CMS Announces Creation of Health Tech Ecosystem for Improving Access to Patient Data

During a “Make Health Tech Great Again” event on July 30, 2025 at the White House, the Centers for Medicare & Medicaid Services (CMS) announced its intent to create a digital health ecosystem, in partnership with private industry, to improve patient outcomes, reduce provider burden, and drive value by making it easier to access and share patient data.

Specifically, CMS aims to enable a connected ecosystem where:

The announcement calls on the healthcare industry to voluntarily align around a shared framework for data and access (the Framework), and to increase the availability of personalized tools so patients have the information and resources they need to make better health decisions.

This initiative builds on a May 2025 request for information issued jointly by CMS and the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) to solicit suggestions from stakeholders on ways to modernize the nation’s digital health ecosystem. Several early adopters have already pledged to meet the goals of the Framework by the first quarter of 2026, including some of the country’s largest payers, data networks, health systems and providers, and patient-facing app developers.

Since 2004, the U.S. Department of Health and Human Services (HHS) has been working to promote nationwide, interoperable health information exchange, with the goals of ensuring appropriate information is available to guide medical decisions; improving healthcare quality and reducing medical errors; reducing healthcare costs; promoting a more effective marketplace and greater competition; improving coordination of care; and ensuring patients’ individually identifiable health information is secure and protected.

Since 2010, there have been efforts for health information technology to be used to empower consumers. However, despite two decades of work, there are still significant limits to accessing electronic health information that meets these objectives. 

As technology has advanced, so has the ability to share information in a secure way that meets the needs and expectations of patients. This announcement and the commitments of a diverse set of actors, with a focus on identity management, and consent is an important step toward meeting these goals. It will be important to follow HHS policy and regulations, as well as industry action, as CMS and early adopters shape these advances and healthcare organizations and technology companies look to leverage these developments to benefit healthcare delivery and patients. 

Key Highlights of the CMS Announcement

• At this time, participation in the digital health ecosystem and compliance with the Framework is voluntary.
• This Framework leaves a lot of room for clarification, and we would expect CMS and ASTP/ONC to continue to develop policy and flesh out the details over the next year.
• Early adopters, in the enumerated participant categories below, pledge to collaboratively meet and aim to showcase the Framework objectives in the first quarter of 2026:
  • CMS Aligned Networks
  • Providers connecting to CMS Aligned Networks
  • Electronic health records (EHRs) connecting to CMS Aligned Networks
  • Payers connecting to CMS Aligned Networks
  • Patient-facing apps leveraging CMS Aligned Networks
• Early adopters have been invited to collaborate with CMS to document and publish implementation guidelines, where objectives are visionary and less mature.
• CMS plans to highlight participants through various channels (e.g., Medicare.gov, a to-be-created CMS National Provider Directory).
• The Framework is not intended to contravene, supersede, or preempt federal or state healthcare or privacy laws, such as the Health Insurance Portability and Accountability Act of 1996 Privacy, Security, and Breach Notification Rules (HIPAA Rules), and the Privacy Act of 1974.

The CMS Interoperability Framework

The Framework, as outlined on the CMS website, is a voluntary blueprint for modern health data exchange that seeks to remove roadblocks to data access, sharing, and transparency. The Framework has two parts: the criteria that define data sharing principles and the different categories of participants, such as networks, EHRs, healthcare providers, payers, and digital health products, and the criteria that each must meet. 

CMS acknowledges that the criteria outlined in the current version of the Framework is visionary. Importantly, where needed, the group of early adopters will have the opportunity to collaborate with CMS to determine further technical specification or implementation guides. 

Below, we have outlined the Framework criteria and provided our view for each category.

I.     Patient Access & Empowerment

Patients will be allowed to use applications of their choice to access their electronic medical information (including claims, explanations of benefits (EOBs), prior authorizations, and clinical data) anywhere it lives on the network. Patients will be able to use a digital identity credential through a CMS-approved service for Identity Assurance Level 2 (IAL2) or equivalent (e.g., mobile driver’s license (mDL)) and Authentication Assurance Level 2 (AAL2) (e.g., passkeys) to access their electronic medical information without additional interactions, such as needing to navigate additional portal accounts or enter provider-specific information. Importantly, patient consent preferences, including a patient’s right to request restrictions on disclosures of their information for certain purposes, must be shared with all involved parties. Last, the network will provide an accounting record of all network-facilitated transactions, including for treatment (e.g., who accessed a patient’s data, when, and why).

Our view: The federal government has been trying to promote access to patient data through a number of regulatory channels for decades. Even with the push for patient access application programming interfaces (APIs), patients face challenges in accessing all of their health data, and often need to validate their identity for each healthcare organization that maintains their health data. CMS is adding to the scope of what information would be available to patients through the Framework, including payment-related activities, such as EOBs; appears to be attempting to reduce friction through the use of a digital identity credentials; and seems to be attempting to empower patients through the sharing of patient consent preferences and providing information about how their data is being accessed through the sharing of patient consent preferences and the accounting record of network-facilitated transactions.

II.     Provider Access & Delegation

Providers will have full access to a patient’s electronic medical information (except where restricted by law) if they i) use an identity-verified credential, ii) are validated as an active provider in the CMS National Provider Directory, and iii) attest that the request is for treatment purposes. Providers may use any application or delegated technology vendor/partner of their choice to execute transactions in the network, and such delegated actions will be treated as equivalent to direct provider actions by business associates under HIPAA. Additionally, payers and other value-based care organizations may query for specific quality data elements (e.g., mammograms, blood pressure, depression screening) necessary for payment or healthcare operations, and payers can query for relevant data tied to a claim submitted in the last 60 days and receive clinical data for that encounter.

Our view: CMS seems to be attempting to remove roadblocks and streamline access to data for providers, payors, and delegated partners. They are also requiring that providers are validated in a national provider directory, something CMS has been trying to address for many years. While some of these initiatives existed previously, many health information exchange efforts have been limited to information requests for treatment purposes by providers. These criteria are driving toward exchange for expanded purposes and by more types of entities, including payers and value-based organizations for payment and healthcare operations purposes under HIPAA.

III.     Data Availability & Standards Compliance

Chart notes and clinical documents (including radiology reports, scanned/faxed labs, and external specialist notes) must be returned in machine and human-readable formats (PDF, JPG, TIF) as specified in United States Core Data for Interoperability, Version 3 (USCDI v3), network queries must have a timely response (and should be fulfilled in real-time, when feasible) using IAL2 credentials to support identity matching, and patient appointment and encounter details may be shared in accordance with existing law.

Additionally, by July 4, 2026, networks must provide or facilitate access to data using Fast Healthcare Interoperability Resources (FHIR) APIs and implement a record locator service that can be initiated by patients, providers, and value-based organizations.

Our view: These criteria would increase the amount of data that is available today and the timeliness of responses to queries for electronic health information. Note the July 4, 2026, deadline—early adopter networks have less than a year to provide or facilitate access to FHIR APIs and implement a record locator service.

IV.     Network Connectivity & Transparency

Networks must agree to be recognized as a CMS Aligned Network in the CMS National Provider Directory. Networks must also agree to publish membership information (e.g., NPI level participants, relevant endpoints and other interconnected networks) in the CMS National Provider Directory in the format and cadence determined by CMS and update the directory as new information is discovered about providers (e.g., contact details, license information). Networks must provide metrics on network queries, as well as usage statistics, to share in the CMS National Provider Directory. Furthermore, networks must support standards-based inter-network connectivity, including the ability to query/respond across federated networks using widely accepted query formats and protocols, and support searching network-wide for all records of a patient or only a subset using a targeted query (e.g., records in a certain state or from a specific NPI).

Our view: The intent here appears to be to use the CMS National Provider Directory as a one-stop shop for transparent information about networks, providers, and usage and improve the quality of data in a national provider directory. Additionally, CMS makes it clear that data should be accessible and searchable across networks. We note there is no mention of Trusted Exchange Framework and Common Agreement (TEFCA), but the Qualified Health Information Networks are early adopters of the Framework.

V.     Identity, Security & Trust

Networks must accept digital credentials for both patients and providers that are IAL2 or equivalent using a CMS-approved service to streamline access to data. Additionally, all network queries must include the purpose for the request (e.g., individual access, treatment, payment, or healthcare operations) under HIPAA to ensure disclosures are lawful, and networks must enforce requisite access control and consent policies appropriate to the data access context. Networks must also provide verifiable logs or audit records for identity/authorization requests and responses for independent review. Last, networks must maintain HITRUST certification or equivalent security validation as approved by CMS.

Our view: CMS appears to be focusing on identity management to make it easier to validate users and ultimately streamline access to different types of data. CMS is also building on quality and access controls, including the challenge of ensuring proper consent policies are implemented to protect patients’ rights. Operationalizing these goals across all participating networks will be challenging and will test compliance with privacy protections.

Health Tech Ecosystem Categories

As part of the announcement, CMS also released a list of the different categories of healthcare industry partners who are invited to participate in the digital health ecosystem and identified the following specific ways each partner category should voluntarily align with the CMS Interoperability Framework:

I.     CMS Aligned Networks

Designated CMS Aligned Networks are health information networks and exchanges and other health technology platforms that voluntarily commit to aligning with CMS goals for interoperability. CMS Aligned Networks must:

• implement Framework criteria, including clinical and claims data as appropriate;
• respond to patient, provider, and when appropriate, payer requests following the Framework; and
• self-attest to meet the interoperability criteria and agree to be reviewed if suspected to not be meeting the criteria.

II.     EHR & Providers

Participating EHRs and providers must commit to making complete, timely patient data available, including both structured data and real-world clinical documentation and encounter signals. Specifically, participating EHRs must:

• make electronic medical information accessible to CMS Aligned Networks, including structured data (via FHIR) and unstructured clinical documents (e.g., PDFs, JPGs, TIFs) as part of the patient record, and
• provide appointment and encounter notifications to those who are subscribed to specific patient records within 24 hours of occurrence.

Participating providers must:

• join CMS Aligned Networks to ensure electronic medical information is available and discoverable across care settings;
• support patient-centered workflows that enable real-time access to electronic medical information across systems—both for treatment and patient use; and
• make electronic medical information accessible to CMS Aligned Networks, including structured data (via FHIR) and unstructured clinical documents (e.g., PDFs, JPGs, TIFs) as part of the patient record.

III.     Payers

Participating payers must join or create a CMS Aligned Network and:

• make claims data accessible to CMS Aligned Networks in alignment with Patient Access and Provider Access API standards;
• respond to patient, provider and payer requests, and
• implement Framework criteria.

IV.     Patient Facing Apps

Participating patient facing apps must:

• support data exchange with patient identity verification via an intermediary personal health record application or using a CMS-approved service for IAL2 or equivalent (e.g., mDLs) and AAL2 (e.g., passkeys) to generate digital credentials that can be used to access health records from CMS Aligned Networks; participating EHRs must similarly support such exchange and may not require portal credentials or additional account setup to accept or return data when patient’s identity is verified using a CMS-approved service;
• offer Medicare beneficiaries a way to be notified of communications from Medicare.gov (e.g., notices, EOBs, fraud alerts);
• participate in CMS review, including disclosure of data sources, terms/agreements, and a basic security checklist;
• offer trial access for Medicare patients if the app charges a fee;
• participate in the “CMS discovery experience” by allowing their app to be presented as a recommended option to eligible beneficiaries (e.g., through an app store on Medicare.gov); and
• operate in a manner consistent with the HIPAA Rules (as applicable).

Additionally, participating patient facing apps must meet one of the following use cases along with respective enumerated criteria—implementation guidelines to be published for “less mature” criteria:

• Kill the Clipboard: eliminate manual check-in forms and fragmented data collection by enabling patients to share their verified health and identity information directly with providers at the point of care—and receive their visit record back—using modern digital tools built on FHIR. 
• Conversational AI Assistants: use artificial intelligence-powered assistants to deliver personalized, context-aware guidance to patients by securely accessing and interpreting their medical history in real time, including symptom checking, care planning, coordination, and chronic disease support, with appropriate disclaimers.
• Diabetes & Obesity Prevention and Management: provide tailored, data-driven support to individuals at risk for or living with diabetes and obesity, powered by direct access to clinical data from trusted networks.