
Health systems urge TEFCA, Carequality to employ stricter privacy controls

In a letter to The Sequoia Project, dozens of health systems advocated for stronger privacy protections in nationwide health data exchange frameworks.

More than 60 health systems cosigned a letter urging nationwide health data exchange frameworks to implement stronger privacy and security controls. Specifically, the letter highlighted a "clear pattern of bad actors improperly obtaining patients' medical information," which it said necessitates stricter privacy practices in frameworks such as TEFCA and Carequality.

The Jan. 22 letter, which was shared with Health IT and EHR, was addressed to The Sequoia Project CEO Mariann Yeager. Leaders from Catholic Health, Cedars-Sinai Medical Center, NYU Langone Health, St. Luke's Health System and dozens more signed the letter. 

"To protect patients' privacy, there is an urgent need for the frameworks to implement centralized vetting, onboarding, and monitoring controls," the letter stated.  

"Details on exchange activity must be made publicly available, and when potential privacy issues are identified, they must receive timely, effective, and transparent resolutions." 

The health systems recommended that TEFCA and Carequality assign framework staff to vet prospective organizations looking to exchange medical records, rather than relying on self-attested business descriptions. These assigned reviewers should consider the organization's national provider identifiers and any past criminal activity, the letter stated. 

Additionally, the health systems suggested that organizations should be required to attest to their business descriptions and exchange purposes to HHS, with the knowledge that making false representations to a federal agency is a punishable offense. 

The organizations also urged TEFCA and Carequality to establish mechanisms to identify potentially fraudulent behavior. These mechanisms could include automated detection of anomalous exchange patterns, verification of credentials or reporting hotlines. 

The frameworks should also be required to be transparent about network activity, the letter suggested. The health systems urged the frameworks to create publicly available directories disclosing the parties that are transacting sensitive medical data, to display public metrics on how many records each party has taken and contributed, and to report the data retention policies of intermediaries.

Additionally, the entities urged TEFCA and Carequality to improve their issue resolution processes by establishing escalation pathways to resolve the disputes that come up as a result of ongoing monitoring. 

"All dispute resolutions should be made publicly available so that participants can understand any privacy and security risks caused by the inappropriate taking of data, and the community can learn from the process," the letter noted. 

Lastly, the health systems recommended that the frameworks create a digital health fraud task force with federal agencies and state attorneys general to crack down on falsified documentation, identity impersonation and high-volume data harvesting. 

The letter arrived days after Epic, alongside OCHIN, Reid Health, Trinity Health and UMass Memorial Health, filed a lawsuit against Health Gorilla, RavillaMed, LlamaLab AI and others, alleging that the companies exploited TEFCA and Carequality to steal sensitive patient data.

Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.
