The Leavitt Legacy: How “Design-Build” Governance Rewrote American Privacy

Jeffrey Lloyd Jensen

Utah’s 45-Year Journey from “Health Passports” to Total Data Coherence

While the digital revolution may feel like a recent phenomenon, the push for total data coherence in American healthcare began over forty years ago in Utah. Long before “Silicon Slopes” became a marketing slogan, the state was architecting a different kind of revolution, one that began in 1981 as a localized vision for a “Bionic Valley.” Under the steady hand of Mike Leavitt, who moved from the Utah Governor’s mansion to the halls of Washington, this regional experiment has culminated in the most significant centralization of personal data in human history.[i]

The finish line for this forty-five-year industrial strategy was the passage of the 21st Century Cures Act. By effectively rebranding traditional privacy protections as “information blocking,” the federal government turned a localized vision into a mandatory national architecture. This transition represents a transformation where convenience and compliance have become one and the same, leaving us at a crossroads between seamless service and systemic surveillance.

At the heart of this transformation is a fundamental, yet largely unasked, question: Do we prioritize the efficiency of a personalized life or the sovereignty of our private data? The current push for “System-wide Coherence” treats individual privacy not as a right, but as a hurdle to be cleared, a legacy “silo” that prevents the flow of a unified digital identity. To avoid the divisiveness of public voting or traditional legislative oversight, this architecture was built through public-private “alliances” that operate beyond the reach of government scrutiny. This “Design-Build” approach ensures that by the time the public is asked to participate, the infrastructure for a permanent digital identity is already a fait accompli, making societal participation increasingly conditional on data compliance.

1981–1985: The Birth of “Bionic Valley”

By 1981, the University of Utah was emerging as a global hub for bioengineering. While these artificial organs and robotics provided significant improvements in healthcare, they also provided the technical foundation for a centralized system capable of tracking the “whole person” in real-time. At the same time, Utah began linking genealogical records to medical outcomes to form the world’s first “population-level” data set, effectively transforming millions of private medical histories into a single, searchable map of the state’s collective biology.

The University of Utah also made an agreement in 1981 with Zhejiang University, establishing a foundation of academic and scholarly exchange that mirrors today’s globalized standards. While Utah’s Silicon Slopes are known today for their broad footprint in the digital workforce, the state’s lesser-known but more deeply developed role in the realm of human health monitoring and medical technology has been just as impactful.

1990s: The Health Passport & Smart Cards

Following the creation of a technological healthcare infrastructure, broader implementation occurred during the 1990s with the introduction of several “SmartStates” initiatives led by Governor Mike Leavitt. Under the umbrella of the Western Governors’ Association (WGA), and with Leavitt as the lead governor, Utah partnered with Nevada and Wyoming to launch the Health Passport in December 1995.

This program sought to solve the fragmentation of social services, addressing, for example, the burden on a mother required to carry separate paper files for WIC, immunizations, and food stamps. The Health Passport utilized a SmartCard, a physical debit-card-like device with an embedded computer chip capable of storing and unifying encrypted data from multiple sources. In essence, it served as a portable, digital health file for individuals moving between different agencies or participating states.

2000s: Expansion from Regional to National

In 2003, Mike Leavitt moved from the Governor’s mansion to Washington, serving first as the Administrator of the EPA and then, crucially, as the Secretary of Health and Human Services (HHS) in 2005. Leavitt was now positioned to lay the groundwork for the national implementation of what had previously been a regional experiment in digital collectivization.

During this same window, the Office of the National Coordinator for Health Information Technology (ONC) was established by Executive Order in 2004. This office represented the formalization of the “total data coherence” goal, a vision born in Utah and refined through the Western Governors’ Association. With the ONC in place and a blueprint established, the 2004 Health Information Technology Summit set an ambitious goal: most Americans were to have electronic health records within ten years. This marked a profound rhetorical shift; the narrative transitioned from a narrow focus on “helping mothers with paper files” to a broader mandate for “national economic and health security through data.” Utah was once again providing the blueprint for national implementation, scaling the “SmartStates” model to a federal level.

The Design-Build Philosophy: Bypassing the Public Square

The rapid national scaling of Utah’s digital blueprint was driven by a specific administrative strategy Mike Leavitt called Design-Build. Originally utilized to fast-track the massive reconstruction of Utah’s I-15 corridor for the 2002 Winter Olympics, the Design-Build method involves starting the physical construction of a project while the final blueprints and rules are still being finalized.

When applied to healthcare and social policy, this philosophy allowed for the creation of vast technical Alliances, private-sector partnerships that developed data standards long before any formal laws were passed. By building the digital “plumbing” of the healthcare system first, proponents prioritized functional interoperability and technical consensus over the often-protracted cycles of traditional legislative debate. This strategy ensured that by the time the 21st Century Cures Act reached the floor of Congress years later, the infrastructure for a permanent digital identity was already a fait accompli.

Leavitt’s philosophy was rooted in collaborative governance, the idea that complex societal problems could only be solved through these deep public-private partnerships. When used to provide specialized services or leverage market innovation, these partnerships can be a powerful tool for progress, a concept famously championed by Ronald Reagan as a way to streamline a bloated bureaucracy. In the right circumstances, such alliances foster efficiency and reduce the burden on the taxpayer.

However, in the context of a national data architecture, this approach established a framework for a digital government where private tech standards became the mandatory baseline for public participation. The concern here is not the partnership itself, but the displacement of the public square. When the “design” of a digital identity is finalized in a private boardroom before the public even knows the project has begun, the partnership ceases to be a tool for the people and instead becomes a “Private Shield” against public oversight.

For proponents, this architecture represents a critical advancement in clinical safety and public health coordination. It ensures that life-saving information, such as allergy alerts or surgical histories, is available to providers at the point of care, regardless of where the patient was previously treated. To a diverse group of critics, including privacy advocates, constitutional scholars, and some of the nation’s largest health systems, this represents a “smart nightmare,” a system where the SmartCards of the 1990s have evolved into a permanent digital tether, potentially making participation in society conditional on data compliance.

2010s: The Private Shield of Alliances over Legislation

With the federal foundation now built and goals set, efforts turned to building the infrastructure required for implementation. Once again, Utah set the example. The One Utah Health Collaborative represented a shift toward private-sector-led infrastructure, becoming a model for national rollout. By ensuring that 70% of its funding remained private, the Collaborative maintained its status as a private 501(c)(3) entity rather than a government department. This distinction is critical, as it shields the organization from direct public oversight and the transparency requirements of GRAMA requests. Essentially, it allows for the development of public policy within a private environment, shielded from the scrutiny of the public square.

The CARIN Alliance, co-founded by Mike Leavitt, became the culmination of this public-private partnership model. In traditional Congressional legislation, a bill is publicly debated, amended, and voted upon. In contrast, the “Power of Convening” utilized by CARIN functions as a form of private-sector standardization. By inviting dominant stakeholders in tech, insurance, and healthcare into a collaborative forum, Leavitt Partners facilitates a consensus on technical protocols before formal regulations are even drafted.

These protocols rely on Application Programming Interfaces (APIs), digital bridges that allow different software systems to instantly “talk” to one another. Think of an API as a universal power outlet; it allows various “appliances,” like a smartphone health app, to plug directly into a massive power grid of hospital and insurance data. Because CARIN’s participating companies represent the vast majority of the market, their agreed-upon API standards become the de facto national baseline through sheer market adoption. This creates an entrenched industry consensus that federal agencies later adopt as the “path of least resistance,” effectively shifting the origin of public policy from the legislative floor to the private boardroom.

The Federal Engine: The 21st Century Cures Act

The year 2016 marked the definitive shift from private-sector experiment to mandatory federal architecture. The timing represented a seamless handoff between the “Design” phase led by private alliances and the “Build” phase led by the federal government.

Just three months before the 21st Century Cures Act was signed, the CARIN Alliance was formally chartered in Washington, D.C. While presented as a new initiative, it was the formalization of the years of “convening” described above. Its immediate mission was to finalize the technical API standards that would allow health data to flow out of protected silos and into the hands of third-party digital platforms.

In December 2016, with overwhelming bipartisan support, Congress passed the 21st Century Cures Act, providing the legal “teeth” for the standards CARIN was already finalizing. It was the final “build” phase of the design-build strategy. Through its “Information Blocking” provisions, the Act effectively criminalized the data silos of the past, a move designed to prevent health systems from “hoarding” data to keep patients within their own business networks. By requiring healthcare providers to share data via the very API “plugs” the Alliance had been designing, the law sought to ensure that patient information belongs to the patient, not the hospital’s IT department. However, by mandating that this access occur through the specific API “plugs” designed by private alliances, the law effectively codified a regional Utah experiment into the mandatory digital architecture for every American.

The Current State: The Frictionless Trap

The reach of the 21st Century Cures Act continues to expand. With the formalization of the Trusted Exchange Framework and Common Agreement (TEFCA), the federal government has established a singular, national “on-ramp” for health data, finally realizing the 1990s vision of a universal health passport. Managed by The Sequoia Project, which serves as the federally recognized coordinating entity, this framework now connects over 71,000 organizations and sites across the country. As of early 2026, the system has facilitated the exchange of nearly 500 million clinical records, a massive surge that reflects the mandatory nature of this new digital architecture. For proponents, this volume represents a critical advancement in clinical safety, ensuring that life-saving information, such as allergy alerts or surgical histories, is available to providers at the point of care, regardless of where the patient was previously treated.

Furthermore, recent enforcement rules have added significant “teeth” to the mandate. The HHS Office of Inspector General (OIG) has moved into an active enforcement phase, with the authority to impose civil monetary penalties of up to $1 million per violation for health IT developers and networks that engage in “information blocking.” This enforcement is no longer a future threat; as of late 2025 and into 2026, regulators have prioritized the investigation of practices that interfere with the “liquid” flow of data.

This transition was finalized by a critical regulatory expansion. While the Cures Act initially focused on a narrow set of data, as of October 2022, the definition of what must be shared was expanded to include the full scope of Electronic Health Information (EHI). This means that nearly every piece of data in a patient’s “designated record set,” including clinical notes, billing records, and insurance claims, is now legally required to be accessible via the very API “plugs” designed by private alliances years ago. What began as a collaborative Utah experiment has evolved into a high-stakes federal regime where participation in the modern healthcare economy is now conditional on total data transparency.

The Response to Concern: Reframing the Risk

Throughout the decades-long push for a unified digital health infrastructure, critics have consistently raised alarms regarding data privacy and the potential for corporate surveillance. However, rather than halting the process, these concerns were typically managed through a series of specific rhetorical and administrative maneuvers designed to prioritize “data liquidity” over traditional safeguards.

The first of these maneuvers involved what could be called the Patient Empowerment Shield. Whenever privacy advocates questioned the security of opening sensitive medical records to third-party apps, proponents reframed the issue as a matter of civil rights. In this narrative, the data silo was not a privacy safeguard; it was a barrier to patient autonomy. By positioning the digital mandate as a tool to give patients ownership of their own health journey, architects of the Cures Act made any opposition to data exchange appear as an attempt to “trap” records in inefficient, obsolete systems.

A second strategy addressed the privatization of oversight through the creation of a voluntary Code of Conduct. Alliances like CARIN developed these standards for consumer-facing applications, where tech companies pledge to be transparent about how they use data. While this provides a veneer of accountability, it effectively moves oversight out of the realm of federal HIPAA law, which carries strict legal penalties, and into the realm of industry self-regulation. HIPAA generally only protects data held by “covered entities” (doctors/insurers), not the third-party apps a patient might choose to “plug in” via an API. For apps not covered by HIPAA, the primary enforcement body is the Federal Trade Commission (FTC), which generally only intervenes after a “deceptive practice” or a major data breach has already occurred.

The third maneuver involves the Self-Attestation Model utilized by national exchange frameworks like TEFCA. To facilitate a “frictionless” flow of information, organizations joining the network essentially “attest” that they are accessing records for a legitimate medical purpose. Critics, including several major health systems in early 2026, have argued that this system lacks the robust, human-led verification necessary to prevent large-scale data harvesting. Nevertheless, the response from coordinating entities has consistently prioritized the speed of the “on-ramp” over manual gatekeeping.

Ultimately, for those who fear a system of conditional participation, where access to society is tied to data compliance, the official response has been to label such concerns as speculative. The overarching strategy has been to treat the benefits of seamless care as immediate and certain, while treating the risks of data misuse as manageable technical hurdles. By the time any significant systemic misuse is identified, the infrastructure is already so deeply embedded in the national economy that opting out is no longer a viable option for the average citizen.

Conclusion: Reclaiming Sovereignty

Mankind’s entrance into the digital world has brought an exponential rise in available technologies. As smartphones become more essential, people’s trust in technology is growing in ways driven more by convenience than by concern for data security. In this new digital world, we focus first on convenience without bothering to read the fine print or understand the technology that makes our apps actually work.

Our desire for efficiency in healthcare is of supreme importance to most Americans. We care about our own health and that of our loved ones, and we want the best care possible to be provided, along with coordination between providers to ensure each one has a complete understanding of our full health profile.

But as the Roman historian Tacitus once warned of those who mistook the comforts of a managed system for true progress, we risk calling it “culture” when it is actually a form of servitude. Reclaiming sovereignty in this frictionless era begins with the refusal to let convenience be the sole arbiter of our choices. It requires an intentional “friction,” a demand for transparency, a refusal to trade privacy for a slightly faster login, and a recognition that a system designed to know everything about us eventually gains the power to decide everything for us. The first step toward reclaiming that sovereignty is simply seeing the architecture for what it is.

References:

1981–1985: The Birth of “Bionic Valley”

Skolnick, M. (1980). “The Utah Genealogical Data Base: A Resource for Genetic Epidemiology.” Journal of Medical Systems.

University of Utah Archives (1981). “Memorandum of Understanding: Exchange Program between the University of Utah and Zhejiang University.”

Stephens, J. K. (1982). “Bionic Valley: Utah’s Bioengineering Boom.” Utah Holiday Magazine.

The Washington Post (1982). “Utah: The Bionic Valley.”

1990s: The Health Passport & Smart Cards

Western Governors’ Association. (1995). “The Health Passport Project: Phase I Strategic Plan and Report.”

Leavitt, M. O. (1996). “The SmartStates Initiative: Electronic Government in the New Economy.” Journal of State Government.

U.S. General Accounting Office (GAO). (1998). “Health and Human Services: Federal and State Agencies are Working to Improve Shared Data.” GAO/HEHS-98-120.

Pear, R. (1997, March 9). “Western States to Test a ‘Health Passport’ Electronic Card.” The New York Times.

2000s: Expansion from Regional to National

Executive Order No. 13335, 3 C.F.R. (2004). “Incentives for the Use of Health Information Technology and Establishing the Position of the National Health Information Technology Coordinator.”

U.S. Department of Health and Human Services. (2004). “The Decade of Health Information Technology: Delivering Consumer-centric and Information-derived Health Care.”

Thompson, T. G., & Brailer, D. J. (2004). “The Health Information Technology Summit: A Framework for Strategic Action.”

Leavitt, M. O. (2005). “Address to the National Press Club: The Value of Health Information Technology.” HHS Speeches and Statements.

The Design-Build Philosophy: Bypassing the Public Square

Utah Department of Transportation. (2001). “The I-15 Design-Build Project: Final Report and Lessons Learned for the 2002 Winter Olympics.”

Leavitt, M. O., & McKechnie, R. H. (2013). Finding Allies, Building Alliances: 8 Elements of Success, and Agility, in a Connected World. Jossey-Bass.

National Research Council. (2002). “The Success of Design-Build in the Utah I-15 Corridor Reconstruction Project.” Transportation Research Board.

Goldsmith, S., & Eggers, W. D. (2004). Governing by Network: The New Shape of the Public Sector. Brookings Institution Press. (This source is critical as it features Leavitt’s Utah models as the primary evidence for “collaborative governance”).

2010s: The Private Shield of Alliances over Legislation

One Utah Health Collaborative. (2022). “Articles of Incorporation and Bylaws: A Community Partnership for High-Value Care.”

The CARIN Alliance. (2016). “The CARIN Blue Button Framework and Common Payer Consumer Data Set (CPCDS).”

Goldsmith, S., & Eggers, W. D. (2004). Governing by Network: The New Shape of the Public Sector. Brookings Institution Press. (Explains the “Private Shield” of networked government).

Centers for Medicare & Medicaid Services (CMS). (2020). “CMS Interoperability and Patient Access Final Rule (CMS-9115-F).” (This is the federal document that officially adopted the CARIN private standards).

The Federal Engine: The 21st Century Cures Act

21st Century Cures Act, Pub. L. No. 114-255, 130 Stat. 1033 (2016).

The CARIN Alliance. (2016, September 13). “New Multi-Sector Alliance Formed to Help Consumers Access Their Digital Health Information.” Press Release.

U.S. Department of Health and Human Services. (2016). “The 21st Century Cures Act: A New Era for Medical Innovation and Data Access.”

Office of the National Coordinator for Health Information Technology (ONC). (2020). “Information Blocking Final Rule: 21st Century Cures Act Section 4004.”

The Current State: The Frictionless Trap

The Sequoia Project. (2025). “TEFCA Milestone Report: National Connectivity and QHIN Participation.”

U.S. Department of Health and Human Services, Office of Inspector General. (2023). “Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Final Rule.” Federal Register, 88 FR 42820.

Office of the National Coordinator for Health Information Technology (ONC). (2022). “Understanding Electronic Health Information (EHI): The October 2022 Transition.” HealthIT.gov.

U.S. Department of Health and Human Services. (2026). “Annual Report on the Trusted Exchange Framework and Common Agreement (TEFCA) Implementation.”

https://healthit.gov/news/tefca-americas-national-interoperability-network-reaches-nearly-500-million-health-records-exchanged-as-hhs-leverages-technology-and-ai-to-lower-costs-and-reduce-burden/

https://www.healthcarelawinsights.com/2026/03/hhs-crackdown-on-information-blocking-new-era-of-enforcement-fines-and-compliance-risks-for-healthcare-entities

The Response to Concern: Reframing the Risk

The CARIN Alliance. (2018). “The CARIN Alliance Code of Conduct for Consumer-Facing Applications.”

Federal Trade Commission. (2021). “Statement of the Commission on Health Apps and Other Connected Devices.” Policy Statement on Enforcement.

The Sequoia Project. (2024). “TEFCA Standard Operating Procedure (SOP): Entity Vetting and Exchange Purpose Attestation.”

Litan, A. (2025). “The Privacy Gap: Why HIPAA Does Not Protect Data in Consumer Health Apps.” Gartner Research.

American Hospital Association. (2026). “Letter to the ASTP/ONC regarding Security Concerns in TEFCA Self-Attestation Protocols.”

https://www.prnewswire.com/news-releases/voluntary-code-of-conduct-developed-by-more-than-60-industry-stakeholders-can-help-facilitate-health-data-exchange-with-entities-not-covered-by-hipaa-300755734.html

[i] This centralization is defined by the technical and legal integration of previously autonomous data silos, including clinical, genomic, and social service records, into a singular, interoperable framework. Unlike historical centralization, which relied on physical storage, the current “National Coordinator” model (ONC/ASTP) utilizes unified API standards and the Trusted Exchange Framework and Common Agreement (TEFCA) to create a functional “Network of Networks.” As of 2026, this infrastructure connects over 71,000 organizations and has facilitated the exchange of nearly 500 million clinical records, representing a scale of data “liquidity” and visibility into individual lives that is unprecedented in the history of administrative record-keeping. See: U.S. Department of Health and Human Services. (2026). National Progress Report on the Trusted Exchange Framework and Common Agreement (TEFCA); Office of the National Coordinator for Health Information Technology. (2024). The Strategy for Data Liquidity: From Silos to Systems; The Sequoia Project. (2026). QHIN Implementation and Volume Statistics: Q1 Update.