
In or out? TEFCA participation rules limit some providers

Some providers may not seem to fit under the current definition of a HIPAA-covered entity, but one expert recommends a thorough review of transactions to check TEFCA eligibility.

TEFCA implementation is moving forward, but some providers remain on the outside. With current participation requirements, those who don't bill insurance, such as free clinics, behavioral health providers, community care organizations and concierge care, can find it difficult to pass vetting. These requirements can also complicate onboarding for large health systems with sub-participants and business partners in these categories.

Criteria changes narrow participation

With the release of TEFCA's Common Agreement Version 2.0, TEFCA governance narrowed the criteria for requesting medical records under the Required Treatment use case. Previously, requestors had to be licensed providers, but the change restricted the category to HIPAA-covered entities.

According to the Department of Health and Human Services, only healthcare providers who engage in specific types of electronic transactions meet the definition of a covered entity. This definition can leave out those who don't bill insurance but still provide medical care -- a market segment that is growing rapidly with the advent of care models like concierge health services and direct primary care.

"The TEFCA 'Required Treatment' definition needs to change due to the exclusion of providers like concierge medicine, free clinics and certain assisted living facilities," said Marilee Benson, president of Zen Healthcare IT.

According to Benson, the HIPAA "covered entity" definition doesn't apply well for this purpose. "That law was created many years ago... It wasn't written in the world of clinical exchange. And that is hurting this definition," she said.

Meanwhile, some vendors are applying TEFCA-like restrictions in other networks. Benson said Epic now requires Carequality participants to also be covered entities, limiting access for organizations that were previously able to exchange data under the framework. "Participants who were approved for Carequality last year are suddenly not getting through Epic's phone book review process," Benson said.

When asked about this issue, Rob Klootwyk, Epic's director of interoperability, responded: "TEFCA came out with a definition of required response treatment last summer. We're trying to balance that as an industry. Physicians and covered entities are accountable to patients for keeping medical information private. To ensure these organizations can keep their commitments to patients, they should sign off on the expansion of TEFCA use cases that require automatic disclosure of patient records on request."

In a past interview, Klootwyk described this type of access as "the keys to the kingdom," cautioning that it cannot be given lightly.

Practical implications

For large health systems with diverse subsidiaries, business units or external partners, leaders may find that while the parent organization qualifies under HIPAA, some departments or affiliates fall into grey areas.

Benson recommended a thorough look at the provider's transactions in these situations. Although a provider may not appear to qualify initially because it doesn't bill insurance, other HIPAA transactions conducted via Electronic Data Interchange may still qualify it. Examples include insurance coverage verification, claims submission and processing, payment remittance, referral authorizations and coordination of benefits.

"Many providers think they are not covered entities because they don't bill insurance," Benson explained. "But some do qualify through other HIPAA transactions, like checking eligibility via EDI. It's worth looking closely."

Benson also urged health systems onboarding multiple partners and connecting via third-party assistance to familiarize themselves with the Delegation of Authority policy -- an operational change introduced in 2025. If a healthcare provider chooses to use a third party -- such as a health IT vendor, HIE or integration partner -- to access TEFCA on their behalf, a formal DoA notice must be completed and signed by the provider organization.

While a DoA doesn't make an organization eligible, it is a mandatory step for any eligible organization connecting through another party, because it authorizes the representative to act on the organization's behalf.

Predicting future policy shifts

As the industry navigates the balance between patient privacy and efficient information exchange, these limitations may shift. In July 2025, the Centers for Medicare and Medicaid Services released its Interoperability Framework, which embraces a federated, multi-network approach that includes a wide range of healthcare organizations, from data networks to patient-facing apps -- not just traditional covered entities.

This commitment may indicate broader participation and more use cases over time. "We're hopeful that policies will evolve to include providers who are actively engaged in care delivery -- even if they don't meet the current claims-based definition," said Benson.

Elizabeth Stricker, BSN, RN, comes from a nursing and healthcare leadership background, and covers health technology and leadership trends for B2B audiences.
