The eponymous sign outside Epic headquarters in Verona, Wisconsin.
Source: Yiem via Wikipedia CC
Epic Systems, the most important provider of software for managing medical records, says a venture-backed startup called Particle Health is using patient data in unauthorized and unethical ways in which don’t have anything to do with treatment.
Epic told customers in a notice on Thursday that it cut off its connection to Particle, hindering the corporate’s ability to tap a system with greater than 300 million patient records. Particle is one of several firms that acts as a kind of middleman between Epic and the organizations — typically hospitals and clinics — that need the data.
Patient data is inherently sensitive and beneficial, and it’s protected by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that requires a patient’s consent or knowledge for third-party access. A method Epic’s electronic health records (EHR) are accessed is thru an interoperability network called Carequality, which facilitates the exchange of greater than 400,000 documents a month, based on its website. Particle is a member of the Carequality network.
To affix the network, organizations are vetted and need to comply with abide by clear “Permitted Purposes” for the exchange of patient data. Epic responds to requests for data that fall under the “Treatment” permitted purpose, which suggests the recipient is providing care to the person whose records they’re requesting.
Epic said in its notice on Thursday that it filed a proper dispute with Carequality on March 21, over concerns that Particle and its participant organizations “may be inaccurately representing the aim related to their record retrievals.” The corporate suspended its reference to Particle that day.
“This poses potential security and privacy risks, including the potential for HIPAA Privacy Rule violations,” Epic said within the notice, which was obtained by CNBC.
In a blog post late Friday, Carequality said it takes disputes “very seriously and is committed to maintaining the integrity of the dispute resolution process in addition to trusted exchange throughout the framework.” The organization said it might’t comment concerning the existence of any disputes or member activities.
Representatives from Epic and Particle didn’t reply to requests for comment. Nonetheless, Particle published a blog post Friday evening and said it began “addressing this issue immediately” after Epic “stopped responding to data requests from a subset of customers” on March 21. Particle said within the post that an enormous challenge in such matters is that there’s “no standard reference to evaluate the definition of Treatment.”
“These definitions have turn into harder to delineate as care becomes more complicated with providers, payers, and payviders all merging in various large healthcare conglomerates,” Particle wrote.
Epic, a 45-year-old privately held company based in Wisconsin, is the largest EHR vendor by hospital market share within the U.S., with 36% of the market, based on a May report from KLAS Research. Oracle is second at 25%, following the software company’s $28 billion purchase of Cerner in 2022.
![Very cautious on high-flying multiple stocks, says Wedbush's Joel Kulina](https://image.cnbcfm.com/api/v1/image/106991696-16400174851640017482-20405027292-1080pnbcnews.jpg?v=1640017485&w=750&h=422&vtcrop=y)
As of July 2022, Particle had raised a complete of $39.3 million from investors including Menlo Ventures, Story Ventures and Pruven Capital, based on a release. The Latest York-based startup said on the time that its technology “uniquely combines data from 270 million plus patients’ medical records by aggregating and unifying healthcare records from 1000’s of sources.”
Epic said Particle introduced 1000’s of recent participant connections to Carequality in October, and asserted that they fell under the treatment use case. In the next months, all of Particle’s participant organizations claimed a permitted purpose of treatment for their requests, Epic said.
‘Non-treatment use case’
Nonetheless, Epic began to note some red flags. The corporate said it observed anomalies within the patient record exchange patterns, like requests for large numbers of records inside a certain nation-state. Moreover, Epic said that the businesses connected to Particle weren’t sending recent data back from patients, which “suggests a non-treatment use case.”
Epic and its Care In every single place Governing Council, consisting of 15 industry representatives, evaluated Particle’s recent participant connections and determined that organizations like Integritort, MDPortals and Reveleer, which acquired MDPortals last yr, “likely didn’t conform to a Treatment Permitted Purpose,” the notice said.
Epic said it learned that one other Carequality member was planning to file a dispute, alleging that Integritort was using the patient data to attempt to discover potential class motion lawsuit participants. On March 28, Epic said it discovered that a participant called Novellia claimed it was requesting records under treatment, despite publicly promoting its product as a “personal health tool.”
Integritort, Reveleer and Novellia didn’t reply to requests for comment.
Epic said it filed a proper dispute with Carequality on the Governing Council’s advice. On April 4, Epic asked Particle to offer additional information as an example how its participants qualify for the treatment use case, based on the notice.
Michael Marchant, director of interoperability and innovation at University of California Davis Health, serves because the chair of Epic’s Governing Council. He said it’s hard to know exactly why Particle may need provided these organizations with records, or whether it intentionally engaged in wrongdoing. But, he said, firms need to act responsibly even when pressured to deliver financial results.
“In the event that they were selling to things that they knew weren’t treatment-related organizations in an effort to match VC funding or profit margins or revenue targets or what have you ever, then that might be really bad,” Marchant told CNBC in an interview.
In a statement on LinkedIn Wednesday, Particle founder Troy Bannister said Epic acted unilaterally, and that Particle has not seen “rationale, justification or official claims” surrounding these issues.
Bannister wrote that, to the corporate’s knowledge, “all of the affected partners directly support treatment.” He said these organizations pull data for care providers and share data back with the Carequality network.
“While we proceed maintaining our reference to Carequality, the power for one implementor to make your mind up, without evidence and even a lot as a warning, to disconnect providers at massive scale, jeopardizes clinical operations for a whole bunch of 1000’s of patients in addition to the trust that’s so critical to a trust-based exchange,” Bannister wrote.
Bannister didn’t address Epic’s April 4 request for additional information.
The formal dispute process continues to be ongoing. Marchant, who also serves because the co-chair of an advisory council at Carequality, said it’s the primary time within the network’s history that a grievance has gotten this far.
WATCH: Insurer stocks fall on Medicare rates
![Health care stocks headed for worst day since early November](https://image.cnbcfm.com/api/v1/image/107395588-17120704021712070400-33962404773-1080pnbcnews.jpg?v=1712070401&w=750&h=422&vtcrop=y)