Charting the Way Forward: New Efforts to Advance Electronic Health Information Sharing
In July 2025, the Trump administration announced a new effort (“Making Health Tech Great Again”) towards health data interchange (referred to in this brief as “interoperability”). This announcement accompanied voluntary commitments from more than 60 providers, payers, and software companies—vendors of electronic health records (EHR) systems, health care analytics platforms, and those traditionally outside the realm of health care, such as artificial intelligence (AI) companies. The announcement focused on two concepts: establishing (1) a Centers for Medicare and Medicaid Services (CMS) “Interoperability Framework,” which refers to a set of criteria and other agreements; and (2) “CMS Aligned Networks,” which are networks of entities that voluntarily agree to adhere to the Interoperability Framework and other agreements that support a standardized system to share information electronically. The new ecosystem would serve users—including providers, health insurance plans (“payers”), and patients—who would connect through applications (or “apps”) or other software. These efforts are intended to facilitate more seamless sharing of health information between these users, and to increase the availability of patient-facing digital health tools. This issue brief examines the new initiative, provides an overview of key health information technology (IT) laws and regulations, and highlights some challenges to health data interoperability.
What Is Interoperability?
In general, interoperability refers to the capability for different technology systems to communicate with each other and share information, even if those systems were made by different companies. In the health care context, interoperability enables different health care providers, hospitals, health insurers, health apps, and patients to efficiently and securely share a broad array of electronic health information without special effort. For example, say a patient moves across the country and finds a new doctor. With interoperability, the patient’s new doctor should be able to quickly and securely retrieve the patient’s medical history electronically. Without interoperability, the doctors might have to send faxes or make phone calls to exchange that information, which could delay care.
Interoperability requires standardization of the information that is shared so that it is in the same format and can be passed seamlessly between unaffiliated systems. For example, a standard “Continuity of Care Document” (CCD) contains a summary of specific clinical information about a patient. After a patient has been hospitalized, the CCD can be sent electronically to the patient’s regular doctor so that the doctor is aware of why the patient was hospitalized, what care was provided, what medications the patient was given, and other important clinical information. A CCD may, for example, be made available to an organization that facilitates the exchange of electronic health information (a “health information exchange”), which coordinates the aggregation and distribution of health information and forwards the document to a health care provider.
Electronic information sharing is not limited to the movement of clinical information between patients and providers but also includes the sharing of administrative information between these entities and payers to determine whether a claim for benefits, including prior authorization, is covered by the plan, or to make information available about a plan’s provider network.
What is the New CMS Interoperability Framework?
CMS issued a request for information (RFI) in May 2025 seeking input on ways to advance a seamless, secure digital health infrastructure. Based on the input received from the RFI, CMS announced its voluntary new Interoperability Framework in July 2025 and reported that more than 60 private sector entities had agreed to participate. While full specifications still need to be developed, the CMS Interoperability Framework contains some details as to who the users will be and how they could interact with the CMS Aligned Networks.
- Providers will have access to discrete (e.g., medication dosages) and non-discrete (e.g., x-ray imaging) data in a timely fashion, as well as derived quality measures.
- Payers will distribute claims data and respond to requests from other entities, such as providers and other payers.
- Patients will be able to control their medical information on the network securely and transparently. They interface with these networks through apps with one of the following initial uses:
  - Management of diabetes and obesity, delivering tailored guidance to the patient
  - Conversational use of AI assistants to provide personalized help based on the patient’s medical record
  - A so-called “Kill the clipboard” initiative to increase the use of automation for administrative tasks, such as a patient retrieving their past health records via a QR code on their smartphone. This could eliminate the need for patients to fill out paper forms at the doctor’s office.
It remains to be seen how these new voluntary commitments will play out and what impact they will have on patients. This is not the first time organizations have pledged to work towards interoperability. Much of what was announced echoes previous pledges many of the same companies have already made to increase interoperability. Initiatives to allow electronic platforms to connect with each other in a standardized way have been around for some time. However, this iteration includes specific target applications for this technology, involving technology and standards that did not exist in the previous round of commitments, as well as expanding the scope of what types of organizations get a seat at the table, such as AI companies.
CMS hopes to showcase the efforts of “early adopters” meeting the Interoperability Framework’s goals in the first quarter of 2026 and to collaborate with early adopters in developing implementation guidelines for criteria that are currently less mature. In its announcement, CMS lists 26 “visionary” criteria, with four items related to data availability and standards compliance that early adopters will plan to meet by July 4, 2026:
- Facilitating or providing access to data using specific technical standards
- Making chart notes and other clinical documents available in human-readable formats (e.g., PDFs)
- Providing appointment and encounter notifications for outpatient, telehealth, emergency department, and inpatient visits using specific technical standards
- Collaborating with CMS to implement medical record locator functionality to more efficiently identify the electronic location of records
In addition to this new initiative, in a June 2025 press conference discussing the May RFI, CMS announced other initiatives related to the health technology ecosystem, including taking steps toward the creation of a national provider directory.
What is the History of Health IT and Interoperability in the U.S.?
Is health IT interoperability a new federal policy initiative?
No. Initiatives to develop standards-based connections to improve how the fragmented U.S. health system functions have been around for some time. Health insurance information, such as eligibility and claims, has had electronic specifications via the American National Standards Institute’s (ANSI) X12 standards for decades. Health Level 7 (HL7), an international organization dedicated to developing standards for the exchange of electronic health information, has evolved its standards since the late 1980s.
While the Health Insurance Portability and Accountability Act (HIPAA) is mostly discussed as a law regulating health information privacy and security, it was passed by Congress in 1996 to set standards for and to promote electronic data interchange (EDI)—standardized formats for certain health care transactions to promote “administrative simplification” in the health care system.
These early actions were followed by a 2004 executive order and several federal laws and regulations that have been the primary building blocks for federal interoperability standards. Two laws in particular—the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the 21st Century Cures Act (Cures Act) of 2016—created a patchwork of specific standards and incentives for voluntary actions by various stakeholders to create an interoperable health care system.
The HITECH Act incentivized “meaningful use” of electronic health records (EHR) systems among those providing services for Medicare patients—almost all non-pediatric providers—by tying Medicare reimbursement to demonstration of use of certified EHR technology. In 2009, 12% of hospitals used a certified EHR; by 2014, the share had risen to 97%. Broad adoption of EHR technology has led to increased digitization of health information, resulting in the opportunity for electronic data interchange.
The Cures Act added several parts of the interoperability framework that are still being implemented through different initiatives and regulations by CMS and the Office of the National Coordinator for Health Information Technology (ONC), now also the Assistant Secretary for Technology Policy (ASTP), which directly oversees health IT standards development and data policy. A selection of these initiatives is discussed below.
What are the key parts of federal interoperability?
Key parts of the federal interoperability landscape include:
1. A Health IT Certification Program. ONC oversees a program for the voluntary certification of health IT. The program sets a baseline standard for how health IT software, such as electronic health records, operates. A final rule issued in 2020 included initial development of the United States Core Data for Interoperability (USCDI), standards for describing the types of health data that may be exchanged. The Fast Healthcare Interoperability Resources (FHIR) specification maintained by HL7 provides the technical framework for transmitting information according to USCDI, and is a commonly-used standard for exchanging health information covering a broad assortment of clinical and administrative data.
2. Prohibitions on “Information Blocking.” Information blocking is any practice that interferes with, prevents, or discourages the access, exchange, or use of electronic health information—practices that may interfere with interoperability. Federal information blocking restrictions apply to health care providers, developers of certified health IT, and organizations that exchange health information. For example, information blocking can take the form of charging patients excessive fees to access their medical records or preventing patients from sharing their records with other health care providers. Notably, the Cures Act clarified that health IT developers and health care providers can independently engage in information blocking. According to a federal report to Congress before the Cures Act, information blocking specifically by EHR developers presented barriers to access to and exchange of health information. The Cures Act established a complaint and enforcement mechanism for violations.
3. Requirements on CMS-regulated payers to maintain application programming interfaces (APIs). CMS has directly influenced interoperability by mandating data exchange in programs it regulates: issuers of qualified health plans (QHPs) on the federal ACA Marketplace, Medicaid and the Children’s Health Insurance Program (CHIP) fee-for-service and managed care plans, and Medicare Advantage. Part of a broader push under the Cures Act to enhance interoperability and transparency, the 2020 CMS Interoperability and Patient Access final rule mandated that CMS-regulated payers implement standardized APIs for the exchange of health information (e.g., patient claims history and encounter data) and details about their provider networks (e.g., provider names and contact information) between payers (except issuers of QHPs on the federally facilitated Marketplace). APIs, in general, allow different software programs to communicate and share information more seamlessly. Other key provisions of the 2020 rule include requiring: most CMS-regulated payers to exchange certain clinical data with other payers at the patient’s request; CMS to publicly report health care providers, hospitals, and critical access hospitals (CAHs) who may be engaged in information blocking; and most hospitals to send electronic notifications of a patient’s admission, discharge, and transfer information to all applicable health care providers and facilities.
The 2024 CMS Interoperability and Patient Access final rule, which will take full effect by January 2027, builds upon the 2020 Interoperability and Patient Access final rule and adds new provisions aimed at increasing data sharing and streamlining and automating prior authorization processes for insurance programs overseen by CMS. In both rules, affected payers are required to use FHIR APIs to securely exchange health data.
4. Development of a “Trusted Exchange Framework and Common Agreement” (TEFCA). Established as part of the Cures Act but not fully implemented until 2023, the Trusted Exchange Framework and Common Agreement (TEFCA) is aimed at promoting the secure and seamless exchange of electronic health information across the networks of health systems, plans, and other health care entities. Intermediary organizations that facilitate information exchange, called Qualified Health Information Networks (QHINs), agree to meet certain technical and legal requirements for facilitating information sharing. The roster of TEFCA’s QHINs continues to grow. QHINs agree to comply with the “Common Agreement,” which includes standard operating procedures concerning privacy and security. Providers can then use the QHINs to share information, for example, by retrieving their patients’ records from unaffiliated systems. By establishing a single nationwide framework, TEFCA helped close some of the gaps in prior health information exchange practices: fragmented use, the absence of uniform policies governing whose data are collected and who gets to see them, and the lack of common standards to avoid incompatibility between proprietary health information exchanges. Participation in the Agreement is voluntary.
What federal privacy and security protections exist for patient information shared through these interoperable processes?
Regulations from 2000 established a federal floor of protections for patients’ protected health information (PHI), including safeguards under the Security Rule (2003) for the exchange of electronic PHI between covered entities: health plans, health care clearinghouses, health care providers, and their business associates. The HIPAA Security Rule standards apply to patient health information regardless of whether it is shared with other entities. Even before interoperability was well defined, HIPAA put provisions in place—such as requiring covered entities to implement technical safeguards to prevent unauthorized access during electronic transmission—that remain important for protecting patient data today in the context of interoperability.
HIPAA regulations are now almost 25 years old. Updates to the HIPAA privacy rules were proposed at the end of the first Trump administration, and updates to HIPAA’s security standards were proposed at the end of the Biden administration. Neither has been finalized. It is unclear whether renewed proposals in this area are imminent. HIPAA also does not reach many of the key players in health interoperability, including developers and other business entities that are not providers, plans, or health care clearinghouses. For example, a direct-to-consumer health app from a software developer does not fall under HIPAA. Although non-HIPAA entities that misrepresent or do not follow their privacy policies or mishandle patient data would not face repercussions under HIPAA, they could face federal legal repercussions for “unfair and deceptive” practices under the Federal Trade Commission (FTC) Act. The FTC website offers a health app interactive tool to assist developers in navigating the laws and regulations that may apply to them or their app.
The HITECH Act also introduced new requirements that a covered entity or its business associate must notify affected individuals, within a specified timeframe, of data breaches, which are instances where unsecured, protected health information has been accessed, acquired, or disclosed without proper authorization. The notification must include a brief description of how the breach occurred, the types of unsecured protected health information involved, the steps individuals should take to protect themselves from potential harm, how the entity is investigating the breach, and contact information for individuals with questions. The HITECH Act also requires covered entities and business associates to report data breaches to the U.S. Department of Health and Human Services (HHS) and external sources such as the media.
Additionally, TEFCA includes privacy and security standards in its Common Agreement. Each non-HIPAA entity working with data from a TEFCA entity also must protect identifiable health data, much like HIPAA-covered entities do.
How does value-based care relate to interoperability?
Although the Affordable Care Act (ACA) contains some provisions building upon HIPAA to standardize and simplify electronic data interchange, it also aimed to improve quality through value-based provider payment models (such as Accountable Care Organizations), which need data to coordinate between multiple providers and health care settings. The shift away from traditional fee-for-service payments towards alternative payment models that place financial risk on providers was reinforced with the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015, tying reimbursement to quality measures. The Merit-Based Incentive Payment System, authorized by MACRA, incentivizes providers to engage in interoperability initiatives, such as electronic prior authorization. These changes have helped spur the development of new analytic platforms and services that require timely, accurate health data collection and exchange across providers and health care settings.
What interoperability standards apply to Medicare?
While Medicare Advantage plans must meet API standards from 2020 regulations, enrollees with traditional Medicare have already had access to information exchange through APIs. Early demonstration of patient ownership of health data came from the CMS Blue Button specifications, established by CMS and the Veterans Administration in 2010. The CMS Blue Button was intended to give traditional Medicare beneficiaries and veterans easy access to their personal health records as a text file and to share their records. Blue Button grew to be more sophisticated with the implementation of Blue Button 2.0 in 2018, which additionally allowed data sharing with third-party apps, broadening participants in regulated health data exchange for those covered by traditional Medicare. However, in 2023, CMS reported low enrollee participation in the Blue Button program; as of February 2022 (the most recent data available), fewer than 250,000 Medicare beneficiaries had used it.
What interoperability standards apply to employer-sponsored coverage?
The CMS 2020 Interoperability and Patient Access rules do not apply to health plans sponsored by employers, the largest source of health coverage in the U.S. Payers and third-party administrators (TPAs) may choose to implement interoperability standards, but are not compelled to by the 2020 regulation. Some employer plan sponsors do offer consumer-facing tools that use technologies that may or may not meet federal IT certification standards, consumer protection standards in the 2020 interoperability rule (e.g., opt-out vs. opt-in), or HIPAA standards. These could include digital tools, such as apps similar to Medicare’s Blue Button initiative, that help employees navigate coverage options, clinical decisions, or provide general wellness advice and care. Federal ERISA standards, such as fiduciary requirements, likely apply to decisions by employers to offer these tools, although the reach of these fiduciary standards is still unclear. The voluntary initiative recently announced by the Trump administration could presumably encourage employers to implement more interoperable technologies, although no pledges were made specifically by employers related to the coverage they offer their employees.
What are the Challenges in All These Efforts?
Coalescing around standards requires cooperation between all entities involved. CMS stepping in with this announcement to coordinate efforts could advance interoperability, even if it is not entirely novel. A perennial problem has been that regulation often lags behind technological developments, leading to incompatibility at best and security and privacy issues at worst. As health care information technology continues to shift focus towards AI applications, the arena of organizations that deal with health care data has evolved to include even more players outside of HIPAA’s jurisdiction, which could lead to new privacy and security problems that no federal regulation currently addresses.
Privacy and Security Gaps in the CMS Interoperability Framework
Although the new CMS Interoperability Framework includes security specifications, it does not cover what happens when data travel beyond CMS Aligned Networks. AI tools and advanced analytics may use cloud computing or systems that distribute data processing across connected computers, necessitating transfers of health information beyond the reach of regulation in CMS Aligned Networks and HIPAA-covered entities. When data are moved across connections, information is spread across different systems with differing data management and storage practices. And while the CMS Interoperability Framework requires auditing access within the CMS Aligned Network, this requirement does not extend to data transmitted beyond its boundaries. Accounting of where data has gone may be incomplete, and outdated or inaccurate data may be stored at various sites.
Limitations of HIPAA Privacy and Security Protections
Control and retention of health data are also not cohesively governed by federal law. Some states, such as California, maintain regulations granting patients the right to review and delete their data, even outside of HIPAA-covered entities. However, there is no federal equivalent. (The American Data Privacy and Protection Act, introduced in 2022, would have codified this right, but has not been passed into law.) This latest round of corporate pledges accompanying the announcement includes organizations that have built their businesses by monetizing data. Consumer health apps, fitness trackers, wearable devices, and other health technologies that operate outside traditional health care settings produce data that lie on the periphery of what could be considered protected health information. While they may not be “individually identifiable health information,” the data can still contain sensitive information (e.g., mental health ratings, menstrual cycles, stress scores). The sale of these non-HIPAA-protected data poses a legitimate privacy concern, as does identifiability in aggregate or in conjunction with other personal information, such as what may be obtained from data brokers. Some protections do exist for these data, such as the Health Breach Notification Rule; however, that regulation only retrospectively covers breaches and does not proactively stipulate privacy and security safeguards that might prevent a breach in the first place.
Consumer Consent and Awareness of Privacy and Security Risks
User consent also poses a challenge for data privacy and security. While apps may explain how they use data in their terms and conditions and privacy policies, users might not have the time or expertise to fully understand them. Apps developed outside of the CMS Interoperability Framework may have weaker security and privacy protections than those that follow the security measures integrated into the CMS Interoperability Framework. Users of health data applications may not immediately understand whether their apps follow the CMS Interoperability Framework and, consequently, could be unaware of how their data are handled with respect to privacy and security. Directories of certified apps may help direct users to them (the approach taken with CMS Blue Button apps), but users may obtain their apps outside these listings. Even strict privacy policies are no guarantee that data remain private. Recent FTC action illustrates the risk of health data apps: the agency investigated companies such as GoodRx, BetterHelp, and Flo Health for selling data obtained through their services to third parties, such as social media and data analytics companies, allegedly in violation of their own privacy policies.
Complexity for Patients and Consumers
In addition to privacy and security challenges, the increased use of health apps and other digital tools that rely on personal health information could add more complexity for patients and consumers, many of whom already have challenges navigating the health care system. The onus falls on the consumer to understand how to use these apps and digital tools, obtain health information from providers, and input it into the app, all of which could require substantial time commitments. Few resources are available to help consumers understand how to use these tools and get their health information. Additionally, the “consumer friendliness” of apps and tools can vary between products; while some developers may test their products with consumers, there is no explicit requirement for developers to make them easy to use for people of all ages, health literacy levels, and technological abilities, or to make consumer support available. Another challenge is expanding the use of digital health tools to people with lower incomes and those who live in rural areas, who are less likely than their peers to own a smartphone or have internet access.
Looking Forward
As apps come online, they may be sold directly to consumers or offered through an insurer or employer. It is unclear how large the appetite for health apps will be, and whether patients will choose to integrate these apps into their health care. Incentives for providers to recommend these apps to their patients are also not well defined. Opportunities for app developers to influence provider practices, such as recommending their product, may pose ethical challenges. At the same time, some of the biggest names in the business have made pledges, and this announcement will almost certainly boost the companies that sell these apps.
Open questions about data privacy, security, and accuracy are key concerns as the details of the CMS Interoperability Framework and associated CMS Aligned Networks are developed. While development of certified health IT software has generally had a focus on privacy and security (and even requires attestation of security for federal ONC certification), how reliable the “early adopters” from outside this sphere are in maintaining tight privacy and security controls remains to be seen.
Unlike federal regulations, these pledges are voluntary and do not create any new legally binding requirements for these entities. Additionally, mechanisms for the CMS Interoperability Framework to evolve with technological advancements have not been defined, since it is not based on regulation. However, a voluntary private sector initiative could evolve more quickly than regulation, which is inherently slower and harder to change. CMS invites early adopters to collaborate to document and publish implementation guidelines, which could be effective in maintaining standards, but may encourage a race to market so that one early adopter’s technology becomes the standard for all.
Even with advancements in health IT, consumers may still have trouble understanding how to access their health information (such as medical records), what their rights are with respect to electronic health information, and how their data are handled. Many consumers are likely unaware of the patchwork of laws, regulations, and voluntary private sector commitments shaping the digital health landscape and to whom they apply. A 2023 Pew Research Center survey found that 72% of Americans say they understand very little or nothing about laws and regulations protecting their data privacy, and that 81% are concerned with how companies use data collected about their users. In the event products fail to comply with external standards or internal policies for data exchange, how does a consumer know? Do consumers know what to do if they suspect their rights are being violated? Do they know how to delete their health information or opt out of automated sharing of their information? The extent to which recent CMS efforts achieve their stated goals will rely heavily on bolstering consumer education and understanding, as well as expanding legal protections that may encourage patients to take on the role that has been the vision of health data interoperability for decades.