On August 6, 2025, the Assistant Secretary for Technology Policy (ASTP) at ONC publicly announced its release of the TEFCA Organizational Map, a beta search tool that allows users to look up which organizations are participating in the Trusted Exchange Framework and Common Agreement (TEFCA). For the first time, the public can search by organization name, address, or ZIP code to see who has committed to this national data-sharing framework.
This new transparency tool brings with it both clarity and controversy. For years, TEFCA was discussed in theoretical terms, promoted as a voluntary pathway toward nationwide interoperability. But now that the organizational map has made participation (or conspicuous non-participation😬) visible, the implications are harder to ignore. Whether that visibility functions as genuine pressure or simply as another data point depends on perspective. For some, national interoperability represents long-awaited progress; for others, it raises concerns about governance, local control, and whether more data flowing nationally is always better for patients.
Epic’s Numbers Show an Uneven Adoption
Epic remains the dominant electronic health record (EHR) vendor in the United States, with more than 250 million patients’ medical records stored in its system. When Epic speaks about interoperability, the industry listens.
In June 2025, Epic reported the following breakdown of its customers’ TEFCA status:
41% live on TEFCA
43% actively implementing TEFCA
16% still in planning stages, not yet live or committed
(source: “Healthcare Drive, Epic charts growth in provider TEFCA adoption“)
That “16%” may sound modest, but given the size and prominence of Epic’s customer base, this translates into some of the nation’s most recognized health systems still sitting on the sidelines. For these organizations, the release of the TEFCA map provides greater visibility into who is moving forward and who is not. Some will interpret absence as lagging behind, while others will view it as a conscious choice to protect local strategies or avoid premature commitments.
Who’s In and Who’s Out?
Because ONC has not released a formal “not participating” list, the map does not explicitly call out non-joiners. Instead, participation must be inferred: if an organization’s name is missing, it likely has not yet gone live or registered.
Several marquee Epic customers are already listed as active TEFCA participants, including:
- Mayo Clinic
- Intermountain Health
- Stanford Health Care
Other systems went live in May 2025, among them:
- Allegheny Health Network (Pittsburgh)
- Kaiser Permanente – Northern California
- University of Utah Health (Salt Lake City)
- Corewell Health
- University Hospital (Newark, NJ)
By July 2025, additional Epic health systems had joined:
- Citizen Potawatomi Nation Health Services
- Meritus Health
- Mohawk Valley Health System
- TidalHealth (Maryland)
- Baptist Healthcare System (Kentucky)
- St. Luke’s Health System (Idaho)
This steady onboarding shows momentum. But it also underscores how many large names are still not present.
Some systems have pledged to join, but have not yet gone live:
- Kaiser Permanente (enterprise-wide commitment)
- AdventHealth
- Sutter Health
By contrast, several of the most prominent Epic health systems appear to be absent from the TEFCA map as of August 2025. By deduction, these likely fall into the “16% still planning” category:
- Johns Hopkins Medicine
- Cleveland Clinic
- Cedars-Sinai
- Mass General Brigham
- Emory Healthcare
- Memorial Hermann Health System
- UC Davis Medical Center
The absence of these institutions is notable. Collectively, they represent millions of patients and wield significant influence in policy debates. Their decisions may reflect caution, competing priorities, or skepticism about whether TEFCA aligns with their long-term strategy.
Why Are Some Holding Back?
From a legal and compliance perspective, reluctance to jump into TEFCA is not surprising. The Common Agreement and the Qualified Health Information Network (QHIN) Technical Framework impose obligations that differ in important ways from existing HIPAA requirements. Concerns likely being weighed include:
1. Expanded Obligations Beyond HIPAA
TEFCA requires certain mandatory exchange purposes and imposes obligations to respond to queries that HIPAA leaves to organizational discretion. For some systems, this feels like a loss of flexibility.
2. Risk Allocation and Liability
Participation agreements include liability provisions that could create exposure for downstream breaches or misrouting. Some systems may view the risk profile as higher than under HIPAA alone.
3. Technical and Operational Readiness
Going live on TEFCA requires contractual execution, testing, QHIN alignment, and internal workflow changes. For large or complex systems, this can be resource-intensive.
4. Strategic Considerations
Some may prefer to wait and see. If TEFCA adoption plateaus, early movers may feel they bore disproportionate costs. Others may question whether broad, nationwide data exchange is always in patients’ interests compared to more tightly managed regional networks.
Pressure or Perspective?
Although TEFCA remains voluntary, the release of the organizational map may mark a shift in perception. For some, what once felt optional now looks like a potential requirement, at least reputationally. For others, however, the map simply provides a clearer view into the diversity of organizational strategies.
Some stakeholders may interpret a missing entry as foot-dragging. Others may see it as deliberate prudence. Payers and research partners may eventually require TEFCA participation. But for now, not all have done so, and local or regional interoperability may still meet their needs. Finally, TEFCA could be viewed as one way, but not the only way, to satisfy information blocking rules under the 21st Century Cures Act. Some may argue that local HIE participation or direct patient access tools are equally reasonable methods.
What Comes Next?
For those still weighing their options, the August 6 map release does not resolve the debate, it reframes it. Legal and compliance teams should consider:
- Map Monitoring: Use the TEFCA organizational directory as one source of benchmarking, not the only one.
- Risk Assessment: Balance the regulatory and reputational risks of delay with the operational and legal risks of early adoption.
- Contract Alignment: Track how payers, vendors, and partners reference TEFCA, but recognize that not all counterparties will demand participation immediately.
- Governance Updates: Keep data governance committees briefed, even if the decision is to stay local for now.
- Stakeholder Communications: Be ready to explain the rationale behind participation (or non-participation) clearly to both internal and external audiences.
TEFCA’s launch has always been envisioned as a “network of networks,” not a single switch. With the release of the organizational map, the industry now has a new level of visibility into who is participating and who is not.
Some systems may find themselves gradually dragged along by peer expectations or contractual obligations , much like a reluctant groom who hesitates at the altar before finally being pulled forward. Others may remain convinced that waiting, or focusing on local and regional exchange, is the better choice for their patients and communities.
The uneven march into TEFCA is no longer just a question of technical readiness. It has become a matter of strategy: deciding whether nationwide interoperability represents opportunity, overreach, or something in between.