TEFCA crossed one billion health records exchanged in under a year, and federal regulators are moving to add auditing capacity after multiple lawsuits alleged some network participants were accessing patient data for purposes other than treatment.
What happened
The Office of the National Coordinator for Health Information Technology announced on June 26, 2026, that more than one billion patient health records have been exchanged through the Trusted Exchange Framework and Common Agreement (TEFCA), the federal government's nationwide network for sharing electronic health information between providers, payers, and patients. According to Healthcare Dive, that figure represents rapid growth from approximately 10 million exchanges in January 2025. Alongside the milestone, ONC awarded a contract worth $1.28 million in its first year, potentially renewing annually through June 2031 for a total of $5.5 million, to Alliance Global Tech, a Maryland-based federal IT and cybersecurity contractor, to verify that organizations participating in TEFCA follow the network's required policies and procedures. ONC is also conducting additional reviews of Qualified Health Information Networks (QHINs), the organizations that connect healthcare providers to the TEFCA network, and their participants to confirm compliance with the framework's operating requirements.
Going deeper
The oversight investment follows a year of legal disputes over how TEFCA network participants have been using patient data. According to Fierce Healthcare, Epic Systems and a group of healthcare organizations including OCHIN, Reid Health, Trinity Health, and UMass Memorial Health filed a lawsuit in January against Health Gorilla, a QHIN, and several of its clients, alleging the defendants accessed medical records under the pretense of treatment while actually using the data for other purposes, including marketing to law firms seeking claimants for mass tort litigation. One defendant, GuardDog Telehealth, admitted to providing patient records to law firms and signed a federal court order permanently barring it from accessing records through TEFCA and a related framework called Carequality. Separately, Particle Health has an ongoing antitrust lawsuit against Epic in the Southern District of New York, alleging Epic cut off legitimate data access to suppress competition, a case that survived a motion to dismiss on its core monopolization claims. In January, more than 75 health systems sent a letter to federal officials specifically flagging concerns about bad actors gaining unauthorized access to patient records through the network.
What was said
HHS Secretary Robert F. Kennedy Jr. stated in the HHS press release, "Americans deserve secure, timely access to their health records. We are strengthening TEFCA to put patients in control of their health information, improve care coordination and ensure health data moves securely where it is needed. Access to your own health records is a fundamental right." National Coordinator for Health IT Dr. Thomas Keane said ONC will refer any behaviors identified as "potentially civilly or criminally actionable, including information blocking and fraud" to the HHS Office for Civil Rights, the HHS Office of Inspector General, and the Department of Justice. OCR Director Paula Stannard added that "trust in those principles is foundational and nonnegotiable. Individuals who believe that their right to access their health information has been denied or that its security has been violated can file a complaint with OCR."
In the know
Health Gorilla CEO Bob Watson, whose company has been named as a defendant in the Epic litigation, argued publicly that federal oversight of TEFCA governance is necessary regardless of the ongoing legal disputes. Watson compared the needed function to that of the Securities and Exchange Commission, telling Healthcare IT News that compliance costs are currently disproportionately burdensome for small businesses handling TEFCA participation on their own, and that centralizing governance under federal oversight would reduce the outsized influence that large EHR vendors currently hold over network decision-making. His comments indicate a broader industry tension between the network's rapid growth and the governance infrastructure needed to police it.
The big picture
A network exchanging one billion patient records in under a year, without a dedicated federal auditing function until now, represents the kind of scale-outpacing-governance gap that healthcare compliance officers should treat as a warning sign rather than reassurance. TEFCA's "treatment" access pathway, the mechanism organizations allegedly exploited to access records under false pretenses in the Health Gorilla litigation, shows how a legitimate interoperability framework can be misused when verification depends on participant self-attestation rather than independent audit. According to the American Hospital Association's letter to federal officials, more than 75 health systems raised concerns in January 2026 that self-attestation and decentralized oversight could not adequately protect patient data across nationwide exchange frameworks, for covered entities and business associates connected to TEFCA or considering connection, the new oversight contract signals that ONC intends to move from a trust-based model to an actively monitored one, with clear referral pathways to OCR, the HHS Office of Inspector General, and the Department of Justice for violations. Organizations should treat their own TEFCA data access logs and purpose documentation as material that federal reviewers may now examine directly, not simply as records to produce if asked.
FAQs
What is TEFCA, and why does it matter for healthcare organizations?
TEFCA is a nationwide framework mandated by the 21st Century Cures Act that establishes common rules for exchanging electronic health information between providers, payers, and patients. Organizations connect to the network through Qualified Health Information Networks, allowing them to request and share patient records more efficiently than through point-to-point connections with each individual healthcare organization.
What is the "treatment" pathway that was allegedly misused in the Health Gorilla litigation?
TEFCA allows organizations to request patient records for treatment purposes without needing separate patient consent for each request, since treatment access is considered a permitted use under HIPAA. The lawsuit alleges some organizations requested records citing treatment purposes but then used the data for other purposes, including marketing to law firms, which would constitute a misuse of that access pathway.
What does the new oversight contract actually change about how TEFCA is monitored?
Previously, TEFCA participant compliance relied heavily on self-attestation, meaning organizations affirmed they were following the rules without independent verification. The new contract funds active auditing and review of QHINs and their participants, moving toward external verification rather than trusting participant statements alone.
What happens if ONC identifies information blocking or fraud during its reviews?
ONC has stated it will refer potentially actionable violations to the HHS Office for Civil Rights, the HHS Office of Inspector General, and the Department of Justice for investigation. Certified health IT developers found in violation could face penalties up to $1 million per incident, while providers found to be information blocking risk losing Medicare payments.
How should a healthcare organization connected to TEFCA prepare for increased federal oversight?
Organizations should review and document the actual purpose behind every data request made through the network, ensure internal policies align with TEFCA's stated access pathways, and treat data access logs as records that may be subject to direct federal review rather than an internal audit alone. Any organization uncertain whether its current data-sharing practices would withstand independent scrutiny should address that gap before ONC's expanded reviews reach them.
