In the evolving landscape of healthcare interoperability, there has long been a promise—a vision that, through the judicious implementation of national frameworks and trusted exchange networks, we would finally tear down the walls that have long isolated patient health data in proprietary silos. TEFCA, the Trusted Exchange Framework and Common Agreement, was heralded as a foundational step toward this vision, bringing with it the hope of seamless, modern, patient-centric access to health records. Yet, in the very early stages of its implementation, an insidious contradiction has emerged. While TEFCA promotes itself as a facilitator of equitable data access, its current operationalization actively excludes a growing segment of healthcare providers: cash-pay clinics. These are not rogue operations or fringe entities. They are state-licensed, HIPAA-compliant, often digitally forward clinical practices that, in many cases, offer superior patient engagement and continuity of care. And yet, these same clinics now find themselves shut out of the national networks they once accessed, not because they lack clinical legitimacy, but because they have opted out of the traditional insurance model.

This contradiction is not just philosophical; it is operational and profoundly damaging. Recently, I spoke with the leadership team of a primary care clinic that has structured itself around the principles of direct care. Their mission is simple: remove administrative waste, offer transparent pricing, and prioritize the doctor-patient relationship over bureaucratic documentation. And yet, in a situation that should alarm any serious policymaker, this clinic was forced to delay care for an elderly patient because they could not receive her records in time. The hospital where she had recently been admitted, tethered to legacy workflows and suspicious of the clinic’s “non-traditional” payment model, failed to send the records electronically. Instead, they were faxed—a method whose failure rate, latency, and lack of security is universally derided in the digital health space. Ironically, this clinic had been part of a Health Information Exchange just a year prior. Their credentialing had not changed. Their commitment to treatment and HIPAA compliance had not changed. What had changed was the policy landscape—swept up in the aftermath of a single interoperability scandal and the reactive governance that followed.

To understand how we arrived at this impasse, one must look at the ripple effects of what occurred between a data intermediary and one of the largest electronic health record vendors in the country. The dispute began with the onboarding of certain entities to a national interoperability network under the guise of treatment-based access. While the technical definitions of treatment under HIPAA are relatively broad, the application of those definitions, when filtered through the lens of risk aversion and competitive protectionism, can be interpreted far more narrowly. A handful of onboarded organizations were found to be engaging in what appeared to be non-treatment activities, such as funneling patient data for mass tort legal actions. The data intermediary facilitating their access faced scrutiny, and rightly so. There is no place for abuse in networks designed for clinical care. But the ensuing response from dominant network stakeholders—particularly from those who control access to massive swaths of hospital and EHR data—was both sweeping and blunt. Rather than targeting the misuse with scalpel-like precision, they wielded a hammer.

The result was the application of newly stringent Standard Operating Procedures, or SOPs, for vetting participants in interoperability frameworks. These SOPs, developed quickly and with limited transparency, redefined eligibility in ways that effectively equated clinical legitimacy with insurance participation. The logic, if it can be called that, was straightforward: entities participating in insurance billing were easier to vet, track, and control. They left digital trails through claims data, could be reported for fraud through payor relationships, and were generally part of the same ecosystem of incentives that had long governed legacy healthcare institutions. Cash-pay providers, by contrast, were harder to monitor through traditional mechanisms and thus, in the eyes of SOP authors, posed a risk.