
Regulatory

Re: CMS-0042-NC – Request for Information; Health Technology Ecosystem


Jun 18, 2025

Dear Administrator Oz,

At HTD Health, we appreciate the opportunity to comment on CMS-0042-NC, the Request for Information; Health Technology Ecosystem. As a strategic consultancy and provider of digital engineering services exclusively focused on healthcare, we hope our opinions shared here are valuable. For over a decade, we have had a particular focus on the provider and payer communities as well as the digital products and infrastructure serving them, and in doing so, we have seen the full spectrum of dynamics impacting care delivery, payment, and care operations. Our perspective is informed not only by exposure to and expertise in cutting-edge technology but also by the mundane but critical issues that define our healthcare system and the day-to-day realities facing healthcare professionals today.


Fraud, friction, and trust

The false choice between security and access

It is a well-known secret that fraud, waste, and abuse (FWA) are a major focus of this administration.

Fraud involves intentional deception or misrepresentation to gain an unauthorized benefit. This includes falsifying documents, billing for services not provided, identity theft, or making false statements to obtain money, property, or services. Fraud requires deliberate intent to deceive.

Waste refers to the careless, inefficient, or unnecessary use of resources that doesn’t involve criminal intent. Examples include purchasing excessive supplies, poor planning leading to project overruns, using premium services when standard ones would suffice, or maintaining redundant systems. Waste stems from mismanagement rather than malice.

Abuse involves practices that are inconsistent with sound business or medical practices, resulting in unnecessary costs or reimbursements. While not necessarily fraudulent, abuse goes against accepted standards. This includes ordering excessive tests, providing services that don’t meet professional standards, or misusing positions of authority for personal gain.

The boundaries between them often blur. What starts as waste due to poor oversight can evolve into abuse when someone realizes they can exploit the lack of controls. Abuse can escalate to fraud when someone begins actively concealing their actions or falsifying records to continue the behavior.

They share common root causes, including inadequate internal controls, lack of accountability, insufficient training, and cultures that don’t prioritize ethical behavior. A system vulnerable to one is typically vulnerable to all three.

From an organizational perspective, this can create compounding effects. Waste creates environments where abuse can flourish unnoticed. Abuse normalizes inappropriate behavior, making fraud seem less serious. Together, fraud, waste, and abuse create significant financial losses, damage public trust, and divert resources from legitimate purposes.

While FWA can be politicized and weaponized like any topic, it does seem opportune as a focus given the challenges we’ve seen as an industry:

  • The attacks on Change Healthcare last year, a form of fraud
  • The widespread abuse (and perhaps even fraud) by actors who inappropriately access health information by posing as providers and provider organizations
  • The waste of organization-to-organization interactions that are still manual, non-digital processes
  • The rise of direct patient fraud through identity theft to receive healthcare services and information
  • The stories of ghost networks creating provider and patient administrative waste
  • A national provider directory (NPPES) riddled with law firms, pharmaceutical companies, and AI health coaches, leading to fraud, waste, and abuse

We support CMS and others who are working to build a national, coordinated, digital healthcare system that serves patients, providers, payers, and all stakeholders. Though our collective efforts are creating a national organization of sorts, no modern organization would ever operate like we do, allowing anyone to create a “user account” with privileged access without appropriate checks. Luckily for us, much ink has been spilled already on the tactics of combating organizational fraud, waste, and abuse—we need only apply them at a national scale, and specifically within the context of our clinical informatics and health data exchange infrastructure.

Fraud and abuse funnel to the weakest point in the system, wherever there is the least friction. Creating friction through process is the easiest path to reducing fraud—more forms, more phone calls, more time. The tradeoff, however, is waste! We create systems of slow onboarding, painful audits, and top-down policing. In doing so, we create strong incentives for users to pursue workarounds, with far more risk of fraud and abuse. Building a moat and walls around our national organization is a broken, and demonstrably ineffective, pursuit. Zero-trust security architectures in modern enterprises exist for this reason. The answer is no longer higher walls and a single check as you enter the gate, but continuous and easy verification at every interaction, making fraud technically impossible rather than merely difficult.

With that said, we believe we can have our cake and eat it, too. Rather than bias towards friction, a foundation of trust allows us to shift the entire fraud-friction function upward.

Trust is built through transparency enabled by technology. In such a system, bad actors cannot hide in the shadows of manual processes, while good actors move freely through automated verification highways. The same technologies that make patient data instantly accessible to authorized providers make it impossible for unauthorized actors to pose as legitimate ones. Instead of gatekeepers asking “can we trust you?”, the system already knows—making access instantaneous for the verified and impossible for the fraudulent.

Some worry that FWA initiatives are merely pretexts for cutting access to care, particularly for vulnerable populations; this represents old thinking trapped in the friction paradigm. When fraud prevention means more hoops to jump through, then yes, fighting fraud hurts patients. The populations most vulnerable to administrative barriers—those with limited English proficiency, unstable housing, or cognitive impairments—are the same ones most dependent on Medicaid, who may be restricted from accessing care by administrative hurdles.

Technology fundamentally changes this dynamic: when a homeless patient’s identity can be verified through biometrics rather than utility bills, when a rural clinic can credential providers instantly rather than waiting months, when prior authorization happens automatically based on evidence-based protocols, we get to have our cake of strict controls preventing FWA and eat our better care outcomes too. At HTD, we believe that technology is never the goal, only a tool in pursuit of some other goal of a more profound nature. We can demand and aspire to a system that costs less in total and delivers better results for the participants within it. Thoughtful application of technology and process to our healthcare data access systems will be a huge step forward.

The CMS and other HHS agencies at this exact moment, at this exact time, have the focus, energy, and mandate to orient the industry towards this outcome. They can set the industry on a path where minimizing fraud, waste, and abuse, and creating the conditions for patient care are one and the same.

There are many things CMS could work on and prioritize. The risk is that work will be wasted effort if built on quicksand. This risk can be mitigated by the bedrock of any trusted and transparent system: identity, knowing with certainty who is participating at every level.

Identity underpins everything: Which organization is actually submitting this claim? Is this provider truly licensed and credentialed? Is this patient really who they claim to be? Without reliable answers to these fundamental questions, every other innovation—from value-based care to price transparency to quality measures—becomes vulnerable to manipulation.

Today’s identity infrastructure is a patchwork of paper credentials, phone verifications, and database lookups that create friction for legitimate actors while remaining porous to determined fraudsters. A provider’s NPI can be stolen, a patient’s insurance card can be copied, and an organization’s credentials can be spoofed.

Imagine instead a national identity framework where every healthcare organization has a cryptographically secure digital identity, where every provider’s credentials are verified through federated systems and instantly portable, where every patient has privacy-preserving biometric verification.

With a strong digital identity as the foundation, every other reform becomes not just possible but natural. Prior authorizations can truly be automated because we know the provider is real. Claims can be paid instantly because we know the organization is legitimate. Patients can access their records seamlessly because we know they are who they say they are.

The foundation of digital identity

This section addresses:

  • PC-14 (Digital identity credentials for patients)
  • PR-9 (Providers accepting digital identity credentials)
  • PR-10 (Digital identity challenges and benefits for providers)
  • PA-3 (Payers accepting digital identity credentials)
  • TD-3 (Digital identity implementation challenges)

Tacking on digital identity haphazardly and inconsistently to the system, though, is a route fraught with peril and unintended consequences that could actually worsen the problems we’re trying to solve. Piecemeal implementation creates new attack surfaces—each poorly integrated identity system becomes another database to breach, another set of credentials to steal, another point of failure in an already fragile ecosystem.

The benefits, as we look at international systems like Aadhaar in India or the ID-card in Estonia, are astounding. India’s Aadhaar enables instant verification for over 550 million beneficiaries in their Ayushman Bharat health insurance plan—the world’s largest government healthcare program. Fraudulent claims plummeted by 85% in implementing states. Patients in rural Rajasthan can walk into any empaneled hospital and receive care without carrying paper documents or proving eligibility through a byzantine bureaucracy.

Estonia’s approach demonstrates what’s possible with a comprehensive digital infrastructure. Since 2008, 99% of Estonian prescriptions have been issued electronically. Every citizen has a digital ID that serves as their health record key. The system maintains complete audit logs—patients can see precisely who accessed their medical data and when.

The contrast with American healthcare is stark. We’re still debating whether to require basic two-factor authentication for systems containing sensitive health data. We accept provider directories full of bad data as normal. We treat patient matching across systems as an unsolvable problem.

Thus, digital identity must be built into healthcare’s foundation, not bolted on as an afterthought. The time for half-measures and iterative steps has passed. The core constructs of our healthcare system—our patients accessing care, our providers providing care—must be based on digital identity. This will have growing pains—it will demand tech literacy of populations that struggle with it today. But those are the next generation of problems we should be focused on, rather than continuing to wrestle with the prehistoric problems of “is this actually the patient’s record?” or “did this prescription really come from a licensed physician?”

So we see three building blocks to this outcome:

Know Your Business (KYB): Every healthcare organization must have a verified digital identity. CMS and state agencies should control organizational licensure and credentialing, creating a provider directory backed by a cryptographic organizational identity. No more phantom clinics billing Medicare. No more shell companies masquerading as legitimate providers. Every entity submitting claims or accessing patient data proves who they are through credentials that can’t be forged or stolen.

Know Your Provider (KYP): Employee fraud is a rapidly and exponentially growing factor in massive cyberattacks. Individual healthcare providers need portable digital credentials that travel with them across organizations. Providers should be able to digitally attest their organizational affiliations, or better yet, organizations can use providers’ digital credentials to verify employment and privileges. This creates bidirectional verification—providers can’t claim false affiliations, and organizations can’t list providers without their cryptographic consent. The ghost networks plaguing our system become technically impossible.

Know Your Customer (KYC): Patients are stuck proving their identity over and over at every provider, usually with easily-faked insurance cards and knowledge anyone could get from Google. Meanwhile, medical identity theft ruins credit scores and corrupts health records. We need patients to have portable digital credentials—verified once, trusted everywhere. Not another password to forget, but real identity verification that works whether you’re picking up a prescription, checking into an ER, or accessing your records from home. The same assurances that protect your bank account should protect your medical history.

Tactically, tangibly, here is how that can be accomplished:

  1. Cross-cutting requirements:
    • Set hard deadlines with teeth, such as loss of federal payment eligibility for non-compliance
    • Fund regional pilots in 2025 and a national rollout by 2027
    • Move to passwordless access to any system containing PHI by 2030
  2. For KYB, Organizational Identity:
    • Mandate that all Medicare participating organizations obtain NIST-compliant digital certificates by 2026
    • Create a single source of truth for healthcare organization identity, managed jointly by CMS and state licensure boards
    • Require cryptographic signing of all claims submissions
    • Make organization identity attestation a prerequisite for EHR certification and payer contracts
  3. For KYP, Provider Identity:
    • Issue digital credentials at the point of medical licensure that follow providers throughout their careers
    • Replace the current NPI system with cryptographically secure provider identities that can’t be stolen or spoofed
    • Enable providers to digitally sign prescriptions, referrals, and clinical notes with their portable credentials
    • Create provider-controlled affiliation management where they grant and revoke organizational access to their credentials
  4. For KYC, Patient Identity:
    • Establish identity proofing standards for patient portal account creation that match financial services requirements
    • Deploy biometric options at the point of care for patients who opt in, with non-biometric alternatives always available
    • Create portable patient credentials that work across any provider, payer, or pharmacy nationally
    • Build identity verification into TEFCA from day one, no health information exchange without knowing who’s asking
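The bidirectional KYP verification described above (a provider attests an affiliation, the organization countersigns it, a relying party accepts only records carrying both signatures, and the provider can revoke) as an added Go example; this is illustrative code, not part of this letter or of any CMS or TEFCA specification. It uses Ed25519 from the Go standard library, and the record format, identifiers, validity window and revocation set are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Affiliation is the statement both parties sign: a provider asserts membership in an
// organization for a bounded period. IDs are constructed placeholders, not real NPI values.
type Affiliation struct {
	ProviderID string    `json:"provider_id"`
	OrgID      string    `json:"org_id"`
	IssuedAt   time.Time `json:"issued_at"`
	ExpiresAt  time.Time `json:"expires_at"`
}

// SignedAffiliation is the directory record: the statement plus one signature from each
// side, so neither party can produce a valid listing alone.
type SignedAffiliation struct {
	Statement   Affiliation
	ProviderSig []byte
	OrgSig      []byte
}

// canonical serializes the statement deterministically so both signatures cover the same
// bytes (encoding/json keeps struct field order; times are emitted as RFC 3339).
func canonical(a Affiliation) []byte {
	b, _ := json.Marshal(a) // cannot fail for this fixed struct
	return b
}

// Attest runs on the provider's side: the portable credential signs the statement.
func Attest(a Affiliation, providerKey ed25519.PrivateKey) SignedAffiliation {
	return SignedAffiliation{Statement: a, ProviderSig: ed25519.Sign(providerKey, canonical(a))}
}

// Countersign runs on the organization's side; it refuses to list a provider whose consent
// signature does not verify against the public key on file for that provider.
func Countersign(s SignedAffiliation, providerPub ed25519.PublicKey, orgKey ed25519.PrivateKey) (SignedAffiliation, error) {
	if !ed25519.Verify(providerPub, canonical(s.Statement), s.ProviderSig) {
		return s, fmt.Errorf("provider %s did not consent; refusing to list", s.Statement.ProviderID)
	}
	s.OrgSig = ed25519.Sign(orgKey, canonical(s.Statement))
	return s, nil
}

// Verify runs at a relying party (directory, payer, HIE): both signatures must check out
// against trusted keys, the record must be inside its validity window and not revoked.
func Verify(s SignedAffiliation, providerPub, orgPub ed25519.PublicKey, revoked map[string]bool, now time.Time) error {
	msg := canonical(s.Statement)
	if !ed25519.Verify(providerPub, msg, s.ProviderSig) {
		return fmt.Errorf("provider did not consent to this affiliation")
	}
	if !ed25519.Verify(orgPub, msg, s.OrgSig) {
		return fmt.Errorf("organization did not confirm this affiliation")
	}
	if now.Before(s.Statement.IssuedAt) || !now.Before(s.Statement.ExpiresAt) {
		return fmt.Errorf("affiliation outside its validity window")
	}
	if revoked[s.Statement.ProviderID+"|"+s.Statement.OrgID] {
		return fmt.Errorf("provider has revoked this affiliation")
	}
	return nil
}

// Demo walks the lifecycle on freshly generated (constructed) identities and returns the
// outcome of each verification so the flow can be inspected and tested.
func Demo() (valid, ghostListing, falseClaim, afterRevoke error) {
	provPub, provKey, _ := ed25519.GenerateKey(rand.Reader)
	orgPub, orgKey, _ := ed25519.GenerateKey(rand.Reader)
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader) // a key neither party trusts
	now := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)
	a := Affiliation{ProviderID: "prov-example-001", OrgID: "org-example-clinic",
		IssuedAt: now, ExpiresAt: now.AddDate(1, 0, 0)}
	revoked := map[string]bool{}
	// Normal path: provider attests, organization countersigns, verifier accepts.
	signed, err := Countersign(Attest(a, provKey), provPub, orgKey)
	if err != nil {
		return err, nil, nil, nil
	}
	valid = Verify(signed, provPub, orgPub, revoked, now)
	// Ghost-network listing: the organization publishes a provider who never signed.
	ghost := SignedAffiliation{Statement: a, ProviderSig: ed25519.Sign(otherKey, canonical(a)),
		OrgSig: ed25519.Sign(orgKey, canonical(a))}
	ghostListing = Verify(ghost, provPub, orgPub, revoked, now)
	// False affiliation: the provider claims an organization that never countersigned.
	claimed := Attest(a, provKey)
	claimed.OrgSig = ed25519.Sign(otherKey, canonical(a))
	falseClaim = Verify(claimed, provPub, orgPub, revoked, now)
	// Provider-controlled revocation: the same record stops verifying immediately.
	revoked[a.ProviderID+"|"+a.OrgID] = true
	afterRevoke = Verify(signed, provPub, orgPub, revoked, now)
	return valid, ghostListing, falseClaim, afterRevoke
}

func main() {
	valid, ghost, claim, revoked := Demo()
	fmt.Printf("valid: %v\nghost listing: %v\nfalse claim: %v\nafter revoke: %v\n", valid, ghost, claim, revoked)
}
```

In a real deployment the public keys would come from the CMS- and state-managed organizational and provider directories the letter proposes, not from in-process key generation.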

The CMS should lead by example for these initiatives. Rather than mandating changes for the industry while maintaining legacy systems internally, CMS must be the first adopter of these standards and condition the use of its tools on organizations deploying those technologies more broadly. Every portal, every API, every access point that is hosted by the CMS is an opportunity to prove the advantages of the approach and scale the deployments.

  • Deploy a cryptographic organizational identity for all Medicare Administrative Contractors. Replace username/password authentication with digital certificates for MAC portal access.
  • Require the use of digital identity for quality measure submission and performance feedback access to the QPP/MIPS Portal.
  • Implement KYB for BCDA, DPC, and AB2D APIs. Organizations must authenticate with verified digital certificates to access claims data. Publish a technical implementation guide based on lessons learned.
  • Condition access to the BCDA, DPC, and AB2D APIs on portal access with a KYC option. Organizations implementing KYB for AB2D must also deploy KYC for their beneficiary portals within 12 months.
  • Launch Blue Button 2.0 digital identity pilot. Add support for FIDO2 security keys, mobile biometrics, and government ID verification. Track adoption rates and user experience metrics.

CMS’s own identity transformation would serve as both proof of concept and reference implementation. The technical specifications, integration guides, and lessons learned from CMS’s deployment should become the blueprint for the industry. When a rural hospital sees that CMS successfully implemented digital identity across its complex systems, the path forward becomes clearer.

Moreover, CMS should use its convening power to align other federal agencies. The VA, Indian Health Service, and DoD health systems should adopt compatible standards. When a veteran seeks care at a civilian hospital, their military health identity should seamlessly integrate. When tribal members access care outside IHS facilities, their identity travels with them.

Core principles

Digital identity and organization directory are critical and underpin anything else we can attempt to do in healthcare technology. If that foundation is weak, every other initiative requires costly workarounds, manual verification processes, and redundant checks that add friction and complexity throughout the system. Boiling down all prior ASTP and CMS regulations of health technology, we see three general themes that the government is uniquely positioned to incentivize or mandate at the ecosystem level.

Digital networks for cross-organization workflows

Create or incentivize ubiquitous networks to replace phone, fax, text, and mail across organizations, addressing:

  • PC-10 (TEFCA helping patient access)
  • PC-11 (HIEs helping patient access)
  • PR-6 (TEFCA helping provider access)
  • PA-1 (TEFCA limitations and improvements)
  • TD-6 (TEFCA’s unique functions)

While we’ve successfully digitized health data within individual enterprises, the connections between organizations remain stubbornly analog. Every day, countless hours are wasted on phone calls for prior authorizations, faxes for records requests, and manual processes that should have been automated decades ago. The government has proven it can solve this problem—we’ve seen successful examples in e-prescribing through Surescripts, claims and eligibility through clearinghouses, and emerging clinical data exchange through networks like Carequality and TEFCA.

The challenge is that networks face a fundamental chicken-and-egg problem: they provide no value until they reach critical mass, but reaching critical mass requires massive coordination. This is where government intervention becomes essential. Networks naturally stagnate at regional or specialty-specific levels without regulatory pressure to achieve national scale. We need to expand beyond the current focus on treatment use cases to include the full spectrum of healthcare operations, including prior authorization, referrals, care coordination, and even fraud detection. Bringing payers fully into the ecosystem through initiatives like fixing TEFCA Operations, enabling CMS participation, and ensuring true bi-directional exchange will unlock enormous value.

Ubiquity matters more than technical perfection. We can spend decades quibbling over the nuances of emergent, better technology and constantly revisiting our decisions on tool choice. Alternatively, we can reach a ubiquitous, national scale and then use the implicit network effects to upgrade and update with new features and protocols.

  • Multi-Purpose Network Design – Create transport infrastructure that supports diverse use cases rather than single-purpose networks that can’t adapt to new requirements. Consider Language First Interoperability and Agent-to-Agent protocols that may offer more robust and flexible negotiation between counterparties, rather than inflexible and highly bespoke content formats.
  • Expand Beyond Clinical Data – Build national infrastructure for prior authorization, referrals, lab ordering, appointment scheduling, billing inquiries, and every other workflow currently handled by phone or fax.
  • Regulatory Coordination – Use Medicare reimbursement incentives, certification requirements, and information blocking enforcement to drive network adoption at the scale and speed that private coordination cannot achieve.
  • Recalibrate and Revive TEFCA Operations – TEFCA Operations is dead in the water, driving demand for workarounds that stress the trust in Treatment exchange and threaten to undermine the full system. Redesign this SOP with payer input, clear value propositions, streamlined standards, and regulatory incentives for participation. Creating a paved path for payer participation is the only way to legitimately hold organizations accountable for “off-roading” around established data exchange standards. We cannot enforce compliance with a highway that doesn’t exist or penalize detours when the main road is impassable. Until TEFCA provides a functional, efficient route for all stakeholders—especially payers—we’re essentially asking the industry to follow rules for infrastructure we haven’t actually built.

Patient control and agency over health information

Empowering patients beyond just clinical data access to fully direct and manage their complete health journey, addressing:

  • PC-2 (Easy access to health information in one location)
  • PC-8 (Available and valuable health data)
  • PC-9 (Blue Button 2.0 API improvements)
  • PC-12 (Valuable operational health data use cases)

Patient data access has evolved significantly from the paper-based requests mandated by HIPAA to the digital APIs required by the Cures Act, yet significant friction remains. Today’s patient wanting to aggregate their health records faces a maze of different portals, forgotten passwords, and incomplete data. They must remember every place they’ve received care, maintain separate credentials for each health system, and even then, only receive a limited subset of their information through USCDI rather than their complete electronic health information.

True patient empowerment requires building systems where patients can seamlessly access their complete longitudinal record from any provider through universal health identity systems. This means solving the discovery problem so patients can find all their records without remembering every provider visit, implementing federated authentication so one secure login provides access everywhere, and expanding from limited USCDI data to full electronic health information access. Patients should have granular consent controls that let them share specific data with specific providers while maintaining full audit trails of who accessed what and when.

Perhaps most importantly, we need to create legitimate, patient-controlled pathways for data sharing that undercut the current gray market where applications establish pseudo-treatment relationships, launder data through secondary use, and arbitrage that risk to sell data to life sciences companies, lawyers, and insurers without patient involvement. When we make it easy for patients to direct their data where they want it to go—whether to researchers, other providers, or innovative applications—we not only respect patient autonomy but also create the demand that drives innovation and better healthcare.

The vision extends beyond just clinical data to encompass the entire patient journey. The idea that clinical data aggregation is the main (or even most important) problem patients need solved is an easily provable falsehood. Patients need to find timely care, manage scheduled appointments, and pay their bills. Unified patient services should span price transparency, eligibility checking, appointment scheduling, communications, and billing across all providers.

Patients need comprehensive data portability with standardized exports for personal use or when switching providers, along with the ability to correct errors or add context to their records through annotation rights. These capabilities transform patients from passive subjects to active participants in their healthcare journey and enable a whole category of hyper-specialized consumer-facing health tools that simply cannot exist today.

Administrative Workflow Integration: Aggregation of clinical data is one of the most basic jobs-to-be-done, but we need to do more to serve the average patient. Care navigation is dependent on extending patient agency beyond clinical data to the full healthcare lifecycle. Patients should be able to check eligibility, receive good faith estimates, schedule appointments, and manage billing across all their providers through the centralized applications of their choosing. This requires expanding USCDI to include administrative data elements, such as appointments, referrals, and financial bills, and mandating new provider APIs for operational workflows, like schedule availability, consumer-initiated eligibility, appointment booking, and bill pay.

The FHIR Argo-Scheduling Implementation Guide is an example of how one such capability should be exposed.

Solve the Discovery Problem at Scale: Patients shouldn’t need to remember every provider they’ve ever seen. We need national record location services that work like financial account aggregation, where one authenticated request finds all your records across all systems. This could be built on TEFCA Individual Access, claims-based discovery through payer APIs, or dedicated record location infrastructure.

Full Electronic Health Information Access: Move beyond the limited USCDI data set to complete EHI access. Patients should get everything in their chart—images, specialty reports, notes, test results—not just the structured data elements that make it into current APIs. The EHI export capability should be accessible via patient-directed APIs, not just portal downloads.

  • Scheduled but not yet completed appointments must be included, as they are the most valuable signal for a patient’s plan of care.
  • Financial bills must be included, as they are vital to helping a patient navigate care.
  • Referral orders must be included to understand the desired transitions of care.
  • PACS systems that include diagnostic images should be included.
  • Non-note scanned documents in the EHR and Document Management System should be included.

Operationalizing the EHI export in a useful way will not just help patients. It will meaningfully decrease the burden on hospitals’ HIM departments when the release of information is available via a portal and authorized API.

The EHI Export criteria of the certification program should be thoroughly vetted, as it is non-functional today. The EHI Export API Implementation Guide should be incorporated to allow for more robust usage of the EHI Export capability.

Universal Health Identity Systems – Every patient gets one secure, portable digital identity that works across all health systems. No more separate logins for every hospital, clinic, and specialty practice. Federated authentication means patients authenticate once with their chosen identity provider and seamlessly access all their records everywhere.

Granular Consent and Control – Patients need fine-grained control over their data sharing. They should be able to share specific conditions with specific providers, grant time-limited access to researchers, or provide comprehensive access to trusted family members. All access should be logged and auditable so patients know exactly who has seen what data and when.

Legitimate Data Sharing Pathways – Create proper channels for patients to share data with life sciences companies, legal representatives, and other non-covered entities when they choose to do so. This undercuts the current problematic secondary use patterns where organizations establish minimal treatment relationships just to access data for other purposes.

Data Correction Rights – Patients need the ability to correct errors or add context through annotation rights. When information is incorrect or incomplete, patients should have mechanisms to fix it. The FHIR Patient Request for Corrections Implementation Guide is good guidance for a path forward here.

Provider application innovation and competition

Ensure dominant platforms offer vertical interoperability and make closed systems into headless ones, addressing:

  • PR-2 (Obstacles to physician workflow applications)
  • PR-3 (Importance of all EHR data being accessible)
  • PR-5 (FHIR APIs and capabilities)
  • TD-8 (Effective certification criteria)
  • TD-9 (Certification of health IT)
  • TD-10 (API condition of certification)

The healthcare technology ecosystem has reached an inflection point where the tension between software vendors’ control and customers’ need for extensibility is boiling over. While EHR vendors maintain legitimate concerns about security, performance, and intellectual property protection, healthcare organizations increasingly demand the ability to use the technology of their choice, beyond manufacturer-provided options. They want to install the applications they see as best, access their data through comprehensive APIs, and create workflows that match their specific needs—essentially, they want to “jailbreak” their enterprise infrastructure.

The administration faces a fundamental choice in how to approach this tension, with two distinctly different paths forward. If the primary concern is EHR market consolidation and stagnancy, policy would focus on reducing switching costs through tools like population EHI export and bulk FHIR, while removing certification requirements that act as barriers to new EHR entrants. This approach assumes that better EHRs will emerge to disrupt incumbents if switching becomes easier.

However, the reality is that EHRs won’t be disrupted by other EHRs. These markets naturally calcify as massive switching costs always outweigh marginal improvements. True disruption comes from platform shifts that fundamentally change how organizations operate, as mobile and cloud computing did to desktop operating systems. We can hasten this outcome via a more pragmatic approach to create a vibrant ecosystem alongside existing EHRs. It’s more important now than ever, as such an ecosystem is foundational in this era of generative artificial intelligence. LLMs operate best with the fullest context. This means mandating comprehensive APIs that match internal capabilities, not just read-only USCDI access, but full CRUD operations, webhooks, subscriptions, and workflow integration. It means actually enforcing information blocking provisions beyond sporadic private litigation to create continuous pressure for openness, exceeding the pace of the regulatory floor.

The current state, where providers default to EHR-bundled solutions due to integration barriers, represents a massive market failure. When clinical application choice is dictated by pre-existing integration agreements rather than quality or fitness for purpose, we lose the benefits of specialized innovation. While mandating this “headlessness” does impose a regulatory burden on EHRs that may cull the long tail of vendors in that space, the alternative—continued stagnation and vendor lock-in—is far worse for healthcare innovation. Providers should be able to choose the systems they want and need.

Enforce Information Blocking Provisions: Direct OIG to pursue 5-10 high-profile enforcement cases annually, focusing on the most egregious violations such as excessive API fees, artificial throttling, and denied access to data. Even limited enforcement will create a powerful deterrent effect as vendors seek to avoid becoming cautionary tales. The industry responds more to the credible threat of enforcement than to the rules themselves. By making examples of the worst actors, HHS can drive voluntary compliance across the entire ecosystem without needing to pursue every violation. Clear safe harbor guidelines should accompany enforcement to help well-intentioned vendors understand acceptable practices.

Expand Certification to Specialty Markets: The current certification program has inadvertently driven away entire sectors of healthcare IT. Dental practices, behavioral health providers, physical therapists, home health agencies, school nurses, correctional health, and occupational health have ignored or abandoned certified systems, because their providers live outside the regulated programs (Medicare Promoting Interoperability and MIPS). CMS should leverage every available program to bring these specialties back into the certification ecosystem: require certified technology for dental and vision claims in Medicare Advantage, make it a condition of home health agency certification, tie behavioral health grants to certified EHR use, link DEA licensing for e-prescribing to certified systems, and include technology requirements in Medicaid managed care contracts. For school-based and correctional health, federal education and justice grants should give preference to certified systems. The goal is to reduce certification burden while also making certified systems the path of least resistance for all providers, not just hospitals and large practices.

Mandate FHIR Subscriptions and Write-back Capabilities: Read-only APIs are next to useless in creating applications that really benefit providers. Modern healthcare applications need bidirectional data flow, including both the ability to subscribe to real-time updates and write data back to the source system. CMS should require certified EHRs to support FHIR subscriptions and write operations, starting with specific high-value use cases like lab results, vital signs, and patient-reported outcomes. This transforms EHRs from data vaults into true platforms where third-party innovations can build apps as powerful as the EHRs’ own offerings and meaningfully contribute to the patient record.

Make Bulk FHIR Export Functional: Current Bulk FHIR implementations across most certified EHRs are plagued by critical failures that prevent population health applications from functioning. Export jobs frequently get stuck at partial completion percentages, fail outright before finishing, or take weeks to complete even modest data sets. Many EHR vendors haven’t “productionalized” their implementations: they pass certification tests but fail under real-world conditions. Providers must manually create and maintain patient groups before exports can begin, adding administrative burden. Missing USCDI data elements, corrupted exports, and the lack of an “All Patients” capability force application vendors to fall back on proprietary APIs instead.

  • Enforce reliability standards: Require all bulk export jobs to complete within 1 month, regardless of size, with performance targets of 1 hour per 100,000 records for standard resources
  • Mandate “All Patients” export: Eliminate the burden of manual group management by requiring support for practice-wide exports by default
  • Treat failures as information blocking: Direct OIG to pursue enforcement cases against vendors whose Bulk FHIR repeatedly fails or stalls, creating clear deterrent effects
  • Implement proper rate-limiting: Require standard HTTP 429 responses with Retry-After headers to prevent queue flooding while maintaining multi-client access
  • Enable incremental exports: Support date-range filtering and delta exports to avoid redundant full-population downloads
  • Reduce provider burden: Prohibit requirements for additional software installation, manual configuration, or vendor contact to enable Bulk FHIR
  • Clear certification labeling: Require vendors to explicitly mark which API features are certified vs experimental to prevent reliance on unsupported functionality
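To make the reliability and rate-limiting points concrete, here is a small Bulk FHIR status poller, added as an illustration and not code from HTD Health or any EHR vendor. It follows the Bulk Data async pattern (202 with optional X-Progress and Retry-After while the job runs, 429 with Retry-After when the server throttles, 200 with a manifest when done), backs off exactly as the server asks instead of flooding the queue, and flags a job whose reported progress stops moving as stalled rather than polling it forever. The status URL and scripted server responses are constructed for the example.

```python
import time


class ExportStalled(Exception):
    """Job reported no progress for several consecutive polls (or never finished)."""


class ExportFailed(Exception):
    """Server returned a terminal error for the export job."""


def poll_export(fetch, status_url, sleep=time.sleep, max_stall_polls=3, max_polls=100):
    """Poll a Bulk FHIR $export status endpoint until it completes.

    fetch(url) -> (status_code, headers, body). Returns (manifest, delays_waited).
    """
    last_progress, stalled, delays = None, 0, []
    for _ in range(max_polls):
        status, headers, body = fetch(status_url)
        if status == 200:                       # complete: body is the NDJSON manifest
            return body, delays
        if status == 429:                       # throttled: honor Retry-After, never hammer
            delay = float(headers.get("Retry-After", "60"))
            delays.append(delay)
            sleep(delay)
            continue
        if status == 202:                       # still running; watch X-Progress for stalls
            progress = headers.get("X-Progress")
            if progress is not None and progress == last_progress:
                stalled += 1
                if stalled >= max_stall_polls:
                    raise ExportStalled(f"no progress past {progress!r} after {stalled} polls")
            else:
                stalled, last_progress = 0, progress
            delay = float(headers.get("Retry-After", "5"))
            delays.append(delay)
            sleep(delay)
            continue
        raise ExportFailed(f"HTTP {status}: {body}")   # 4xx/5xx: job is dead, surface it
    raise ExportStalled(f"gave up after {max_polls} polls")


def scripted_fetch(responses):
    """Constructed stand-in for an HTTP client: replays responses, repeating the last."""
    calls = [0]

    def fetch(_url):
        reply = responses[min(calls[0], len(responses) - 1)]
        calls[0] += 1
        return reply
    return fetch


HEALTHY_JOB = [                                 # constructed server behaviour
    (202, {"X-Progress": "10%", "Retry-After": "5"}, ""),
    (429, {"Retry-After": "30"}, ""),           # server throttles this client once
    (202, {"X-Progress": "60%", "Retry-After": "5"}, ""),
    (200, {}, {"output": [{"type": "Patient", "url": "https://ehr.example/file/1.ndjson"}]}),
]
STUCK_JOB = [(202, {"X-Progress": "41%", "Retry-After": "5"}, "")]   # progress never moves


def run(responses):
    return poll_export(scripted_fetch(responses), "https://ehr.example/bulkstatus/42",
                       sleep=lambda _s: None)
```

`run(HEALTHY_JOB)` returns the manifest after waiting 5, 30 and 5 seconds as instructed by the server; `run(STUCK_JOB)` raises `ExportStalled` after three polls at 41%, which is the signal a population health application should log and escalate instead of waiting weeks.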

Make EHI Export Functional: Providers remain locked into suboptimal EHR systems because switching is so painful. The EHI export requirement should be strengthened to ensure the complete and importable transfer of patient records between systems. This means standardized formats that competing EHRs can actually ingest, strict timelines for data delivery, and inclusion of customizations and configurations that make each practice unique. When providers know they can switch without losing years of data and workflows, market competition can finally function properly.

Conclusion

The current moment presents a unique opportunity. With the administration’s focus on FWA and the technological capabilities now available, CMS can lead a transformation that makes healthcare both more secure and more accessible. We urge CMS to act decisively and comprehensively. Half-measures and incremental steps will only perpetuate the current dysfunction. Instead, by setting clear deadlines, leading by example, and using the full weight of federal programs to drive adoption, CMS can catalyze the industry-wide transformation that patients, providers, and payers desperately need.

The technology exists. The need is urgent. The benefits are clear. What remains is the will to act. We at HTD Health stand ready to support these efforts and help build a healthcare system that is simultaneously more trustworthy, more efficient, and more patient-centered than ever before.

Thank you for the opportunity to comment on this critical initiative.

Zachary Markin
CEO and Co-founder

Brendan Keeler
Interoperability Practice Lead

Ryan Tucker
Interoperability Principal
