Epic Systems, a major provider of electronic health records software, has taken action against Particle Health, a venture-backed startup, for allegedly misusing patient data. The software giant, which manages the medical records system for over 300 million patients, announced in a notice last Thursday that it had severed its data connection with Particle Health.
What Were the Allegations Against Particle Health?
According to Epic, the startup was sharing patient data with third parties that were not using the information for medical treatment, thus potentially violating the Health Insurance Portability and Accountability Act (HIPAA).
Particle Health, which serves as an intermediary in accessing Epic’s extensive database of health records, purportedly allowed its partner organizations to misuse patient data. Epic’s complaint centers on uses of the data that were not related to patient treatment, which it says pose security and privacy risks, including potential violations of HIPAA’s strict privacy rules.
Epic’s electronic health records are accessed via Carequality, an interoperability network that facilitates the exchange of over 400,000 documents a month. Organizations looking to join this network must be thoroughly vetted and are required to adhere to specific permitted purposes for data exchange, primarily focused on treatment.
Formal Dispute Initiated
On March 21, Epic filed a formal dispute with Carequality after observing that Particle and its partners might be misrepresenting their data retrieval purposes, leading to an immediate suspension of their access.
The situation escalated when Carequality, responding to the dispute on its blog, emphasized the importance of maintaining the integrity of its dispute resolution process and the trusted exchange framework, though it did not comment on specific member activities or disputes.
Particle, based in New York and having raised over $39 million from investors, stated in a blog post that it began addressing the issue immediately after Epic’s action on March 21. The startup highlighted the challenges in defining ‘treatment’ in a complex healthcare environment where traditional roles of providers, payers, and payviders are increasingly overlapping.
Anomalies in Data Requests
Further issues arose when Epic began noticing anomalies in how patient data was being accessed through Particle. For instance, there were unusually large requests for records within certain geographical areas and a lack of reciprocal data sharing back to patients, suggesting uses of data unrelated to treatment.
Subsequently, Epic’s Governing Council, including representatives from 15 industry organizations, reviewed new connections facilitated by Particle. They suspected that several of Particle’s partners, including companies such as Integritort, MDPortals, and Reveleer, were not conforming to the treatment data use case.
Further, Epic discovered that another Carequality member intended to dispute the actions of Integritort, accusing it of using patient data to identify potential participants for class action lawsuits. Another organization, Novellia, was found requesting records under the guise of treatment while promoting its product as a “personal health tool,” contrary to its claimed purpose.
Epic’s inquiry into these practices led to a request on April 4 for Particle to provide additional information justifying its participants’ alignment with the treatment purpose.
The formal dispute process is ongoing, with Michael Marchant, director of interoperability and innovation at University of California Davis Health and chair of Epic’s Governing Council, expressing concern over the potential misuse of patient data for financial gain.
Troy Bannister, founder of Particle, defended the company’s actions in a LinkedIn post, arguing that Epic’s decision to cut off access was made unilaterally and without sufficient evidence or warning. He maintained that all affected partners were directly supporting treatment and sharing data back with the Carequality network.