The sign bearing the name outside Epic's headquarters in Verona, Wisconsin.
Source: Yiem via Wikipedia CC
Epic Systems, the largest provider of medical records management software, says a venture-backed startup called Particle Health is using patient data in unauthorized and unethical ways unrelated to treatment.
Epic told customers in a notice on Thursday that it had severed its connection to Particle, hampering the company's ability to tap into a system of more than 300 million patient records. Particle is one of several companies that act as an intermediary between Epic and organizations — typically hospitals and clinics — that need the data.
Patient data is inherently sensitive and valuable, and is protected by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that requires patient consent or knowledge for third-party access. One way to access Epic's electronic health records is through an interoperable network called Carequality, which facilitates the exchange of more than 400,000 documents per month, according to its website. Particle is a member of the Carequality Network.
To join the network, organizations are vetted and must agree to adhere to clear “permitted purposes” for sharing patient data. Epic responds to data requests that fall within the permissible purpose of “treatment,” meaning the recipient is providing care for the person whose records are requested.
Epic said in its notice on Thursday that it filed a formal dispute with Carequality on March 21, over concerns that Particle and the organizations involved in it “may inaccurately represent the purpose associated with its log retrieval operations.” The company suspended its connection with Particle that day.
“This poses potential security and privacy risks, including potentially violating the HIPAA Privacy Rule,” Epic said in the notice obtained by CNBC.
In a blog post late Friday, Carequality said it takes disputes “seriously and is committed to maintaining the integrity of the dispute resolution process as well as trusted exchange within the framework.” The organization said it could not comment on any disputes or member activities.
Representatives for Epic and Particle did not respond to requests for comment. However, Particle published a blog post on Friday evening and said it began “immediately addressing this issue” after Epic stopped “responding to data requests from a subset of customers” on March 21. The big challenge in such matters is that “there is no standard reference for evaluating the definition of treatment,” Particle said in the publication.
“These definitions have become more difficult to define as care has become more complex as providers, payers, and payers have consolidated into various large health care conglomerates,” Particle wrote.
Epic, a 45-year-old private company headquartered in Wisconsin, is the largest electronic health record vendor by hospital market share in the United States, with 36% of the market, according to a May report from KLAS Research. inspiration It ranks second, at 25%, after the software company's $28 billion purchase of Cerner in 2022.
As of July 2022, Particle has raised a total of $39.3 million from investors including Menlo Ventures, Story Ventures and Proven Capital, according to a statement. The New York-based startup said at the time that its technology “uniquely collects data from 270 million plus patients' medical records by aggregating and unifying healthcare records from thousands of sources.”
Epic said Particle submitted thousands of new participant connections to Carequality in October, and confirmed they fell under the treatment use case. In the following months, all organizations participating in Particle claimed a permissible purpose for processing their requests, Epic said.
“Non-therapeutic use case”
However, Epic is starting to notice some red flags. The company said it had noticed anomalies in patient record exchange patterns, such as requests for large numbers of records within a particular geographic area. Additionally, Epic said companies associated with Particle did not submit new data from patients, which “suggests a non-therapeutic use case.”
Epic and its Care Everywhere Board of Directors, made up of 15 industry representatives, evaluated the communications of new Particle entrants and determined that organizations such as Integritort, MDPortals and Reveleer, which acquired MDPortals last year, “likely did not meet the permitted purpose of treatment,” The notice said.
Epic said it learned that another Carequality member was planning to file a dispute, alleging that Integritort was using patient data to try to identify potential participants in the class action. On March 28, Epic said it discovered that a participant named Novellia claimed he was requesting in-treatment records, despite publicly advertising his product as a “personal health tool.”
Integritort, Reveleer and Novellia did not respond to requests for comment.
Epic said it filed a formal dispute with Carequality based on the board's recommendation. On April 4, Epic asked Particle to provide additional information to clarify how its participants qualify for the treatment use case, according to the notice.
Michael Marchant, director of interoperability and innovation at UC Davis Health, serves as chairman of Epic's board of directors. He said it was difficult to know exactly why Particle provided these organizations with the records, or whether they were intentionally involved in wrongdoing. But he said companies must act responsibly even if they are under pressure to achieve financial results.
“If they're selling to things that they know aren't treatment-related organizations to try to match venture capital funding or profit margins or revenue goals or whatever, that's going to be really bad,” Marchant told CNBC in an interview.
In a statement on LinkedIn on Wednesday, Particle founder Troy Bannister said Epic acted unilaterally, and that Particle saw “no rationale, justification, or formal allegations” surrounding the issues.
To the company's knowledge, “all affected partners are directly supporting the remediation,” Bannister wrote. These organizations pull data for caregivers and share the data back with the Carequality Network, he said.
“While we continue to maintain our relationship with Carequality, the ability of a single port to decide, without evidence or even warning, to dismiss providers on a large scale, jeopardizes the clinical operations of hundreds of thousands of patients as well as the trust in it.” “This is critical to trust-based exchange,” Bannister wrote.
Bannister did not respond to Epic's April 4 request for additional information.
The formal dispute process is still ongoing. Marchant, who also serves as co-chair of Carequality's advisory board, said this is the first time in the network's history that a complaint has reached this extent.
Watch: Insurance stocks decline on Medicare prices