Health Data Exchange: Systems Demand Safeguards Against Unauthorized Access
Over 60 health systems have formally requested action from officials overseeing national health record exchanges to address vulnerabilities that could allow unauthorized access to patient data. This move follows a recent lawsuit filed by electronic health record company Epic, detailing alleged instances of such unauthorized access.
Concerns Over Data Security
The letter was addressed to both Mariann Yeager, CEO of The Sequoia Project, and Steve Posnack, Principal Deputy Assistant Secretary for Technology Policy. The Sequoia Project operates Carequality, a private health exchange framework, while Posnack oversees the Trusted Exchange Framework and Common Agreement (TEFCA) within the nation’s health IT office. Notably, Yeager, as CEO, also manages the operation of TEFCA under a government contract.
How Access is Currently Granted
Current frameworks and existing health information exchange laws permit individuals claiming to be healthcare providers to join the network and request patient records. This structure creates a potential pathway for organizations falsely presenting themselves as providers to gain access to sensitive health information they are not legally entitled to view.
The recent lawsuit brought by Epic against Health Gorilla, an organization involved in onboarding new members to the exchange network, centers on this very issue. The complaint outlines alleged actions by entities exploiting this access point.
Potential Implications
The concerns raised by the health systems and highlighted in the Epic lawsuit point to a fundamental challenge in balancing the goals of interoperability – seamless data sharing between providers – with the critical need to protect patient privacy. If these vulnerabilities are not addressed, trust in the health information exchange system could erode.
One possible next step is to strengthen verification processes for entities seeking access to the exchange network. Another potential outcome is increased scrutiny of organizations like Health Gorilla, which play a role in member onboarding. Analysts expect further debate regarding the appropriate balance between open access and stringent security measures.
Frequently Asked Questions
What is Carequality?
Carequality is a private health exchange framework run by The Sequoia Project.
What is TEFCA?
TEFCA, or the Trusted Exchange Framework and Common Agreement, is overseen by Steve Posnack and operated by The Sequoia Project under a government contract.
What is the core issue highlighted in the Epic lawsuit?
The Epic lawsuit against Health Gorilla centers on the potential for organizations posing as healthcare providers to gain unauthorized access to patient records.
How might these concerns impact the future of health information sharing?