Third-party apps wanting patient health data through TEFCA face a trust gap — QHINs return limited data for patient access use cases vs. treatment use cases, and companies that try to shortcut the process face lawsuits.
A certified consent management and identity verification platform that third-party apps integrate with to prove legitimate patient authorization, increasing the data QHINs are willing to return while maintaining full compliance audit trails.
API usage-based pricing (per patient authorization processed) plus a platform certification fee.
The pain signals are exceptionally strong. Companies are getting sued (Particle Health) for trying to shortcut patient access. QHINs are returning limited data for patient access vs. treatment use cases. The Reddit thread shows practitioners confirming the trust gap is the biggest blocker, not technology. When companies face litigation risk and lost revenue because they can't solve a compliance problem, pain intensity is very high.
TAM is meaningful but narrow. Primary buyers are digital health startups, PHR companies, and health data aggregators — perhaps 500-2,000 companies in the US that need third-party patient data access. At $5K-50K/year per customer, that's a $10M-100M addressable market. Could expand if TEFCA adoption accelerates and more non-traditional companies enter health data. Not a massive market, but sufficient for a venture-scale outcome if you capture significant share.
Very high. Companies in this space are already paying $1-8 per patient query to data aggregators. A trust/consent layer that unlocks MORE data from QHINs (turning limited patient-access responses into treatment-equivalent richness) has clear, quantifiable ROI. If a company is getting 30% of the data they need and this layer gets them to 90%, they'll pay significant premiums. Compliance and litigation avoidance also justify budget — legal costs from doing it wrong dwarf platform fees.
This is where the idea gets brutal. Building a TEFCA-compliant consent management layer is NOT a solo-dev-in-8-weeks project. You need: TEFCA certification (lengthy process involving ONC/RCE review), identity proofing that meets NIST IAL2 standards, legal frameworks QHINs will actually accept, integration with QHIN APIs and FHIR standards, SOC 2 and potentially HITRUST certification, and relationships with QHINs who must agree to trust your consent artifacts. The technical build is moderate, but the certification, compliance, and trust-building process is 12-18 months minimum.
Clear gap exists. Current players are either full-stack data platforms (1up, Particle, Health Gorilla) that don't offer consent-as-a-service, or payer-only solutions (Flexpa) that don't touch TEFCA clinical data. Nobody is positioned as a pure consent/trust middleware layer. The Particle Health lawsuits prove that even well-funded companies haven't solved this. The gap is real — but it exists partly because it's genuinely hard to fill.
Excellent recurring dynamics. Per-authorization API pricing means revenue scales with customer growth. Once integrated, switching costs are very high (consent frameworks, audit trails, QHIN trust relationships are deeply embedded). Customers need ongoing consent management, not one-time setup. Compliance requirements create perpetual demand for maintained, certified infrastructure.
- Pro: Regulatory tailwind is massive — TEFCA rollout and information blocking enforcement create urgency
- Pro: Clear, lawsuit-validated pain point that existing players haven't solved
- Pro: High switching costs and strong recurring revenue mechanics once integrated
- Pro: Middleware positioning means you don't compete with customers — you enable them
- Pro: Compliance-driven purchase decisions are less price-sensitive and more predictable
- Risk: TEFCA certification and QHIN trust-building is a 12-18 month process — long time to revenue with significant upfront investment
- Risk: Regulatory framework is still evolving — ONC could change rules, QHINs could solve this themselves, or large EHR vendors (Epic, Cerner) could build native consent layers
- Risk: QHINs themselves may not accept or trust a third-party consent layer regardless of certification — the trust problem may require institutional relationships, not just technology
- Risk: Market size is concentrated in a relatively small number of digital health companies — if a few large aggregators solve it in-house, your TAM shrinks significantly
- Risk: Identity verification at NIST IAL2 standards adds significant UX friction that could reduce adoption
API platform that connects third-party apps to nationwide health data networks
FHIR-based health data aggregation platform. Designated as a TEFCA QHIN. Provides APIs for retrieving and normalizing patient health records from EHRs and payers.
Patient-authorized health plan data access via a Plaid-like widget. Lets patients connect their insurance/claims data to third-party apps using existing payer Patient Access APIs.
Health data interoperability platform and designated TEFCA QHIN. Provides clinical data access from labs, imaging centers, EHRs, and health information exchanges.
Patient-controlled health records platform that helped patients gather and share their medical data, particularly for oncology and clinical trials.
Don't build the full certified platform first. Start as a consulting-plus-software play: help 3-5 digital health companies navigate TEFCA patient access compliance manually, using lightweight tooling for consent documentation and audit trails. Use these engagements to learn exactly what QHINs require, build relationships with QHIN compliance teams, and validate what consent artifacts actually increase data returns. Then productize the patterns into an API. The MVP is the consulting wrapper, not the platform.
Phase 1 (months 1-6): Compliance consulting + lightweight consent documentation tools at $10-25K per engagement. Phase 2 (months 6-18): Productize into API with per-authorization pricing ($2-5/authorization) plus annual platform fee ($25-50K). Phase 3 (18+ months): Pursue TEFCA certification, become a recognized consent intermediary, scale to $100-500K enterprise contracts with volume pricing.
2-3 months if you start with consulting/advisory services. 12-18 months if you insist on building the certified platform first. The consulting-first approach is strongly recommended to validate assumptions and build QHIN relationships while generating revenue.
- “The challenge is it's not returning nearly the data that treatment use case is pulling”
- “tech firms didn't want to wait and use patient access & info blocking the right way”
- “The biggest blocker is not technical. It's trust”