Part 1: The Problem with System Fragmentation in Healthcare and Security Concerns
Co-authored by Lorianne Maria Sainsbury-Wong, Esq., CISSP, CIPP/US, CHPC and Joanne Byron, BS, LPN, CCA, CHA, CHCO, CHBS, CHCM, CIFHA, CMDP, COCAS, CORCM, OHCC, ICDCT-CM/PCS
The CMS Interoperability Framework is a call to action for health data networks that want to make what should already work actually work—by voluntarily meeting the CMS Interoperability Framework criteria to be designated as a CMS-Aligned Network.
This is a voluntary blueprint for modern health data exchange that puts patients and providers first. It is open, standards-based, and market-friendly so that the industry can stop theoretical debates and start delivering real results. CMS is offering shared infrastructure and clearly defined criteria for 2026.
The CMS Interoperability Framework doesn't mean centralizing all medical record data in a single location in the US. CMS is aligning networks to allow different types of health data sources, including health information networks, exchanges and other health technology platforms, to align with CMS goals for interoperability. The focus is on making it easier for different healthcare systems and applications to share and exchange medical information securely and efficiently. Here's what that means in simpler terms:
Think of it like different computer programs speaking the same language.
Currently, many healthcare systems use different formats and ways of organizing data. The CMS Interoperability Framework aims to establish common standards, especially using FHIR APIs, so that systems can understand and exchange information smoothly, regardless of where the data is stored.
- A FHIR (Fast Healthcare Interoperability Resources) API is a standardized interface for exchanging health information between different healthcare systems using modern, web-based principles.
- It acts as a shared "menu" that allows different software applications and platforms to "speak the same language," enabling them to request, retrieve, and share data like patient records, lab results, and other administrative or clinical information in a consistent format (JSON or XML).
It empowers patients and providers with access to medical information.
- The framework promotes patient access to their health records through apps of their choice and makes it easier for providers to access the full patient history at the point of care.
It's a roadmap and a call to action, not a central database.
- CMS is encouraging healthcare organizations, including networks, EHR systems, providers, and payers, to adopt common standards for data exchange, improving overall data sharing across the fragmented healthcare landscape.
It emphasizes data availability and standards, but it doesn't create a national repository.
- The focus is on making it easier to share data between existing systems and promoting the use of standards like FHIR APIs and USCDI (United States Core Data for Interoperability).
So, instead of physically pulling all medical records into one place, the CMS Interoperability Framework is about creating a more connected system that allows patient data to flow securely between different locations and organizations, ultimately benefiting patient care and efficiency.
CMS Interoperability and the Risks of Sharing Patient Data with Big Tech Companies
The Centers for Medicare & Medicaid Services (CMS) has launched an ambitious Health Technology Ecosystem initiative aimed at creating a public-private partnership that facilitates seamless data exchange among patients, providers, and payers. As stated on the CMS website, “Making Health Tech Great Again” is a bold step toward modernizing our digital health ecosystem.
While details and operational aspects are still being finalized, partnerships have been publicly announced with major tech companies like Amazon, Apple, Google, Microsoft AI, OpenAI, and others, which signal a transformative shift in how healthcare data is accessed and shared. On July 30, 2025, CMS.gov posted a press release, “White House, Tech Leaders Commit to Create Patient-Centric Healthcare Ecosystem,” which states: “More than 60 companies pledged to work collaboratively to deliver results for the American people in the first quarter of 2026. Twenty-one networks pledged to meet the CMS Interoperability Framework criteria to become CMS Aligned Networks. Eleven health systems or providers committed to participate and support patient use, and seven EHRs committed to facilitate data exchange and help ‘kill the clipboard.’” At the same time, these collaborations also raise critical questions about data privacy, security, and governance.
Should we be concerned?
The CMS Health Tech Ecosystem initiative is overseen by the CMS Senior Advisor for Technology and supported by senior officials at the Department of Health and Human Services (HHS). Its mission is to promote a secure patient-centered digital healthcare system that would allow for ease of distribution, exchange, portability, and use of electronic health information. Fundamentally, this initiative seeks to improve patient access and enhance the efficiency of the healthcare industry. Its aim is to connect healthcare data sets that are currently siloed across disparate systems so that patients, providers, and healthcare payers will have reliable access to electronic medical records through a voluntary alignment. However, what lessons can be learned from the Change Healthcare breach?
Security Risks and Lessons Learned from the Change Healthcare Breach
A significant reminder of the vulnerabilities in extensive healthcare data systems is the February 2024 ransomware attack on Change Healthcare. Threat actors exploited the business associate’s lack of multifactor authentication, gaining unauthorized remote access via stolen credentials. Insufficient third-party vendor security postures create both upstream and downstream vulnerabilities across the healthcare ecosystem.
In the Change Healthcare breach, inadequate security controls resulted in widespread disruptions, including delays in medical treatments and prescriptions, stalled claims processing and reimbursements, and fragmented financial and operational access and delivery. These events underscore the need for comprehensive data governance, continuous security monitoring, and resilient infrastructure to safeguard protected health information (PHI). Most importantly, the lessons learned highlight the criticality of data confidentiality, integrity, and availability to ensure trust and continuity in patient care.
Along those lines, it is worthwhile to act as informed advocates and to ask mission-aligned questions, such as:
- What minimum security standards must CMS’s third-party vendors and data brokers meet to safeguard data?
- How is patient transparency ensured, and how is informed consent managed across diverse platforms?
- Who holds accountability for data misuse or breaches, and what oversight mechanisms are in place to ensure compliance?
Conclusion
CMS's initiative for a more connected and patient-centered healthcare system offers significant benefits. But the public/private voluntary alignment must be grounded in data governance, responsible management of sensitive information, and a foundation of trust, transparency, and robust security—particularly in an innovative landscape shaped by public/private partnerships.
Please watch for Part 2: Interoperability and System Fragmentation in Healthcare: Communication, Compliance, and Strategies for Successful Integration, written by Dr. Stacey R. Atkins, PhD, MSW, LSW, CPC, CIGE.
About the Authors
Lorianne Maria Sainsbury-Wong, Esq., CISSP, CIPP/US, CHPC, is a member of the AIHC Volunteer Education Committee. Joanne Byron, BS, LPN, CCA, CHA, CHCO, CHBS, CHCM, CIFHA, CMDP, COCAS, CORCM, OHCC, ICDCT-CM/PCS, is the Chief Executive Officer at the American Institute of Healthcare Compliance.
References
- ASTP HealthIT.gov https://www.healthit.gov/topic/standards-technology/standards/fhir
- CMS https://www.cms.gov/health-technology-ecosystem/interoperability-framework
- CMS Health Tech Ecosystem Categories https://www.cms.gov/health-technology-ecosystem/categories
- CMS Health Tech Ecosystem – Making Health Tech Great Again https://www.cms.gov/priorities/health-technology-ecosystem/overview
- Wolters Kluwer https://www.wolterskluwer.com/en/solutions/health-language/data-quality