AHA Urges Delay on TEFCA Individual Access SOP over Patient Privacy Concerns

The Trusted Exchange Framework and Common Agreement (TEFCA) is the nation’s blueprint for interoperable health data exchange, and the Sequoia Project serves as its operational hub. Version 3.0 of the Individual Access Services (IAS) Standard Operating Procedures was scheduled for implementation in August 2027, aiming to streamline patient‑direct access by introducing automated matching algorithms. Proponents argue that faster, more accurate matching can reduce administrative burden and improve patient engagement, positioning TEFCA as a catalyst for a more connected health ecosystem.

However, the American Hospital Association has raised red flags about the proposed methodology. By allowing patient‑matching to occur with limited provider verification, the SOP could conflict with existing HIPAA mandates that require covered entities to confirm identity, consent, and authority before releasing protected health information. The AHA warns that such gaps may lead to unauthorized disclosures, data‑breach investigations, and costly litigation, especially as hospitals already face heightened scrutiny from state and federal regulators. The association’s call for a statutory safe‑harbor reflects a broader industry desire for clear, legally binding guidance that reconciles innovative data‑exchange models with entrenched privacy obligations.

If the Sequoia Project heeds the AHA’s request, the delay could reshape the TEFCA rollout timeline, prompting policymakers to issue interim guidance or amend the framework to incorporate explicit verification safeguards. For health systems, a postponed SOP offers a window to adapt internal workflows, invest in robust identity‑management tools, and negotiate contractual protections. Meanwhile, vendors developing matching algorithms may need to redesign solutions to meet stricter verification criteria. Ultimately, the debate underscores the tension between accelerating health‑information interoperability and preserving patient privacy—a balance that will define the next phase of digital health policy.