TEFCA and medical record access in plain English
TEFCA is a nationwide framework for exchanging electronic health information across participating networks in the United States. It is not a patient portal, consumer app, or central database. To request your own information through TEFCA, you generally use a participating app or service called an Individual Access Services Provider, or IAS Provider.
That provider helps verify your identity, sends a request through its TEFCA connection, and returns information from entities connected to the network. What comes back depends on the provider's capabilities, the connected sources, identity matching, available electronic information, and applicable rules. A result can be useful without being a complete personal health record.
Current-state note: This guide was verified on July 10, 2026. TEFCA policies, participating networks, IAS Providers, and capabilities can change. Use the live ONC and Recognized Coordinating Entity sources linked below rather than a static provider list.
The short answer
TEFCA can expand the reach of an electronic record request across connected health-information networks. For an individual, the practical path is:
- Choose an IAS Provider that participates in TEFCA exchange.
- Review what it can request, receive, and share, plus its privacy and data-use terms.
- Complete the supported identity or portal-credential process.
- Request information from TEFCA-connected entities.
- Inspect returned records for source, dates, duplicates, and gaps.
- Use portals or formal record requests for anything still missing.
The stopping rule is important: more connected does not mean complete.
The key terms without the policy language
ONC's TEFCA page, updated June 9, 2026, describes a nationwide network-of-networks with these roles:
- TEFCA: the common governance, legal, policy, and technical framework for exchange
- QHIN: a Qualified Health Information Network that serves as a central connection point
- Participant: an organization connected to a QHIN
- Subparticipant: an organization connected through a Participant
- Individual Access Services: the TEFCA Exchange Purpose for an individual requesting their own information
- IAS Provider: an app or service that provides the individual's access path
TEFCA currently includes Exchange Purposes for Treatment, Payment, Health Care Operations, Public Health, Government Benefits Determination, and Individual Access Services. An exchange request identifies why information is being requested.
For a patient, the main distinction is this: your health system may use TEFCA for treatment exchange, while you may use a separate IAS Provider for personal access. Provider-to-provider exchange and individual access are related but different workflows.
TEFCA is not where you log in
The official RCE frequently asked questions explain that an individual does not sign a TEFCA Framework Agreement. Instead, the individual has an agreement with an app or another IAS Provider that requests information through TEFCA exchange.
Before creating an account or sharing identity information, confirm:
- The service states that it participates as an IAS Provider or through a TEFCA-connected organization
- Which QHIN, Participant, Subparticipant, or connector supports its exchange
- Whether its current listing or participation can be verified through official RCE information
- Whether it requests records, receives records, shares records back to connected participants, or supports only some of those actions
- Which organizations or source types it expects to reach
- What export formats and provenance details it provides
The RCE's live Designated QHIN list can change as organizations complete designation. Do not use a blog post's static roster as proof that a particular app, provider, or source is currently connected.
Review the IAS Provider before using it
The RCE's TEFCA for Individuals page says IAS Providers must tell individuals which exchange capabilities they support. A bidirectional capability can include requesting access to information and sharing it with other connected participants, but a particular provider may support a different set of actions.
Review:
- Exchange capability: request, receive, export, and share functions
- Identity path: portal credentials, identity proofing, or other supported method
- Source coverage: which TEFCA-connected entities it can query and how gaps are shown
- Privacy notice: collection, use, disclosure, retention, deletion, research, advertising, and sale terms
- Sharing controls: who can receive information and whether sharing is optional
- Export and portability: readable and machine-readable formats, source metadata, and account closure
- Cost and support: fees, failed-match help, correction paths, and response times
- Record handling: duplicates, updates, provenance, download history, and missing-data status
Open the copyable TEFCA IAS Provider checklist. It is an evaluation worksheet, not an endorsement or certification of any provider.
Understand the identity step
The RCE FAQ describes current IAS access paths that may use supported patient-portal credentials or demographics-based matching after identity verification through a credential service provider. Implementation varies by IAS Provider.
Before starting, ask:
- What identity information is required?
- Is a portal login used, and which portals are supported?
- Which identity-verification vendor is involved?
- What happens after a failed identity or patient match?
- Can a caregiver or personal representative use the service, and under what process?
- What identity data is retained after verification?
Do not send identity documents or portal credentials based only on a search result or unsolicited message. Start from the official provider site, inspect the terms and privacy notice, and confirm the expected process.
Completing identity proofing does not guarantee that every source can match you or return every record. Keep a log of failed sources and unresolved identities.
Request information from connected entities
ONC's current TEFCA history and growth page says Individual Access Services allow patients to electronically request and receive their own health information. The RCE explains that IAS infrastructure is intended to help individuals obtain information from TEFCA-connected entities.
When starting a request, record:
- IAS Provider and account used
- Request date and time
- Source organization or source category requested
- Date range or filters, if supported
- Request or transaction identifier
- Response status
- Records or document types returned
- Sources that returned no match, no data, an error, or an incomplete result
Do not treat request completed as archive complete. It means the provider completed the request it could perform under its current capabilities and connections.
Inspect what comes back
For each returned file or data bundle, preserve:
- Source organization
- Author, clinician, facility, or department when provided
- Service, collection, or document date
- Record or document type
- Original identifiers and provenance metadata
- Download or receipt date
- Whether the item duplicates another source
- Whether pages, attachments, images, or related reports appear to be missing
Keep these statuses separate:
- Network reached: a connected source responded
- Record returned: information came back from that source
- Source verified: you checked the source, identity, date, and document type
- Completeness unknown: no response can prove that every relevant record exists in the returned set
If a record contains a possible error, use the source organization's correction or amendment process. Do not silently rewrite an official document in the personal archive.
What TEFCA can help with
TEFCA can provide a common exchange floor across participating networks. It can support treatment exchange and an individual access path. It can reduce the number of separate network connections some organizations need and may let an IAS Provider query multiple connected sources.
Those are infrastructure capabilities. They can make broader access possible without making the returned record self-explanatory.
What TEFCA cannot promise
TEFCA does not promise that:
- Every provider, hospital, lab, imaging center, payer, pharmacy, or app participates
- Every historical, paper, archived, or specialty record is electronically available
- Every connected source matches the correct individual on every query
- Every requested data class or document is returned
- Duplicate records are removed
- Units, codes, names, or formats are normalized for personal use
- A returned record is clinically complete, current, interpreted, or accurate
- A particular app is free, private, secure for your needs, or appropriate for you
- Information will arrive before an appointment or urgent decision
These limitations do not make TEFCA useless. They define the gap between exchange infrastructure and a verified personal record.
Keep the fallback access path active
If TEFCA access is unavailable or incomplete, continue using the source paths that exist today. ONC's Get It guide describes portals, access or release forms, email, mail, fax, and provider-specific processes.
Use a simple gap log:
- Missing record or date range
- Likely record holder
- TEFCA or IAS response
- Portal checked
- Formal request date
- Follow-up date
- Received and verified date
- Remaining uncertainty
The medical-record request template provides a manual request artifact. Missing data alone does not prove information blocking, misconduct, or a legal violation.
Turn returned data into a usable record
Exchange is only the first layer. Keep original files and provenance, then build the artifact needed for the next task.
- For scattered portals and source gaps, read why medical records are still scattered when portals exist.
- For longitudinal labs, use how to organize years of blood test results.
- For a referral handoff, use how to export medical records for a specialist.
Do not ask an app or AI system to infer diagnosis or treatment from an unverified, incomplete, or decontextualized export.
Questions people ask about TEFCA
Is TEFCA a patient portal I can sign into?
No. TEFCA is a framework and network-of-networks. Individual access generally happens through an IAS Provider, such as a participating app or service with an agreement for individual access.
Will TEFCA give me all my medical records?
It can help request information from connected entities, but it cannot guarantee every source participates, every identity matches, or every historical and relevant record is returned. Treat completeness as unknown and keep a gap log.
How do I find an IAS Provider?
Start with the official RCE individual-access information and live participation resources. Verify the provider's TEFCA role or connection, capabilities, privacy notice, identity process, source coverage, exports, costs, and support before creating an account.
Does TEFCA replace my HIPAA right-of-access request?
No. TEFCA can provide another electronic access path, while portals and formal requests remain useful for sources or records that are not returned. This article does not provide legal advice about a specific access request.
Is Libby connected to TEFCA?
This page does not claim that Libby is a QHIN, Participant, Subparticipant, connector, or IAS Provider. Libby can help organize files you lawfully obtain, preserve their sources, track gaps, and prepare summaries and questions.
What Libby and white-glove setup help with
Libby supports the organization layer after records reach you. It can keep source files, dates, provenance, timelines, missing-record logs, summaries, and questions together.
White-glove setup provides hands-on help organizing a first record and learning the product. It does not connect Libby to TEFCA, retrieve every record, provide identity proofing, certify an IAS Provider, offer legal or medical advice, diagnose, or recommend treatment.
Safety boundaries
This guide explains a changing interoperability framework. It is not legal, privacy, security, or medical advice and does not endorse an IAS Provider.
Keep these boundaries clear:
- Do not delay urgent care while waiting for electronic records.
- Do not assume missing data proves information blocking or provider misconduct.
- Do not share identity documents, portal credentials, or health data until you understand and accept the provider's process and terms.
- Do not treat a returned record set as complete without checking sources and gaps.
- Do not change medication, supplements, testing, or treatment based only on an export, app, or AI answer.
- Verify clinical interpretation and medical decisions with a qualified clinician.
If symptoms may be urgent, contact a clinician, urgent care, emergency services, or your local emergency number instead of waiting for records.
References
Educational content, not medical advice.Libby is a personal record tool, not a medical service — it doesn't diagnose, treat, or prescribe. Reference ranges vary by lab and by person. Talk to a qualified healthcare professional about your results.
Every lab you've ever taken, on one timeline.
Libby imports your lab PDFs, reconciles the units, and tracks every marker over the years — yours to own and export, ready for a conversation with a clinician or AI.
Start your record ›