Electronic medical record giant Epic has accused interoperability company Particle Health of violating HIPAA and putting patient medical records at risk. The dispute provides an early test of the new federal interoperability framework. So what exactly are they fighting about? And what does it mean for patient rights and the future of medical record sharing? you Welcome to Care Talk, America's home for incisive debate about healthcare business and policy. I'm David Williams, president of Health Business Group. And I'm John Driscoll, a senior advisor at Walgreens. David, why should we care? What's going on here? This feels like a battle of technology people and healthcare entities that the average patient doesn't know anything about. I mean, who cares? Everybody cares, John. You know, you and I are so interoperable. We want it for everybody else as well. You know, so first of all, who are these companies? So Epic is the biggest electronic medical record provider, especially for hospitals and big health systems and particle health. It sounds like a particle board, you know, cheesy piece of wood that you would, non-wood, wood that you would, that you would bring in, but they are what they call a data interoperability player. And they're making it easier for others to access patient data and share it among providers. So that is the two, the two players. Now, what Epic is alleging is that particle health was using data about patients inappropriately. in a way that violates HIPAA and also care quality rules. Care quality is the intravailability framework they're using. You're already getting so buried in like so arguably EPIC, which is a software and data business, invented the electronic health records. They are the dominant player in the academic and large system medical record space. When you go into a hospital, you're the person who's not looking at you and not paying attention to your compliance, your wines and your winneys is probably typing into an epic database to make sure that the information about you is actually in the right place and that they can move you along, take advantage of your medical history, which is often a critical part of your care and that they can bill for you. So let's start with what are we talking about here? The second thing is, I do care about whether people are taking my information and using it inappropriately. I don't want, you know, you, David, with one of your techie clients taking my data and making money off of it. Isn't that what we're talking about here? Well, John, I think what's happened is that, you know, Epic has been has this information has been requested from them. So they're the ones that are providing it because they have the medical record. As you say, they have a big, big share there. But the point is, they're supposed to be a separate dispute resolution here. you know, if they think it's not being provided for the right purpose, they're supposed to go through, they're supposed to go through, you know, official channels to challenge that, not just say, hey, we're cutting you off right now. Because I can tell you, as part of this, they cut off some folks that are questionable, but they cut off some folks that are unquestionable as well. And definitely we're using the information for treatment. So that's a concern right there, John. It's not people misusing your information. I want my information available. Like if I go to a specialist, or I would go somewhere out of my area. I want them to have that information. I don't want them to take another x -ray. I don't want them to draw blood if they don't have to. I don't want them to know about my medical condition before I come in. Don't you enjoy filling out those same forms repeatedly every time you move an office or a floor? You're making a really important point, but I think, and I think that what's interesting about this is this is happening at a time when the full weight, of the federal government's mandate for the interoperability of data is finally hitting and it's running into the same disjointed who owns what argument that was the reason for why the federal government threw meaningful use one into the CARES Act, the TEFCA. I don't even exactly know what that represents, but they're all part of a push. that's bipartisan support for standardizing and simplifying the sharing of data with a view that we could substantially reduce the excess costs and unnecessary care to your point if we could just get the right information to patients and providers at the right time in order to do that because the information is all over the place in many cases in although it's slowing down in paper files. You need to have one language, if you will, to translate all that information into so that anyone can read right into your file a basic set of information that will help care and lower costs and lower the friction and administrative costs and hopefully lower, improve your care and lower costs. But having said that, it's still this broken market of players, some of whom have the data and some of whom are trying to make money off the data. And that strikes me as what... this battle's about. I mean, maybe you could talk about David, who's taking my data and what are they doing with it in that range of people who are interested in true clinical care and those who just appear to be using it to advance a new business. Well, John, the TEFCA is a nice sounding thing. It's a trusted exchange framework and common agreement. And it came out of the 21st Century Care Act signed by Obama back in 2016. It's just being implemented now. There's been a lot of thought put into it. Of course, implementation can be a challenge. It's interesting to note that this, what's going on now with care quality is like, which is the interoperability network right now is a precursor to Tefka. So one of the arguments is actually to say, let's implement Tefka faster right away and actually put some teeth in it. So you can't have somebody like Epic just going in and doing, you know, what they, what they see fit. Now what's the purpose of it? One is universal interoperability. So you've got common rules and guidelines everybody can follow. So you've got a common way to exchange this information, make it simple to connect, improve patient care, John. a more comprehensive view of the medical history of the patient, care coordination, et cetera. Patient empowerment, make it easier for the patient to manage their own data. And then for public health, I mean, as we saw in the pandemic, we didn't have access to a lot of information. So that's the goal here. And that is supposed to be right now, there's only one of these sort of use cases that's allowed right now, which is for treatment. So you're supposed to be able to get data if it's being used for treatment. It's not allowed to be used for other things right now. that eventually will be allowed to use for including payment, what they call healthcare operations, public health, benefits administration and individual access services. So the challenge is it just started with the treatment use case and people are trying to use some of these others. So it's supposed to be treatment, but aren't some of these like health, you know, guys, people trying to develop like insurance, new forms of life insurance companies off of this data. I mean, it's not, I mean, it's a pretty broad, I mean, most people think treatments like, I'm in the midst of getting, you know, I'm in the hospital with a heart attack. I just need to make sure that we can get access to the information about medical history so that nothing goes wrong during that absolutely critical point in care. What are all these other companies trying to grab my data? Isn't it a little bit beyond conventional treatment? Yeah, so first of all, the treatment is the vast majority of what's going on. And it's really, I've seen it, you know, my medical record being populated and I haven't had to fill out those forms as often. It's interesting. There seems to be within, Particle Health, there seems to be three different companies, really two I think that they're concerned about. One is MD Portals and Reveleer, which I think are together. Now they're rumored to be working actually for payers and gathering a lot of medical records there, probably to manage cost as opposed to for treatment. And so that one would be a clear, probably fairly clear violation. They probably done wrong there. The other one that's interesting I hadn't heard about is called Integritort. which is, I guess, what are they? Sounds like a horrible condition. With between, you know, integrity and torts, but their job is to round up patients, to identify patients for class action lawsuits. Now that would also seem to be, you know, but I went, that would seem to be out of, you know, out of bounds, but I went to their website and if you look at what they're doing, they definitely put themselves in terms of patient empowerment. They're talking about, you know, finding patients that have not been getting the right treatments. They've got physicians there. and they counsel patients on what treatments they should be getting while they're probably their business model. Why to no David, that really does not sound that that sounds like they're treating their bank accounts. I know I think the challenge here is that none of that there are broad potential applications, but perhaps not narrow enough definitions to actually give us some direction here. And again, Particle Health is one of these health IT organizations as is Reveille or as our MD portals, all of this. this long trail, there's an entire industry that sort of exploded venture backed companies that are in some cases, I think, really trying to help stay on mission to lower costs and improve outcomes by taking information and using it to improve the access and precision of the care. But others are just trying to, I think, find narrow ways to make money. And honestly, the same data. can be used effectively for both. And I guess the question that I'd ask you, David, is do you think that's legit, given the whole premise of HIPAA, is to prevent you and your clients or my clients, if I was in the industry, to take information without my consent or that's not related specifically to my treatment? I think that the principle of patient empowerment is a good one. And one of the things that I hope we'll be able to do with this episode is give patients a little more of a sense of what's actually out there and what's at stake. So let's go back to your life insurance example. I don't know exactly what you're talking about, new forms of life insurance, but let's talk about how life insurance works now. So if someone wants to apply for life insurance, there's a fair cost involved because the, you know, unlike with medical underwriting where you can't charge somebody a different price for health insurance, you can charge somebody a different price for life insurance, depending on their health status. Um, and they do often do tests. So I've had, you know, I have life insurance and I've had a medic come to my house and, you know, draw blood and do EKGs and do tests and it costs them money. Uh, certainly increases the cost of life insurance and also is going to, uh, reduce accessibility. So in order to have life insurance be available, you've got to be selling a lot of it with a high enough premium to make it worthwhile. Now that information should already be there for my doctor's office. So as long as I'm okay with it as a patient, I might like my life insurance. company to actually have that information as part of my application rather than come draw blood again. You know, so I think it should be focused on the on the patient. Okay, so but that would still require specific patient consent. Like I don't care if Reveilleur MD Portals, ABC Tech Company wants to use my data. I just want to know that they're in my in my stuff. Yeah, I mean, I think that's really what this I mean, the HEPA while it's been used to in some ways, increase costs and increase friction and increase all these forms. But the premise was, which I think is legit, you know, I kind of want to know, A, who's using it and what it's for. I mean, if and if I don't, if they're making money on me and I'm not taking a getting a piece of that, I don't think that's fair. Yeah. No, it's a good point, John. So I wouldn't want a life insurance company, you know, harvesting data without my consent to be prospecting me for life insurance. Although maybe I do. But let's say for sure, but for sure what I, John, for sure what I want is if I'm applying for life insurance, I want to be able to check the box and allow care quality, particle health, whoever's working for the insurance company to pull that record seamlessly. I do want that. Now, let me go back to what I was saying. Maybe I actually do want life insurance companies going through and saying, hey, you know, we might be able to offer you a better deal. And as long as I've allowed that, you know, sort of opted into marketing, maybe I want that. Maybe I want it. Maybe I want to upgrade my podcast co-host at the same time. Well, I, you know, we're not interoperable. That's true. Yeah. No, I think, I think what's interesting here is we are in this funny balance in, in technology. We've really allowed. Unlike in Europe, the technology companies have defined the rules in which they compete in storage, in social media because of Article 230 and we've prevented them from liability for all the horrible things that are the result of inappropriate use of social media. We have allowed different software and hardware companies to really battle it out without too much concern about either anything from antitrust to social impact. In the case of technology assisted healthcare, we really have a massive problem where we are so much more expensive than every other country in the world. And there is a plausible case to be made that if we could just get information sharing and we could probably take a couple hundred basis points, a couple, 200 or 2 % off of total medical costs, just by reducing the back and forth of data, just by reducing the administrative costs, just by reducing the army of health plan, healthcare billers who are, you've got, Hospital people billing one set of things and an army on one side and an army of people on the managed care side denying them and the opportunities for AI and all that is are there but because you don't have information in the standard format to your point you can't get it and They can't compute off of it. But I do worry that without more clear direction for example in the case of in this particular case what the Some of the startups that may have violated the rules or violated the intent of the rules is that the definition of data related to treatment was not clear. And so they're trying to expand it. And they've obviously got self -interest in doing it. And Epic is trying, I think, in a genuine way to interpret its role as the protector of the data. And yeah, they're the judge, jury, and executioner. But it's not like the federal government has a role here. And I think It really begs the question as to whether there should be, even though it might be somewhat painful to have HHS or CMS or the national coordinator for healthcare technology, Jan Cet, who works at the Center for Medicare and Medicaid Services, to play a role in laying out ground rules so that the startups and the incumbents, the startups like Particle, the incumbents like Epic, CERN, or Oracle, kind of know what the rules are because without that, I do think you're going to have this kind of conflict going on. And honestly, this kind of conflict will reduce the opportunity you have for your perverse desire to create novel forms of life insurance based on your data. John, I don't think you'd know about my perverse desires unless you were into my medical record. But nonetheless, let's make an argument here for startups and for big companies like Epic. So I think here I doubt Epic actually wanted to be the judge jury in execution. Of course not. I'm just going to speculate that what happened is that care quality, which has sort of an established, somewhat established approach if you've got it. And just stepping back just so folks understand care quality is a thing. It's not care quality because you care about quality and care quality is not not as an adjective. It is an entity like, you know, there's a few entities out here that are industry nonprofits that are helping set these evolving regulatory standards? So my speculation here, and it's no more than that, is that Epic probably tried to go through the regular channels and to complain to Care Quality about a misuse, but they probably didn't get very rapid. They got more kind of a bureaucratic time frame and that therefore they probably just said, hey, I can't just keep sending my medical records to a place that I'm pretty sure. uh, you know, isn't for treatment purpose because Epic actually knows who's treating patients based on, you know, where they're collecting the medical records. So, so I don't blame Epic necessarily. Now, when you say about, let's say, uh, on shit, you know, ONC and Mickey Chirpathy, who we think very highly of who, who runs that, uh, organization, you know, I would encourage him to like, you know, let's, let's implement Tefka faster. Cause this isn't actually literally under Tefka. Um, in fact, um, if they were Tefka, then you could actually have a more serious mechanism. Now the federal government might be slow, but they're authoritative. and they are going to not just let things just sort of sit out there. So I actually think this is an argument perhaps to accelerate the movement into TEFCA. And then I would love to see an acceleration into these other use cases as well, including payments, healthcare operations, and so on. Where I understand there's a balance, you don't want to give it too fast because you got to test it out so you don't have some unknown issue. But on the other hand, let's go before the 21st century is done. You're starting to sending two different messages, David, but I think... I think unlike many of your inconsistent theories about the future, this one actually makes a lot of sense, which is we have to actually, we want an authority to help adjudicate these particular disputes. Why not, why not move to a standard, a set of those standards faster? And you actually cheer point the on chip, you know, Mickey Tripathi is in a, and is in a position to help establish industry rules. And he is good actually, honestly, all of the, Republican and Democrats who held that particular seat, which is the national coordinator for health information technology, have have it's not, you know, it's not it's one place where partisan performative nonsense has really not held. It's really people have all genuinely worked together in a bipartisan way to accelerate and move to a more standard data infrastructure. And I think that, you know, the the opportunity there is great, but we do have to. create a centralized dispute resolution, or I think we're going to slow down the path to interoperability because we haven't been clear about what the rules are. Well, this will hopefully just be just a quick little episode that highlights the need to get things done right, and it will lead to some good improvements, acceleration of TEFCA. John, I want to leave with a question to you, which is, what advice would you give health care providers and tech companies? to navigate the health data exchange landscape. For the provider side, I think they don't really understand enough. And I would really up their understanding of where the technology wants to go and what the tech companies' agendas are. Because I think then they can play in more effectively to make sure that what we're really focused on is better clinical care. And they can understand how their own data is being used. And for the tech companies, I guess I would ask for a little bit more modesty and a little bit more engagement with the regulatory authorities because they run the risk, particularly the venture -backed companies, the early entrants, in the interest of kind of pushing the edge of the envelope on what they can deliver, really breaking the trust they currently have with the rest of the health care system to share that data. Because if that gets broken, and I think that's that... That really is the part of this that makes what is a dispute between companies around an esoteric issue really important. We have this path towards interoperability which can reduce costs, improve outcomes, and to your point, really give patients control over their information. That's an awesome three -part aim. But it all is based on the notion that we are going to trust one another, tech company, patient, and provider, and we all have the best interest of the patient. and the system in mind. That has been an assumption. If that trust is broken, I really worry that we'll end up in the classic, you know, slow down court decision, regulatory overreach, companies fighting and not sharing information that will reflect the current disjointed system, which has given us a healthcare system that frankly delivers too little for too much, even though in innovation, it's the wonder of the world. So I do think that's my big concern and why these disputes need to be taken seriously. Good. Well, John, I agree with you. And I'll say that's it for yet another episode of Care Talk. We've been talking today about interoperability, which gives us a chance to talk about not only acronym like HIPAA, but also to throw out things like TEFCA, Onshit, and Integracort, which is not an acronym. I'm David Williams, president of Health Business Group. And I'm John Drozd, the senior advisor at Walgreens. If you like what you heard, what you didn't, we'd love you to subscribe. favorite service and please leave us a review.

CareTalk: Healthcare. Unfiltered.

Epic, Particle Health, and The Patient Data Dilemma

Listen to this podcast on