Name sign outside Epic headquarters in Verona, Wisconsin.

Source: Yiem via Wikipedia CC

Epic Systems, a leading provider of medical records management software, says a venture-backed startup called Particle Health is using patient data in unauthorized and unethical ways that has nothing to do with treatment.

Epic told customers in a notice Thursday that it had severed its connection to Particle, hampering the company’s ability to tap into the system, which holds more than 300 million patient records. Particle is one of several companies that act as a sort of middleman between Epic and organizations — typically hospitals and clinics — that need the data.

Patient data is inherently sensitive and valuable, and is protected by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that requires the patient’s consent or knowledge for third-party access. Is. One way to access Epic’s electronic health records (EHR) is through an interoperability network called Carequality, which facilitates the exchange of more than 400,000 documents a month, according to its website. Particle is a member of the Carequality Network.

To join the network, organizations are vetted and must agree to adhere to clear “permitted purposes” for sharing patient data. Epic responds to data requests that fall under the permitted purpose of “treatment,” which means the recipient is providing care to the person whose records they are requesting.

Epic said in its notice Thursday that it filed a formal dispute with Carequality on March 21, over concerns that Particle and its affiliates “may have misrepresented the purpose associated with their records retrieval.” I am.” The company suspended its communication with Particle that day.

“This poses potential security and privacy risks, including the potential for HIPAA Privacy Rule violations,” Epic said in the notice, which was obtained by CNBC.

In a blog post late Friday, CareQuality said it takes the dispute “very seriously and is committed to maintaining the integrity of the dispute resolution process as well as trusted exchanges within the framework.” The organization said it cannot comment on the existence of any disputes or member activities.

Representatives for Epic and Particle did not respond to requests for comment. However, Particle published a blog post Friday evening saying it “immediately began addressing the issue” after Epic “stopped responding to data requests from a subset of users” on March 21. “. “There is a big challenge in such cases,” Particle said in the post. that “there is no standard reference for assessing the definition of treatment.”

“These definitions have become more difficult to define as care becomes more complex with providers, payers, and payers merging into different health care groups,” Particle wrote. ”

Epic is a 45-year-old privately held company based in Wisconsin. The largest EHR vendor by hospital market share in the US, with 36% of the market, according to a May report from KLAS Research. Oracle The software company’s $28 billion purchase of Cerner in 2022 is second, with 25%.

As of July 2022, Particle had raised a total of $39.3 million from investors including Menlo Ventures, Story Ventures and Proven Capital, according to a release. The New York-based startup said at the time that its technology “uniquely integrates medical record data from more than 270 million patients by collecting and combining healthcare records from thousands of sources.”

Epic said Particle introduced thousands of new participant connections to Carequality in October, emphasizing that they come in the form of therapeutic use. Over the following months, all of the particle’s participating organizations claimed a permitted therapeutic purpose for their applications, Epic said.

‘Non-Therapeutic Use Case’

However, Epic began to see some red flags. The company said it observed anomalies in patient record exchange patterns, such as requests for large numbers of records in a particular geographic area. Additionally, Epic said the particle-related companies are not sending back new data from patients, which “suggests a non-therapeutic use case.”

Epic and its CareEverywhere Governing Council, which includes 15 industry representatives, reviewed Particle’s new co-connection and determined that organizations such as Integrator, MD Portals and Revealer, which acquired MD Portals last year, “The treatments may not have been consistent with the permitted purpose,” the notice said.

Epic said it learned another care member was planning to file a dispute, alleging Integritort used patient data to try and identify potential class-action lawsuit participants. Is. On March 28, Epic said it discovered that a participant named Novelia claimed to be requesting treatment records, despite publicly promoting its product as a “personal health device.” Is.

Integritort, Reveleer and Novellia did not respond to requests for comment.

Epic said it filed a formal dispute with Carequality at the recommendation of the governing council. On April 4, Epic asked Particle to provide additional information to clarify how its participants qualify for the therapeutic use case, according to the notice.

Michael Marchant, director of interoperability and innovation at University of California Davis Health, serves as chairman of Epic’s governing council. He said it is difficult to know why Particle provided the records to these organizations, or whether it engaged in deliberate wrongdoing. But, he said, companies have to act responsibly even when pressured to deliver financial results.

“If they’re selling things that they know are not therapeutic organizations with VC funding or profit margins or revenue goals or what have you, that’s going to be really bad,” Marchant said. told CNBC in an interview.

In a statement on LinkedIn on Wednesday, Particle founder Troy Bannister said that Epic acted unilaterally, and that Particle did not see “reason, justification or official claims” related to these issues.

Bannister wrote that, to the company’s knowledge, “all affected partners directly support the treatment.” These organizations pull data for care providers and share data with the Care Quality Network, he said.

“While we maintain our relationship with care, the ability for an implementer to decide, without evidence or even warning, to massively disconnect providers, hundreds of thousands of patients For clinical operations as well as risk that trust. Critical to a trust-based exchange,” Bannister wrote.

Bannister did not respond to Epic’s April 4 request for additional information.

The formal dispute process is still ongoing. Marchant, who also serves as co-chair of an advisory council at Care Equity, said it was the first time in the network’s history that a complaint of this magnitude had been received.

Watch: Insurer stocks fall on Medicare rates.



Source link