On May 16, 2025, HHS published a Request for Information (RFI), 90 Fed. Reg. 21034, inviting public comment on the future of the TEFCA exception within the federal information blocking rules. Issued jointly by CMS and the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC), the RFI directly asks whether the TEFCA exception should be retained, revised, or eliminated. Comments are due June 16, 2025, only one week away.
The RFI reflects a moment of inflection. After more than a year of active implementation, TEFCA participation remains uneven, with many high-profile health systems still in planning phases or standing on the sidelines. At the same time, networks like Carequality continue to impose new procedural requirements that exceed HIPAA’s baseline, raising legitimate questions about whether layering multiple governance regimes may deter, rather than accelerate, participation in nationwide exchange.
Against this backdrop, the RFI seeks to assess whether the TEFCA exception, the regulatory shield that protects certain practices from information blocking liability if they are necessary for and consistent with TEFCA, strikes the right balance or is instead inadvertently creating confusion, double standards, or competitive imbalances that hinder adoption.
The TEFCA Exception: Origins & Purpose
The TEFCA exception was introduced through the HTI-1 Final Rule, published January 9, 2024 (89 Fed. Reg. 1496). Codified under the information blocking regulations at 45 C.F.R. Part 171, the exception was designed to resolve a tension: TEFCA’s governance structure imposes rules and technical requirements that, if viewed in isolation, could arguably be considered “interferences” under the broad definition of information blocking.
For example, TEFCA requires participants to route queries through a Qualified Health Information Network (QHIN), respect network-specific credentialing standards, and comply with TEFCA’s common agreement policies. Outside of TEFCA, imposing similar conditions could possibly be viewed as erecting barriers inconsistent with HIPAA or the information blocking framework. The TEFCA exception therefore provides a carve-out, ensuring that TEFCA participants are not penalized under information blocking laws for complying with TEFCA’s rules.
In principle, the exception appears to serve two policy goals: (1) to encourage participation in TEFCA by providing legal certainty, and (2) to harmonize the information blocking framework with the national “network of networks” envisioned by Congress in the 21st Century Cures Act. But as the RFI acknowledges, the practical impact may be more complicated.
The RFI: Key Questions
The RFI, formally published in the Federal Register on May 16, 2025, seeks comment on several issues:
➔ Policy and technical limitations: Are there features of the TEFCA exception that limit its effectiveness? Do they unintentionally hinder participation in TEFCA?
➔ Competitive neutrality: Does the exception confer advantages on TEFCA participants at the expense of those who participate in other frameworks, such as Carequality, state-level HIEs, or direct API networks?
➔ Impact on adoption: Does the existence of the exception incentivize TEFCA participation, or does it create confusion by applying different rules to the same conduct depending on context?
➔ Future alignment: Should the exception be retained, modified, or sunsetted in favor of a more universal framework for judging whether specific practices are reasonable under the information blocking rule?
The agencies framed these questions broadly, signaling openness to rethinking the exception’s role. This is not merely a technical inquiry; it goes to the heart of how HHS intends to balance flexibility, innovation, and fairness in nationwide data exchange.
New National Network Requirements
The timing of the RFI is notable given Carequality’s May 2025 release of Version 3.0 of its Framework Policies. Those policies introduced several new requirements for data exchange, including credentialing for treatment purposes, consumer app identity verification at NIST IAL2/AAL2, mandatory delegation notices, and detailed directory metadata obligations.
As discussed in my prior post from May 2025, these requirements go beyond HIPAA’s baseline. For example:
- Credentialing: HIPAA permits disclosures to any health care provider for treatment purposes without requiring proof of licensure. Carequality now requires such proof before queries will be honored.
- Patient Requests: HIPAA requires “reasonable verification” of a patient’s identity, but Carequality demands third-party credential service providers and demographic tokens.
- Delegation: HIPAA business associate arrangements do not require central directory declarations, but Carequality insists on them.
Each of these measures arguably strengthens accountability and security, but they also increase administrative burden. For HINs and HIEs already struggling with TEFCA onboarding, the additional procedural layers may make participation less attractive.
From an information blocking perspective, the problem is magnified: a practice tolerated under TEFCA’s exception may be judged an interference if imposed solely within Carequality’s framework. The result is an unstable regulatory environment in which similar rules are lawful in one context and potentially unlawful in another.
The Double Standard Problem
This is where the TEFCA exception’s paradox becomes most apparent. Under the exception, a TEFCA participant who imposes credentialing checks or rejects queries lacking standardized metadata may be shielded from information blocking liability. But if a Carequality participant imposes those same requirements outside of TEFCA, it may risk allegations of interference.
The RFI squarely raises this issue by asking whether the exception hinders participation. Some stakeholders argue that the exception creates pressure to join TEFCA, because only inside TEFCA are such practices protected. Others contend that the exception is necessary to legitimize TEFCA’s rules, and that eliminating it would deter participation.
From another perspective, the more troubling concern is fairness. How can the same conduct be both lawful and unlawful depending on which governance framework applies? HINs and HIEs are already subject to the “knows or should know” standard under 45 C.F.R. § 171.103(a)(1), making them vulnerable to enforcement if their practices are second-guessed outside of TEFCA.
Therefore, without greater clarity, this double standard may chill innovation and deter smaller networks from participating in either framework.
Payer Access & Misaligned Timelines
The RFI also comes at a critical juncture for payers. CMS continues to enforce deadlines for Patient Access API and Provider Directory API requirements under its interoperability rules. Payers must allow patients to access their health data via third-party apps, regardless of whether TEFCA or Carequality governs the exchange.
This creates a misalignment. Payers are legally required to support patient-directed exchange under CMS rules, but the technical and procedural infrastructure of TEFCA and Carequality does not always align with those obligations. For example, payer access often hinges on standardized APIs, while TEFCA and Carequality emphasize network governance and policy assertions. As a result, payers may face conflicting demands: align with TEFCA and its exception, comply with Carequality’s new requirements, and simultaneously meet CMS API enforcement deadlines. Each framework has its own definition of reasonableness, but payers must satisfy them all.
Participation Hurdles Higher Than HIPAA
Both TEFCA and Carequality exemplify a larger trend: governance frameworks imposing requirements stricter than HIPAA. HIPAA’s Privacy Rule permits disclosures for treatment, payment, and operations with minimal formalities. But under TEFCA and Carequality, those same disclosures may require credentials, attestations, and metadata.
This raises the metaphorical hurdle. Participants now must clear not only HIPAA’s baseline, but also additional procedural requirements. While many of these requirements may be justified by security, transparency, or patient empowerment goals, they create operational and compliance challenges that smaller organizations may not be able to surmount.
For some, the hurdle is worth the effort, as participation in TEFCA or Carequality signals leadership in interoperability. For others, the hurdle is a deterrent, prompting a wait-and-see approach.
Legal & Policy Implications
The RFI forces stakeholders to confront several legal and policy questions:
➔ Should the TEFCA exception continue to exist? If eliminated, TEFCA participants may face greater information blocking exposure. If retained, non-TEFCA networks may view it as unfair.
➔ How should overlapping frameworks be reconciled? Carequality, TEFCA, and CMS all impose different rules on data exchange. Without alignment, organizations will struggle with inconsistent obligations.
➔ What role should federal enforcement play? OCR, OIG, and CMS each have overlapping authority. How they interpret and apply the exception will determine whether networks feel safe adopting stringent requirements.
➔ Does the exception advance or hinder nationwide interoperability? Proponents argue it accelerates TEFCA adoption. Critics warn it creates double standards that alienate non-participants.
Looking Ahead
Public comments on the RFI are due June 16, 2025, leaving stakeholders one week to weigh in. Large EHR vendors and QHINs may support retaining the exception as essential to TEFCA’s viability. Smaller HIEs and regional networks may argue that it creates inequities and undermines alternative exchange models. Payers may call for greater harmonization with CMS rules, while privacy advocates may focus on patient protections.
What is clear is that the decision will shape the future of interoperability. If the TEFCA exception is retained, TEFCA will enjoy a competitive advantage, but at the risk of deepening the divide with other frameworks. If eliminated, TEFCA may lose some of its appeal, but the regulatory playing field may become more even.
Either way, stakeholders must prepare for change. The release of the RFI signals that HHS is willing to revisit assumptions and recalibrate its policies. For organizations navigating this space, the key will be to monitor developments closely, engage in the comment process, and reassess compliance strategies.
Whether the TEFCA exception hinders or helps participation will ultimately depend on how HHS responds to stakeholder feedback and reconciles overlapping frameworks. Until then, health systems, payers, HIEs, and vendors must operate in a fragmented environment where the same practice may be deemed reasonable in one network and questionable in another. The stakes are high, and the outcome will shape the trajectory of interoperability for years to come.
