WASHINGTON, October 6, 2024 — More than 60 health systems are urgently calling for increased security measures within national health record exchanges, fearing sensitive patient data is vulnerable to unauthorized access. The plea follows a recently filed lawsuit alleging deliberate misuse of the system by entities posing as legitimate healthcare providers.
Growing Concerns Over Patient Data Security
Health systems are raising alarms about potential breaches within networks designed to share electronic health records.
- The Sequoia Project, which runs the Carequality exchange, and officials overseeing the Trusted Exchange Framework and Common Agreement (TEFCA) are being asked to take action.
- Current regulations allow anyone claiming to be a healthcare provider to join the network and request patient records.
- An ongoing lawsuit brought by Epic alleges that organizations like Health Gorilla have facilitated improper access to patient data.
The letter was addressed to Mariann Yeager, CEO of The Sequoia Project, which operates the Carequality private health exchange framework, and to Steve Posnack, Principal Deputy Assistant Secretary for Technology Policy, who oversees TEFCA within the nation’s health IT office. The core complaint is that the system as it stands does not effectively stop individuals or organizations with no legitimate right to view records from obtaining them.
The gap arises because existing exchange frameworks and health privacy laws permit any party that identifies itself as a healthcare provider to join the network and request electronic health records; membership is granted on the strength of that claim. A malicious actor who makes the claim can therefore obtain confidential patient information it has no legal right to see.
Did you know? The Trusted Exchange Framework and Common Agreement (TEFCA) is a set of standards designed to enable nationwide health information exchange.
The concerns are directly linked to a lawsuit filed against Health Gorilla, an organization that onboards new members onto the exchange network. Electronic health record company Epic brought the action earlier this year, alleging that “bad actors” exploited the network’s weak participant vetting to gain access to patient data and then misused that access.
The Role of Carequality and TEFCA
The Sequoia Project, as operator of Carequality, and Steve Posnack, as the official overseeing TEFCA, are now under pressure to address these weaknesses. TEFCA, which The Sequoia Project helps run under a government contract, aims to set a universal floor for health information exchange. Its current structure, however, makes joining the network comparatively easy, which raises questions about how well it safeguards patient privacy.
The health systems’ letter underscores a growing anxiety within the industry about the balance between interoperability – the ability of different health IT systems to exchange and use data – and data security. While seamless data exchange is crucial for coordinated care, it must not come at the expense of protecting sensitive patient information.
Looking Ahead
The outcome of the Epic lawsuit and the response from The Sequoia Project and the health IT office will likely shape the future of health information exchange in the United States. Stronger identity verification of participants joining the network and stricter access controls on record requests are seen as the critical steps for reducing unauthorized access and maintaining patient trust.
