HHS Data Plan Aims to ‘Make Health Technology Great Again’

Voluntary Effort Calls for Standards, Empowering Patients, But What About Privacy?

Marianne Kolbasuk McGee (HealthInfoSec) •
July 31, 2025    

See Also: Post-Quantum Cryptography – A Fundamental Pillar in the Future of Cybersecurity [ES]

Dubbed the “Make Health Technology Great Again” plan, the effort is being spearheaded by the U.S. Department of Health and Human Services and its Centers for Medicare and Medicaid Services.

The plan centers on promoting voluntary industry stakeholder compliance with a CMS Interoperability Framework, “an open, standards-based” infrastructure for secure health information exchange. It also promotes the development and use of various third-party patient apps – including “conversational AI assistants” – to help patients glean more personalized insights when accessing their relevant health information to make better decisions about their health.

“This will easily allow a patient to transmit records from one doctor to another doctor, no matter what system they use. The standards will also make it easier for patients to access their own personal health records,” President Donald Trump said during a White House event on Wednesday announcing the initiative.

The effort will not involve a centralized database run by the government, Trump said.

Rather, CMS intends to work with industry players and health sector stakeholders who voluntarily pledge to create a more “patient-centric” ecosystem that “kills the clipboard” – the industry’s still heavily reliance on paper forms and faxes to collect and exchange health data.

So far, more than 60 companies support the effort, including tech giants such as Apple and Google, insurers such as UnitedHealth Group and CVS’s Aetna, app developers such as Citizen Health and Microsoft AI, and healthcare delivery networks such as Intermountain Health and Cleveland Clinic. These companies are pledging to begin “delivering results” in by rolling out new capabilities for patients in the first quarter of 2026, HHS said.

That includes enabling patients to retrieve their health records from a “CMS aligned network” or personal health record apps and share them with healthcare providers using QR codes, smart health cards or links supporting Fast Healthcare Interoperability Resources, or FHIR, which was created years ago by Health Level Seven International for exchanging healthcare information electronically.

The “kill the clipboard” capability would help patients avoid having to repeatedly write out their medical history on forms when visiting a new healthcare provider, for example, HHS said.

As part of the plan, HHS said digital credentials for both patients and providers will use “a CMS-approved service for IAL2 or equivalent, for example mDLs – and AAL2 passkeys.” IAL2 is Identity Assurance Level 2, mDL is mobile driver’s license and AAL2 is Authentication Assurance Level 2.

Utah-based Intermountain Health in a statement to Information Security Media Group said it is “fully supportive” of CMS’ initiative to make healthcare data “truly” interoperable. “This effort will greatly benefit patients by allowing healthcare providers to seamlessly share information and coordinate care delivery,” said Dan Liljenquist, chief strategy officer at Intermountain Health in the statement.

Deven McGraw, chief regulatory and privacy officer at Citizen Health, which provides apps and services to help patients gain access to their health information, said her firm would not have agreed to participate in the CMS effort if it meant HHS had access to patient health information in Citizen Health.

“Citizen Health commits to our users that no third-party will have access to their medical records without their consent, and our participation in this CMS effort does not undermine or conflict with that commitment,” she said.

“I don’t see any new privacy and security concerns that are introduced by this effort, at least as far as our participation as a patient app is concerned,” she said. “What CMS is doing is trying to escalate exchange of health information consistent with HIPAA and other privacy laws,” said McGraw, who is a former HHS Office of the National Coordinator for Health IT and Office for Civil Rights official under the second Obama administration and first Trump administration.

Regulatory Déjà Vu?

For certain, secure nationwide health data exchange among healthcare providers and easier patient access to their medical records have been an aim of HHS for over two decades and under several presidential administrations.

That ambition was first spotlighted in a major way by President George W. Bush in 2004 when he set a goal for “most” Americans to have an electronic health record within 10 years.

Bush’s early vision was then essentially codified by the HITECH Act of 2009, which was signed into law by President Barak Obama, propelling the adoption of EHRs by hospitals and doctor practices through billions of dollars of financial incentives from CMS.

Since then, Congress in 2016 passed the 21st Century Cures Act, which also supports programs for improving patient care coordination through interoperable secure health data exchange.

Under the Cures Act, HHS in 2018 launched the Trusted Exchange Framework and Common Agreement, or TEFCA, a governance framework to promote secure, interoperable nationwide health information exchange (see: HHS Issues Trusted Health Data Exchange Governance Framework).

Over the years, patient access to their digital health records has improved through patients portals and mobile apps, but hurdles still remain. Also, many healthcare entities are also still heavily reliant on faxes and paper records to retrieve patient information from external sources such as non-affiliated medical providers (see: Patients Still Struggle With Full Access to Health Info).

CMS did not immediately respond to ISMG’s request for additional details about its interoperability framework and other plans under the “Make Health Tech Great Again” initiative. That includes requested clarification on how the new CMS Interoperability Framework compares and contrasts with HHS’ longstanding TEFCA and other related efforts.

Some experts said the CMS plan appears to build upon long-established principles from HITECH, the 21st Century Cures Act and various HHS Office of the National Coordinator for Health IT-led initiatives.

“It leverages existing standards and frameworks such as FHIR, USCDI v3 and the Da Vinci use cases, aligning them with CMS policy levers across Medicare, Medicaid and Affordable Care Marketplace programs,” said Rob Havasy, senior director for informatics strategy at the Healthcare Information Management and Systems Society.

“From the HIMSS perspective, this initiative represents a focused effort to scale what already exists. It’s a reaffirmation of foundational interoperability strategies, now reinforced by voluntary alignment and forward-looking components like digital identity and AI readiness,” he said.

Privacy, Security Worries

All of the proposals of the new plan would comply with HIPAA privacy and security requirements, HHS said.

Nonetheless, the HHS initiative raises a host of potential privacy and security concerns, some experts said.

“People need to think carefully about who they are sharing their information with and how it will be used,” said privacy attorney Andrew Crawford of the Center for Democracy and Technology.

“HIPAA and its Privacy Rule do not prevent the sharing of health information by non-covered entities and some elements of the plan encourage folks to share their health information with those companies,” he said.

“I worry that without robust privacy protections, peoples’ health information will be collected, used and shared by non-covered entities beyond what is necessary to provide the product or service a person has requested,” he said.

CMS’ plans around secure digital identity credentials – enabled by passkeys and other robust mechanisms – are a step in the right direction for protecting patient data and improving access, said attorney Lee Kim, senior principal of cybersecurity and privacy at HIMSS, a global professional health IT representing hundreds of organizations.

“However, providers may face significant challenges with identity proofing. The growing use of deepfakes only adds to the difficulty of verifying identities with high assurance, in addition to concerns such as identity theft and fraud,” she said.

Further, CMS’s plan to allow patients use QR codes for check in and health data sharing introduces another risk, she said.

“QR code phishing – also called quishing – has been a growing problem over the past few years, with fraudulent codes used to trick people into revealing sensitive information,” she said. “To make this work, CMS and its partners will need safeguards like digitally signed, time-limited QR codes and strong patient education so these tools remain a convenience, not a vulnerability.”