
White House health tech initiative sparks data privacy concerns
The federal government's efforts to improve the health tech ecosystem and build an interoperability framework come with potential data privacy and security concerns, experts say.
On July 30, 2025, at a White House event, CMS announced that it secured commitments from major tech companies, patient-facing app developers, payers and health systems to voluntarily participate in its new health tech ecosystem initiative. The initiative centered around two directives: creating an interoperability framework to improve information sharing and increasing the availability of personalized digital health tools.
Tech companies like Amazon, Google, Apple and OpenAI joined the initiative, agreeing to lay "the foundation for a next-generation digital health ecosystem that will improve patient outcomes, reduce provider burden, and drive value," the CMS announcement stated.
Dozens of companies pledged to deliver results in the first quarter of 2026. However, while the goals are clear, details on how they will be achieved are scarce, and experts are concerned about implementation challenges.
In particular, bringing non-HIPAA-covered entities into the mix to solve interoperability challenges could result in data security and privacy issues, adding complexity to existing compliance hurdles.
"It seems likely that as the number of participants in the initiative grows and barriers to sharing patients' data are removed, there will also be an increase in data breaches due to inappropriate access or use of information," Betsy Hodge, partner at Akerman, said in an interview.
"The more valuable health information that is available, the greater the risk that some will abuse that access. At this time, it's unclear how enforcement of such inappropriate access or use of individuals' health data, and particularly sensitive health data, will be addressed."
While the initiative is still in the early stages, experts are working to decipher the material impacts it could have on the health tech space and the implementation and data privacy concerns that come with it.
Core tenets of the interoperability framework, health tech initiative
CMS described its interoperability framework as a "voluntary blueprint for modern health data exchange that puts patients and providers first."
Efforts to improve interoperability have been underway for years. For example, Health Level Seven International's Fast Healthcare Interoperability Resources (FHIR) first emerged as a draft standard in 2014. What's more, there are now guardrails around information blocking in the health IT space. Most notably, the Trusted Exchange Framework and Common Agreement (TEFCA) enabled the exchange of 7.8 million documents in its first year since becoming operational in December 2023.
Still, interoperability remains a challenge that CMS' new framework aims to address.
Some of the framework's criteria include facilitating access to data using FHIR application programming interfaces (APIs), enabling patients to access their medical information using applications of their choice and enforcing access control and consent policy appropriate to the data access context.
CMS' interoperability framework has five key focus areas: patient access and empowerment; provider access and delegation; data availability and standards compliance; network connectivity and transparency; and identity, security and trust.
CMS said that the identified criteria are intended to illustrate the initiative's overarching goals. Early adopters will work with CMS to publish concrete implementation guidelines.
Notably, the framework is not intended to preempt federal or state privacy laws, such as HIPAA. All HIPAA-covered entities and business associates implementing the framework are still required to adhere to HIPAA.
"The Office of Civil Rights (OCR) supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security," OCR Director Paula M. Stannard said in the announcement.
"If an individual receives another individual's electronic protected health information in error, generally, OCR's primary HIPAA enforcement interests are ensuring that the affected individual and HHS receive timely HIPAA breach notification."
More than 20 early adopters, including Epic, Innovaccer and athenahealth, agreed to adopt the interoperability framework criteria in the first quarter of 2026, designating them as "CMS aligned networks."
In addition to the interoperability framework, tech companies and healthcare organizations pledged to deliver digital health tools and apps to patients for diabetes and obesity management, as well as conversational AI assistants that can help patients check symptoms and schedule appointments. These companies also pledged to "kill the clipboard" by replacing paper intake forms with digital check-in methods.
"For too long, patients in this country have been burdened with a healthcare system that has not kept pace with the disruptive innovations that have transformed nearly every other sector of our economy," CMS Administrator Mehmet Oz, M.D., said in the announcement.
"With the commitments made by these entrepreneurial companies today, we stand ready for a paradigm shift in the U.S. healthcare system for the benefit of patients and providers."
Increased complexity drives data privacy concerns
While the health tech ecosystem initiative holds promise for improving interoperability and streamlining patient experiences, it has also sparked questions about the role of non-HIPAA-covered technology companies in the U.S. healthcare system.
For example, the initiative garnered pledges from companies such as Noom, a weight loss management application, and Oura, a fitness tracker. These companies are not beholden to HIPAA on their own. However, they pledged to "connect to CMS aligned networks or personal health apps and, with patient consent, securely access relevant health data to deliver personalized support," bringing them deeper into the U.S. health data ecosystem.
"From the patient perspective, especially with apps that are not subject to HIPAA, individuals are going to have to do their homework to understand the promises that the app companies are making with respect to collection and use of their data," Hodge noted.
"That is a real challenge for consumers, particularly when trying to understand secondary uses of individuals' data and the monetization of their data. At the same time, some patients may elect not to share their information because they don't want 'the government' or 'big tech' to have their sensitive health data."
Hodge added that healthcare organizations subject to HIPAA will increasingly have to interact with entities that have limited experience handling sensitive health information, contributing to compliance complexities.
In addition to privacy and compliance concerns, the initiative presents security challenges.
"First, the expanded app and vendor ecosystem introduces uneven protections -- many consumer apps sit outside traditional HIPAA guardrails -- so data can move faster than governance if organizations aren't explicit about consent and obligations," said Joel Burleson-Davis, CTO at Imprivata.
"Second, the API layer becomes a high-value target: over-broad scopes, long-lived tokens, bulk-export staging, and proliferating service accounts create an outsized blast radius if not governed with least privilege and strong oversight of third-party and privileged access."
Moving forward
Despite these concerns, experts shared optimism about the initiative's core principles: championing interoperability and making it easier for patients and providers to navigate the healthcare ecosystem.
"The direction is right, and the near-term goals are realistic in meaningful slices," Burleson-Davis said.
However, careful, privacy-minded implementation will be the key to the initiative's success.
"Healthcare organizations that are not subject to HIPAA will need to understand what data privacy and security commitments to patients they can honor," Hodge said.
"Overpromising and underdelivering on data privacy and security promises can lead to enforcement actions by the FTC and state attorneys general, among other regulators."
Hodge noted that it could be helpful for early adopters to develop guidelines to ensure the privacy of patient information across the ecosystem, given that the participating entities are subject to different privacy requirements.
As the current administration works to modernize the health tech ecosystem, privacy and security must remain priorities.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.