Epic, Particle Health dispute exposes broader challenges with sharing patient data, health IT experts say

Medical records software giant Epic and venture-backed health tech company Particle Health are mired in an ongoing dispute over healthcare data exchange practices.

Epic cut off data requests from some Particle Health customers, citing concerns about potentially inappropriate disclosures of protected health information and privacy risks to patients’ medical data, according to a notice sent to Epic customers April 10. A copy of the notice was obtained by Fierce Healthcare.

The tensions between the two companies ramped up last week when Particle Health founder Troy Bannister publicly confirmed the dispute on April 9, saying Epic recently stopped responding to certain medical record requests submitted through the Carequality network.

“This decision has negatively impacted thousands of patients, and potentially puts 6M+ patient encounters per year at risk. We believe strongly that this unilateral action is a violation of important rules developed to ensure that this doesn't happen and is critical to the uninterrupted treatment of patients everywhere,” Bannister posted on LinkedIn.

Both Epic and Particle Health are connected to Carequality, which operates a nationwide health data exchange service used by more than 600,000 care providers, 50,000 clinics and 4,200 hospitals to access patients’ medical records. Carequality says it supports the exchange of 400 million clinical documents each month.

Carequality is made up of dozens of implementer organizations that in turn onboard their participant organizations to the framework. Epic connects its provider customers to Carequality as an extension of its Care Everywhere network.

Organizations that connect to Carequality agree to an “interoperability framework,” which is a collection of legal, governance and technical documents used to operationalize trusted exchange of health information nationwide, according to the organization.

Epic filed a formal dispute with Carequality on March 21, claiming that Particle was sharing patient data with some companies who were then using the data for reasons unrelated to treatment. “This poses potential security and privacy risks, including the potential for HIPAA Privacy Rule violations in the event disclosures of protected health information were made under the Treatment Permitted Purpose when the requesting entities did not have treatment relationships with the patients to whom the records related,” Epic said in the notice to its customers.

“With such a large and growing community, it is inevitable that controversies or disagreement may arise out of the interpretation or implementation of the framework. The framework agreed to by the implementers and their connections includes a dispute resolution process to address such issues,” Carequality said in a statement shared with Fierce Healthcare and posted to its site on Friday.

“Carequality takes any dispute very seriously and is committed to maintaining the integrity of the dispute resolution process as well as trusted exchange within the framework. Carequality cannot comment on the existence of any dispute nor comment on the activities of implementers,” the organization said.

In an updated statement posted Monday morning, Particle Health said, beginning March 21, Epic "indiscriminately" stopped responding to queries from some Particle Health customers. But, the company noted, the vast majority of Particle Health customers have continued to actively receive data from Epic, without interruption.

"While there is an ongoing dispute between Epic and Particle Health, related to three specific customers, the significant majority of Particle Health customers impacted by Epic’s actions were not in any way related to this dispute. Nor is there any indication that these impacted customers (or Particle Health) have done anything wrong. Particle Health understands from its customers that Epic’s failure to respond to queries had an immediate impact on patient treatment," the company wrote in its latest statement.

Health IT experts say the rift between the two companies exposes larger challenges with health data exchange including a lack of transparency and clarity on the rules of the road along with the need for better gatekeeping.

Balancing patients' privacy and access to data

Particle Health is a data platform that aggregates health information for digital health companies through APIs, providing access to more than 300 million patients’ medical records. It’s one of many startups that act as data connectors between Epic and its provider customers, like hospitals and medical practices, and other healthcare stakeholders, like digital health companies. Much like Stripe makes using credit card networks easier, companies like Particle Health, Health Gorilla and Zus Health provide an easier connection to data networks so organizations can get access to the data they need.

Particle Health is “strongly committed” to privacy and security, the company said in an April 12 statement. “We have always responded rapidly and robustly to data-supported complaints through appropriate channels,” the company said.

Particle Health says its customers commit to a “rigorous onboarding process and must adhere to all standards as outlined in the Carequality framework in interactions with Particle Health or are immediately removed,” the company said. “If complaints are filed against any customer by other parties, we expect they will be managed through agreed-upon channels and we assist in all legitimate investigations,” executives said.

As the healthcare industry pushes to accelerate interoperability—to make it easier for clinicians and patients to access critical health information—concerns are growing about the need for a better gatekeeping process and more transparency about how health data are being used, said Brendan Keeler, head of product at medical data sharing startup Flexpa.

“Trust is built on transparency,” said Keeler, a self-described advocate for interoperability and healthcare integration who has worked at Zus Health and Redox.

There needs to be more transparency about the organizations that connect to health data networks and intended purposes of use for health information, Keeler noted. And, any decisions to remove vendors or pending investigations should be publicly available, he wrote in a blog post about the dispute.

With a 36% market share of the hospital sector, Epic is a dominant force in the health IT industry. Epic says it will respond to requests for patient data that fall under the “treatment permitted purpose,” which means the data will be used as part of patient care, Epic said in its notice.

The “treatment” purpose of use is the only data request healthcare organizations are required to respond to, according to health IT experts.

However, according to Particle Health executives, there is no standard reference to assess the definition of “treatment” as it pertains to data requests.

“These definitions have become more difficult to delineate as care becomes more complicated with providers, payers, and payviders all merging in various large healthcare conglomerates,” Particle said in its April 12 statement.

In its notice, Epic said its 15-member Care Everywhere Governing Council flagged three companies, who are Particle Health customers, for questionable use of patient data not related to patient care or treatment. One of these companies, Integritort, provides legal professionals with access to real-time medical records, according to the company’s website. Another healthcare organization planned to file a formal dispute with Carequality alleging that Integritort used the health data networks to get medical information “for the apparent purpose of identifying potential participants in class action lawsuits while claiming a Permitted Purpose of Treatment,” Epic said in its notice.

The governing council is made up of representatives of Epic customers that use the company’s Care Everywhere data network, according to Michael Marchant, director of interoperability and innovation at UC Davis Health and chair of the Care Everywhere Governing Council.

Beginning in March, there were growing concerns about some companies’ use of health data and potential risks to patients' data privacy, he said. After multiple meetings, the council approved Epic’s request to notify the companies about its concerns and move forward with a targeted “disconnect.”

“Patients are trusting us as stewards of their information and we need to protect it,” Marchant said in an interview. “The unlawful release of information to a party that's not covered by HIPAA, which is where we come into the provider and treatment use case, which is part of HIPAA, is essentially a reportable, fineable offense. All the organizations participating in Carequality signed an agreement that they would not do that. There's a trust across the network that any organization onboarded into the network is covered under that statute.”

Health systems and provider organizations could be liable if there is a HIPAA violation for inappropriate disclosure of health information, health IT experts say.

Particle Health posted an updated statement Friday clarifying that Epic “did not shut off Particle Health as an entity, nor did Carequality.”

“Carequality has not lobbied any concern about Particle Health,” the company said.

Last week, Carequality staff held several meetings with Epic and Particle Health to discuss the dispute, according to Epic’s notice to customers.

After learning about Epic's actions, Particle Health said it immediately began to press Epic to restore its connections to Particle Health customers. "Due to these efforts, several Particle Health customer connections have already been restored, and Particle Health is actively working to restore the connections for the remaining customers," the company said Monday morning.

"Particle Health is an active member of the Carequality interoperability network, which facilitates these transactions. Particle Health maintains an ongoing, constructive dialog with Carequality, consistently adhering to all guidelines. Particle Health remains in good standing with Carequality," the company wrote.

Industry needs more clarity, transparency for data exchange

Epic and Particle Health resolving this dispute doesn’t address the broader issue that there are gray areas in data exchange practices that open up the risk for fraudulent use of patients’ health data, according to health IT executives.

At this point, there are limited options within these data exchange networks for organizations to access patient data for valid use cases that are for non-treatment purposes, such as for payers or pharma companies, noted Keeler.

“The pressure is on these networks to restore trust and to build the right paved pathways for non-treatment use cases for payers doing payment, for operations and for individuals to access their data. If the networks don't figure out how to do that, then there will always be this incentive to cheat the system,” Keeler noted.

Particle Health executives agree that the health data community needs to collaborate on a “clear set of rules of the road to avoid these kinds of potentially biased decision-making conflicts in the future.”

“A cascade of inherently-biased entities (including Particle) making independent judgments on data access is orthogonal to the spirit of the Cures Act,” executives said in the statement.

As it stands, it’s up to individual provider organizations to report potential inappropriate uses of patient data. That’s not operationally feasible for organizations like UC Davis, where millions of documents are exchanged each month, Marchant noted.

The healthcare industry marked a milestone in December when a nationwide network to exchange patient data called the Trusted Exchange Framework and Common Agreement (TEFCA) became operational. Seven years in the making, TEFCA was mandated by the 21st Century Cures Act in 2016.

But health IT experts warn that these interoperability efforts will fall flat if the underlying issues around governance, gatekeeping and transparency aren’t resolved.

“As we move into TEFCA, it's incumbent upon the QHINS (qualified health information networks) to have guidelines, processes and governance to ensure that anybody they onboard to the network is going to use that exchange for the appropriate purpose,” Marchant said. “Trust is key to the success of these networks—one bad actor, moving forward unmanaged can cause a lot of damage to that trust.”

Organizations policing one another also is not an effective process to catch potential problems, Keeler noted, instead suggesting that healthcare organizations be required to provide a clear audit trail of who requested data under the “treatment” use case. This would put more control into the hands of patients, which could be a critical way to increase oversight, he noted.