choose, without juggling a dozen patient portal logins. TEFCA made this a mandatory exchange purpose. TEFCA infrastructure and network participation is growing fast. Over 70,000 healthcare facilities are now live on TEFCA, representing connections to many providers, hospitals, and care facilities. Eleven 11 QHINs are formally designated, with the potential for more in the future.
The momentum is real. The enthusiasm is real. But the gap between the vision and the implementation / acceptance for expanded exchange purposes is wider than most people realize. The Individual Access Services (IAS) exchange purpose is the most important reason TEFCA exists. Doing it at scale is the most important way we can put “trust” back into nationwide data exchange – as it puts patients at the center of data sharing. But it’s harder and more controversial than it looks.
Why IAS Is the Right Idea
For years, patients have been an afterthought in health data exchange. Provider-to-provider sharing for treatment? Mature. But patient-directed access & sharing? Barely functional.
Individual Access Services changes that. Under TEFCA, patients become first-class participants in data exchange. They can authorize digital health apps (“ISP Vendor”) to retrieve their records across the TEFCA framework without needing to pull directly from each of their provider portals.
This puts the patient at the center of managing their health data. If a patient wants to share their records with a clinical trial, a care coordination app, a legal representative, or a chronic disease management platform, they can do so without having to remember every single provider they’ve ever seen, and managing many different patient portals across different provider EHRs. IAS under TEFCA makes this much easier with very specific privacy and disclosure requirements, keeping patients in control of their own data.
A Work in Progress
The concept is sound. But the demand is growing faster than the governance and standards, which are complex by design. In short, we are right in the middle of “working out the details” as real IAS data exchange ramps up in 2026.
To overcome early resistance to provider organizations sharing data with non-HIPAA entities like Digital Health Apps, the IAS Vendor requirements were the primary focus. New steps were created, like making sure that the identity of the consumer is validated prior to making a TEFCA IAS query. The technical specifications were a departure from “provider” exchange, and therefore, much less mature. Thus, the IAS specifications under TEFCA were untested – creating early issues. For example, less than clear patient matching requirements allowed responders to set the bar unrealistically high – blocking successful exchange.
The Identity verification requirement is another gap. IAL2 verification via Clear or ID.ME sounds straightforward in conference presentations. In the real world, it can be a challenge. Accessibility issues. Disability or aging considerations. IAS works for ideal users. Real populations are messier. But to address potential data breach risks – it is a necessary step today until something better comes along.
Once IALS2 Identity vetting is done – the IAL2 token handling (such as token expiration timing) has been another area where initial requirements are evolving to meet real world experience.
And proxy access? Still unsolved. As one privacy attorney noted at a recent TEFCA workshop: “We don’t have a similar token we can use for proxy authority verification.” A caregiver or legal representative proving they can act on someone’s behalf? Common scenario, no good answers yet.
But the community is responding to many of these challenges, with TEFCA & QHIN IAS working groups coming together to dig in and make specific recommendations. As those changes get incorporated into updated TEFCA SOPs, the new TEFCA Change Management process provides a level of transparency that is extremely helpful to those of us on the front lines of IAS adoption.
One of the key hurdles for the promise of IAS under TEFCA to be fully realized is the fact that even with all these special TEFCA IAS requirements, large Health systems (and their vendors) continue to insist on extra authentication steps, making it challenging for even the most tech literate people to understand and execute the process to obtain their data from these systems.
And let me speak very frankly and personally here. As a health consumer – it’s very frustrating that some of my providers do not trust me to make good decisions, read disclosures, and take responsibility for my own data. It is absolutely essential that we get past this final hurdle for IAS – and TEFCA offers the only viable path to do it in my opinion.
Consumer Access Governance Is Necessary.
There’s an important nuance that can get lost in the hype: TEFCA is essential for IAS to scale safely. Without it, every IAS digital health app would need to integrate separately with every EMR. No uniform privacy enforcement would exist. No uniform identity vetting would be required. This is high risk for patients and providers alike.
TEFCA provides the trust framework – the governance and oversight. Non-HIPAA apps that participate must comply with HIPAA-level privacy and security rules. Scalable, one-to-many connectivity via a national trust framework. Clear rules of the road.
Only regional Health Information Exchanges can replicate the governance of TEFCA. But by definition, to get nationwide coverage, digital health apps must connect to multiple HIEs. But they do provide an important option. Do not be surprised to see multiple pathways emerging that do provide other options beyond TEFCA, particularly if TEFCA stumbles. The “IAS rules” established in TEFCA can also be adopted across other networks.
But today, TEFCA has a huge head start. The framework is solid. The execution is a “work in progress”, but with a lot of pressure to catch up to consumer access (IAS) demand.
What To Do Now
If you’re a provider, focus on these steps:
First, find out if you’re already participating. If your organization connects to a network that is also a QHIN, and has opt-ed into TEFCA, you may already be receiving IAS queries. But your patients and your staff might not know. It is a huge benefit to many of your patients, so be sure to include that in your patient communications.
Second, if your organization has not opted into TEFCA, but it’s available through your EMR, what’s stopping you? If you have concerns about patient access via TEFCA, take time to get familiar with the details. The TEFCA IAS requirements are designed to protect both patients and providers.
If you are a Digital Health App, focus on these steps:
First, you should already be exploring your options to join a QHIN to enable Individual Access Services. While you won’t get 100% success on day one, you can expect a year of continuous improvement.
Second, do a soft go-live, figure out what works, what doesn’t, and fix it, or ask for it to be fixed. You can’t impact the TEFCA community if you are not part of it.
Bottom line – there isn’t a better, faster way to enable consumer access to their medical history, and using your tech to put that data to work for them to improve their health outcomes.
All stakeholders should stay engaged. Monitor the RCE’s evolving IAS related SOPs. Things are evolving very quickly.
The Right Idea, Done Right
Zen Healthcare IT is an early adopter of IAS via TEFCA, leveraging our deep and broad experience as a validated and certified multi-network onramp. But we also know that this is just the start of the journey. IAS is necessary, inevitable, and structurally important. It’s also challenging. The industry is working together to remove barriers and improve results.
If you’re figuring out how consumer access (IAS via TEFCA) fits into your interoperability strategy, talk to our team. We can help you sort out what’s ready, what’s not, and what to do next.
Not Sure Where You Stand?
Most of the health tech leaders we talk to aren’t starting from zero – they’re trying to figure out which of these shifts actually affects their roadmap, and how urgently.
That’s exactly what our Interop Workshops are for. No pitch, no pressure – just a quick conversation to help you sort signal from noise. We’ve been doing this work since before TEFCA had a name.
Request an invite to a Zen Interoperability Workshop by emailing us at info@zenhealthcareit.com.
Want to go deeper?
Book a free 15-minute call with a Zen interoperability expert
