The sign of the same name in front of Epic headquarters in Verona, Wisconsin.
Source: Yiem via Wikipedia CC
Epic Systems, the largest provider of medical records management software, says a venture capitalist-backed startup called Particle Health is using patient data in unauthorized and unethical ways that have nothing to do with treatment.
Epic told customers in a statement Thursday that it had severed its connection to Particle, preventing the company from accessing a system containing more than 300 million patient records. Particle is one of several companies that acts as a sort of intermediary between Epic and the organizations — typically hospitals and clinics — that need the data.
Patient information is inherently sensitive and valuable and is protected by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that requires a patient's consent or knowledge for third-party access. One way to access Epic's electronic health records (EHR) is through an interoperability network called Carequality that allows the exchange of more than 400,000 documents per month, according to its website. Particle is a member of the Carequality network.
To join the network, organizations are vetted and must agree to follow clear “permissible purposes” for sharing patient data. Epic responds to requests for data that fall under the permitted purpose of “treatment,” meaning that the recipient is providing care to the person whose records they are requesting.
Epic said in its statement Thursday that it filed a formal dispute with Carequality on March 21 because of concerns that Particle and its participating organizations “may be misrepresenting the purpose of their data retrievals.” The company severed its ties with Particle that day.
“This presents potential security and privacy risks, including the possibility of violations of the HIPAA Privacy Rule,” Epic said in the notice, obtained by CNBC.
In a blog post late Friday, Carequality said it takes disputes “very seriously and is committed to maintaining the integrity of the dispute resolution process and trustworthy exchanges within the framework.” The organization said it could not comment on any disputes or member activities.
Representatives for Epic and Particle did not respond to requests for comment. However, Particle published a blog post Friday evening saying it had “immediately begun to address this issue” after Epic “stopped responding to data requests from a subset of customers” on March 21. Particle said in the post that a major challenge in such matters is that there is “no standard reference for assessing the definition of treatment.”
“These definitions are becoming more difficult to delineate as care becomes more complicated and providers, payers, and payers merge into various large health care corporations,” Particle wrote.
Epic, a 45-year-old private company based in Wisconsin, is It is the largest EHR vendor by hospital market share in the U.S., with 36% market share, according to a May report from KLAS Research. oracle is second at 25% after the software company bought Cerner for $28 billion in 2022.
As of July 2022, Particle had raised a total of $39.3 million from investors including Menlo Ventures, Story Ventures and Pruven Capital, according to a press release. The New York-based startup said at the time that its technology “uniquely combines data from over 270 million patient medical records by aggregating and unifying health records from thousands of sources.”
Epic said Particle launched thousands of new subscriber connections to Carequality in October and claimed they fell under the treatment use case. In the months that followed, all of Particle's participating organizations asserted a valid treatment purpose for their requests, Epic said.
“Use case without treatment”
However, Epic noticed some warning signs. The company said it observed anomalies in patient record sharing patterns, such as requests for large numbers of records within a specific geographic region. Additionally, Epic said that Particle's affiliates did not send back new data from patients, “suggesting a non-treatment use case.”
Epic and its Care Everywhere Governing Council, made up of 15 industry representatives, evaluated Particle's new participant connections and found that organizations like Integritort, MDPortals and Reveleer, which acquired MDPortals last year, “likely did not meet a legitimate treatment purpose,” it said Note said.
Epic said it learned that another Carequality member planned to file a dispute alleging that Integritort used patient data to identify potential participants in a class action lawsuit. On March 28, Epic said it had discovered that a participant named Novellia had claimed to require treatment records despite publicly promoting its product as a “personal health tool.”
Integritort, Reveleer and Novellia did not respond to requests for comment.
Epic said it had filed a formal dispute with Carequality on the recommendation of the Governing Council. On April 4, Epic asked Particle to provide additional information to illustrate how its participants qualify for the treatment use case, the notice said.
Michael Marchant, director of interoperability and innovation at University of California Davis Health, serves as chair of Epic's Governing Council. He said it was difficult to know exactly why Particle may have provided records to these organizations or whether it intentionally committed wrongdoing. However, he said companies must act responsibly even when they are under pressure to deliver financial results.
“If they were selling to companies that they knew were not treatment-related organizations to meet VC funding or profit margins or sales targets or whatever, then that would be really bad,” Marchant said in an interview with CNBC.
In a statement on LinkedIn on Wednesday, Particle founder Troy Bannister said Epic acted unilaterally and that Particle had seen no “rationale, justification or official claims” regarding these issues.
Bannister wrote that to the company's knowledge, “all affected partners are directly supporting the treatment.” He said these organizations pull data for care providers and share it with the Carequality network.
“While we continue to maintain our connection with Carequality, the ability of a single implementer to decide to disconnect providers on a large scale, without evidence or even a warning, jeopardizes clinical operations for hundreds of thousands of patients and the trust placed in them.” is so critical to trust-based exchanges,” Bannister wrote.
Bannister did not respond to Epic's April 4 request for additional information.
The formal dispute process is still ongoing. Marchant, who also co-chairs an advisory board at Carequality, said it was the first time in the network's history that a complaint had come this far.
REGARD: Insurer stocks fall due to Medicare rates
Comments are closed.