The namesake sign outside Epic’s headquarters in Verona, Wisconsin.
Source: Yiem via Wikipedia CC
Epic Systems, the largest provider of medical record management software, says a venture-backed startup called Particle Health is using patient data in unauthorized and unethical ways that have nothing to do with the treatment.
Epic told customers in a notice on Thursday that it had cut the connection to Particle, hampering the company’s ability to leverage a system with more than 300 million medical records. Particle is one of several companies that acts as a sort of middleman between Epic and organizations, typically hospitals and clinics, that need the data.
Patient data is inherently sensitive and valuable and is protected by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that requires patient knowledge or consent for third-party access. One way Epic’s electronic health records (EHRs) are accessed is through an interoperability network called Carequality, which facilitates the exchange of more than 400,000 documents per month, according to its website. Particle is a member of the Carequality network.
To join the network, organizations are vetted and must agree to clear “Permitted Purposes” for exchanging patient data. Epic responds to data requests that fall within the permitted scope of “Processing”, which means that the recipient provides assistance to the person whose data they request.
Epic said in its Thursday notification that it filed a formal dispute with Carequality on March 21, due to concerns that Particle and its participating organizations “may inaccurately represent the purpose associated with their record recoveries.” That day the company suspended its connection with Particle.
“This poses potential security and privacy risks, including the risk of HIPAA privacy rule violations,” Epic said in the notice, obtained by CNBC.
In a blog post last Friday, Carequality said it takes disputes “very seriously and is committed to maintaining the integrity of the dispute resolution process and the exchange of trust within the regulatory framework.” The organization said it could not comment on the existence of any disputes or member activity.
Representatives for Epic and Particle did not respond to requests for comment. However, Particle published a blog post Friday evening and said it began “addressing this issue immediately” after Epic “stopped responding to data requests from a subset of customers” on March 21. Particle said in the post that a big challenge in such matters is that there is “no standard reference for evaluating the definition of treatment.”
“These definitions have become more difficult to delineate as care becomes more complicated with the merger of providers, payers and payers into various large healthcare conglomerates,” Particle wrote.
Epic, a 45-year-old privately held company based in Wisconsin, is it is the largest electronic health record provider by hospital market share in the U.S., with 36% of the market, according to a May report from KLAS Research. Oracle is second with 25%, following the software company’s $28 billion purchase of Cerner in 2022.
According to a release, as of July 2022, Particle had raised a total of $39.3 million from investors including Menlo Ventures, Story Ventures, and Pruven Capital. The New York-based startup said at the time that its technology “uniquely combines data from more than 270 million patient records by aggregating and unifying medical records from thousands of sources.”
Epic said Particle brought in thousands of new participant connections to Carequality in October and said they fell within the treatment’s use case. In the months since, all organizations participating in Particle have claimed a permitted processing purpose for their requests, Epic said.
“Use case without treatment”
However, Epic has started to notice some warning signs. The company said it has observed anomalies in medical record exchange patterns, such as requests for a large number of records within a certain geographic region. Additionally, Epic said companies linked to Particle were not submitting new data from patients, which “suggests a non-therapeutic use case.”
Epic and its Care Everywhere Leadership Council of 15 industry representatives assessed Particle participants’ new connections and determined that organizations such as Integritort, MDPortals and Reveleer, which acquired MDPortals last year, “probably were not comply with a permitted processing purpose,” the notice said.
Epic said it had learned that another Carequality member was planning to file litigation, alleging that Integritort was using patient data to try to identify potential participants in class action lawsuits. On March 28, Epic said it discovered a participant called Novellia claiming to require documents in treatment, despite publicly advertising its product as a “personal health tool.”
Integritort, Reveleer and Novellia did not respond to requests for comment.
Epic said it initiated a formal dispute with Carequality upon the recommendation of the Governing Council. On April 4, Epic asked Particle to provide additional information to illustrate how its participants qualify for the treatment use case, according to the notice.
Michael Marchant, director of interoperability and innovation at University of California Davis Health, is the chair of Epic’s Board of Directors. He said it is difficult to know exactly why Particle may have provided documents to these organizations or whether it intentionally engaged in illicit acts. But, he said, companies must act responsibly under pressure to achieve financial results.
“If they were selling to things that they knew were not treatment-related organizations in an attempt to match VC funding or profit margins or revenue goals or whatever, then that would be really bad,” Marchant told CNBC in an interview .
In a statement on LinkedIn on Wednesday, Particle founder Troy Bannister said that Epic acted unilaterally and that Particle saw “no rationale, justification or official statement” around these issues.
Bannister wrote that, to the best of the company’s knowledge, “all affected partners directly support the treatment.” You said these organizations mine data for healthcare workers and share it with the Carequality network.
“While we continue to maintain our relationship with Carequality, the ability of an implementing entity to decide, without evidence or even a warning, to disconnect providers on a large scale jeopardizes clinical operations for hundreds of thousands of patients, as well as the trust that is central to a trust-based exchange,” Bannister wrote.
Bannister did not respond to Epic’s April 4 request for further information.
The formal litigation process is still ongoing. Marchant, who also co-chairs an advisory council at Carequality, said it is the first time in the network’s history that a complaint has reached this point.
CLOCK: Insurer stocks fall on Medicare rates
