Carequality Interoperability Framework: What It Is And How It Works
If you build software for health systems, you've probably run into the term Carequality interoperability framework in an RFP or a security questionnaire and had to figure out fast what it actually means. It's not a product you buy or a single API you call. It's a legal and technical agreement that lets health systems, EHR vendors, and health information networks exchange patient data without negotiating a separate contract for every connection.
At its core, Carequality defines a common set of rules for trust, security, and data exchange, then lets participating networks connect to each other under one legal umbrella. That's how a clinic on one network can pull records from a hospital on a completely different platform. This article breaks down the framework's structure, the roles of Implementers and Connections, and how data actually moves once you're part of it.
We'll also cover where Carequality fits alongside FHIR-based exchange and EPIC-specific integrations, since that's usually the piece vendors get stuck on when trying to reach health systems directly.
Why the Carequality framework matters for healthcare data exchange
Before Carequality existed, connecting two health systems meant lawyers on both sides drafting a data-sharing agreement from scratch. That process could take six months or longer per connection, and it had to happen again every time a new partner showed up. If you're a digital health vendor trying to reach ten health systems, you're not signing one contract, you're signing ten different ones, each with its own legal language, security requirements, and technical specs. Carequality replaced that model with a single agreement that every participant signs once. Sign it, and you're legally cleared to exchange data with every other participant on the framework, no separate negotiation required.
The scale problem Carequality solves
The numbers make the case better than any explanation. Carequality now connects hundreds of thousands of care sites and more than 60 networks and platforms, according to Carequality's own reporting on its participant base. That includes the largest EHR vendors in the country: EPIC, Oracle Health (formerly Cerner), athenahealth, and eClinicalWorks all participate, along with health information exchanges (HIEs) that serve regional hospital systems. Without a shared framework, every one of those connections would require its own point-to-point agreement. With Carequality, a single signature gets you access to that entire network.

One signed agreement replaces hundreds of individual data-sharing contracts.
This matters most if you're building a product that needs patient data from outside your customer's own EHR instance. A remote monitoring company, for example, might need lab results or discharge summaries from a hospital the patient visited last month, one that has nothing to do with the health system that's actually your customer. Carequality is what makes that record retrievable without you building a custom interface for every possible source.
Why vendors can't ignore this
Health systems increasingly expect vendors to already participate in a national exchange framework before they'll even take a meeting. It's become a baseline expectation, not a differentiator. If your RFP response doesn't mention Carequality, TEFCA, or a comparable framework, procurement teams read that as a gap in your product's maturity, not just a missing feature.
Here's what typically happens when a vendor lacks this connectivity:
- The health system's IT team has to build a custom point-to-point interface, adding weeks or months to onboarding.
- Legal has to review a bespoke data-sharing agreement instead of relying on Carequality's existing legal framework.
- The vendor's product looks less credible next to competitors who already participate.
- Patient data ends up siloed within a single instance instead of following the patient across care settings.
Carequality also matters because it's not just a technical spec, it's a legal trust framework. Participants agree to specific privacy, security, and data-use obligations enforced through the agreement itself, not just through technology. That's part of why health systems trust the network enough to expose patient records through it. For vendors, understanding this distinction is the first step toward figuring out where their own EPIC integration work needs to plug in, which is exactly what the next sections cover.
How the Carequality interoperability framework works
Under the hood, the Carequality interoperability framework runs on a query-response model built on IHE standards like XCPD (Cross-Community Patient Discovery) and XCA (Cross-Community Access). A provider or app doesn't request data from a specific hospital by name. Instead, it broadcasts a standardized query across the network asking, in effect, "does anyone have records for this patient?" Every connected network checks its own data against the patient identifiers in that query, and any match triggers a response.
A single query can reach every connected network at once instead of one system at a time.
The query-response cycle
Getting a record back typically follows the same sequence no matter which two networks are talking to each other:

- Patient discovery: the requesting system sends demographic identifiers (name, DOB, gender) to search for a match.
- Matching: responding networks run their own algorithms to confirm the patient exists in their records.
- Document query: once a match is confirmed, the requester asks what clinical documents are available.
- Document retrieval: the actual records, usually CCDs or FHIR resources, get pulled back to the requesting system.
Each step happens over secure, authenticated connections, so the framework isn't just passing data around loosely. It's enforcing the same trust and security rules at every hop, regardless of which vendor built either end of the connection.
Implementers and Connections
Carequality doesn't connect individual hospitals directly. It connects through organizations called Implementers, entities like EPIC, Surescripts, or a regional HIE, that build Carequality-compliant technology and onboard their own customers as Connections. Your health system customer is a Connection sitting inside an Implementer's network. Vendors almost never join Carequality directly; they get access through an Implementer's existing infrastructure, which is exactly the layer a platform like VectorCare operates within when it wires an app into EPIC's Connections.
Core components that make Carequality function
Four pieces hold the Carequality interoperability framework together: a single legal agreement, a governance body, a participant directory, and a shared technical spec. Strip out any one of them and the network stops working the way vendors expect it to. Understanding each piece helps you see where your own EPIC integration work actually plugs in, rather than treating Carequality as a black box you just trust to work.
The Connected Agreement and governance
Everything starts with the Carequality Connected Agreement, the legal document every Implementer signs to join. It spells out privacy obligations, security requirements, and liability terms so that no participant has to negotiate those points individually. Sitting above that agreement is a governance structure, run through the Sequoia Project, that maintains the rules, resolves disputes between participants, and updates technical requirements as standards evolve. Sequoia publishes the current version of that agreement and its governing policies directly on its site, which is worth reading if you want the legal detail behind the summary here (https://sequoiaproject.org/carequality/).
No governance body, no shared rulebook, and the whole trust model falls apart.
Directory, testing, and technical specs
A participant directory lists every Implementer and Connection on the network, which is how a query knows where to look for a given patient's records. Before any Implementer goes live, they run through a conformance testing process that verifies their systems correctly handle XCPD and XCA transactions, the same standards covered in the previous section.
Here's what that onboarding typically checks:
- Correct handling of patient discovery queries and responses
- Proper document query and retrieval formatting
- Compliance with the Connected Agreement's security requirements
- Accurate listing in the shared participant directory
Each piece exists for a reason. The agreement builds legal trust, governance keeps the rules current, the directory makes participants findable, and testing makes sure a query sent from one system actually gets understood by another. Vendors building on top of an Implementer like EPIC inherit all four automatically, which is exactly why plugging into an existing Connection beats trying to replicate this infrastructure from scratch.
Carequality compared to TEFCA and other exchange networks
Confusion between Carequality and TEFCA (Trusted Exchange Framework and Common Agreement) comes up constantly, and the two aren't interchangeable. TEFCA is a federal initiative, run by the Office of the National Coordinator for Health IT, that sets a nationwide baseline for exchange and designates Qualified Health Information Networks (QHINs) to carry traffic under one common agreement. Carequality predates TEFCA by nearly a decade and is a private-sector framework, governed through the Sequoia Project, that already connects EPIC, Oracle Health, athenahealth, and dozens of HIEs. In practice, several networks (including Carequality itself, through its designated QHIN) now participate in both, so they overlap rather than compete.
Where the two frameworks diverge
Despite the overlap, the two frameworks solve slightly different problems, and vendors get tripped up assuming one replaces the other.
| Framework | Governing body | Primary role | Vendor access path |
|---|---|---|---|
| Carequality | Sequoia Project | Query-based document exchange between networks | Through an Implementer like EPIC |
| TEFCA | ONC (federal) | National baseline via designated QHINs | Through a QHIN or participating network |
Carequality moves the records; TEFCA sets the federal floor everyone has to meet.
For a vendor, that distinction matters less than the practical outcome: plugging into an EPIC Connection under Carequality already puts your data flows inside a framework that satisfies most TEFCA expectations too, since EPIC participates in both.
Other networks worth knowing
Beyond TEFCA, you'll also hear about eHealth Exchange and CommonWell Health Alliance, both older exchange networks that predate Carequality and now interoperate with it rather than compete against it directly. CommonWell in particular has a direct connection to Carequality, so data can flow between the two without a vendor joining both separately. Reading through ONC's own explainer on TEFCA (https://www.healthit.gov/topic/interoperability/policy/trusted-exchange-framework-and-common-agreement-tefca) is worth the twenty minutes if your RFP responses need to speak precisely about which framework covers which piece of your integration.
What Carequality means for vendors building EPIC integrations
Most vendors don't need to join Carequality directly. Since EPIC is already an Implementer, every health system running EPIC is automatically a Connection on the network. That means the Carequality interoperability framework is already active on your customer's side before you write a single line of integration code. Your job isn't building trust infrastructure from scratch, it's building an app that plugs into infrastructure EPIC already maintains.
Why this changes the build-versus-buy math
Traditional EPIC integrations get scoped as if Carequality doesn't exist, which inflates timelines unnecessarily. Teams budget months for security review and legal negotiation that Carequality already resolved through the Connected Agreement. That misunderstanding is where a lot of the $250K+ engineering estimates come from in the first place.
The trust layer is already built. Your integration work should start above it, not rebuild it from zero.
What actually still needs building on the vendor side:
- SMART on FHIR authentication so your app can request patient data inside EPIC's workflow
- UI components that surface Carequality-sourced records where a clinician expects to see them
- Workflow logic that decides what to do with data once it arrives, not how to legally access it
- EPIC Showroom listing so health systems can actually find and approve your app
Where a no-code platform fits
This is exactly the layer VectorCare's no-code workflow builder targets. Instead of a vendor spending months on FHIR API code and OAuth handshakes to sit correctly inside EPIC's existing Connection, VectorCare's visual FHIR configuration handles the data pull, while the platform manages HIPAA and SOC2 compliance underneath it. The Carequality-level trust already exists between EPIC and its Connections; what vendors need is a fast, compliant way to build on top of it. That's the gap between a 12-18 month custom build and a 3-6 week deployment, and it's the difference between treating Carequality as background infrastructure versus something you have to reverse-engineer yourself.

Where interoperability goes from here
Carequality solved the trust problem so vendors don't have to. Health systems already run on this framework, EPIC already participates as an Implementer, and every Connection under it already meets the legal and technical bar most RFPs ask about. The Carequality interoperability framework isn't a checkbox you need to chase; it's infrastructure you inherit the moment you build correctly on top of EPIC. Expect that inheritance to deepen as TEFCA matures and more QHINs plug into networks like Carequality, but the core lesson stays the same: the exchange layer is solved, and your competitive edge lives in what you build above it.
That's where the real work sits, in SMART on FHIR apps that actually fit clinical workflows instead of fighting them. If you're still scoping a custom EPIC build measured in months instead of weeks, you're solving a problem that's already been solved. Build and deploy your SMART on FHIR app in days and put your engineering time where it actually matters.
The Future of Patient Logistics
Exploring the future of all things related to patient logistics, technology and how AI is going to re-shape the way we deliver care.