Epic Severed Partnership With Particle for Unauthorised Sharing Of Patient Data

Particle is one of many businesses that serves as a sort of go-between for Epic and the establishments that use the data, which are usually clinics and hospitals.

The Health Insurance Portability and Accountability Act, or HIPAA, is a federal legislation that protects patient data and requires authorization or awareness from the patient before sharing it with third parties. Patient data is sensitive and important by nature. According to its website, Carequality is an interoperability network that makes it possible to access Epic’s electronic health records (EHR) and exchange more than 400,000 documents each month. Particle is a part of the Carequality network.

To join the network, organizations are vetted and have to agree to abide by clear “Permitted Purposes” for the exchange of patient data. Epic responds to requests for data that fall under the “Treatment” permitted purpose, which means the recipient is providing care to the person whose records they are requesting. 

Reasons for the Discontinuation of Cooperation

Epic said in its notice on Thursday that it filed a formal dispute with Carequality on March 21, over concerns that Particle and its participant organizations “might be inaccurately representing the purpose associated with their record retrievals.” The company suspended its connection with Particle that day.

“This poses potential security and privacy risks, including the potential for HIPAA Privacy Rule violations,” Epic said in the notice, which was obtained by CNBC. 

In a blog post late Friday, Carequality said it takes disputes “very seriously and is committed to maintaining the integrity of the dispute resolution process as well as trusted exchange within the framework.” The organization said it can’t comment about the existence of any disputes or member activities.

Representatives from Epic and Particle didn’t respond to requests for comment. However, Particle published a blog post Friday evening and said it began “addressing this issue immediately” after Epic “stopped responding to data requests from a subset of customers” on March 21. Particle said in the post that a big challenge in such matters is that there is “no standard reference to assess the definition of Treatment.”

“These definitions have become more difficult to delineate as care becomes more complicated with providers, payers, and payviders all merging in various large healthcare conglomerates,” Particle wrote.

Epic, a 45-year-old privately held company based in Wisconsin, is the largest EHR vendor by hospital market share in the U.S., with 36% of the market, according to a May report from KLAS Research. Oracle

 is second at 25%, following the software company’s $28 billion purchase of Cerner in 2022.

As of July 2022, Particle had raised a total of $39.3 million from investors including Menlo Ventures, Story Ventures and Pruven Capital, according to a release. The New York-based startup said at the time that its technology “uniquely combines data from 270 million plus patients’ medical records by aggregating and unifying healthcare records from thousands of sources.”

Epic said Particle introduced thousands of new participant connections to Carequality in October, and asserted that they fell under the treatment use case. In the following months, all of Particle’s participant organizations claimed a permitted purpose of treatment for their requests, Epic said. 

Non-treatment Use Case

However, Epic began to notice some red flags. The company said it observed anomalies in the patient record exchange patterns, like requests for large numbers of records within a certain geographical region. Additionally, Epic said that the companies connected to Particle weren’t sending new data back from patients, which “suggests a non-treatment use case.” 

Epic and its Care Everywhere Governing Council, consisting of 15 industry representatives, evaluated Particle’s new participant connections and determined that organizations like Integritort, MDPortals and Reveleer, which acquired MDPortals last year, “likely didn’t conform to a Treatment Permitted Purpose,” the notice said.

Epic said it learned that another Carequality member was planning to file a dispute, alleging that Integritort was using the patient data to try and identify potential class action lawsuit participants. On March 28, Epic said it discovered that a participant called Novellia claimed it was requesting records under treatment, despite publicly advertising its product as a “personal health tool.”

Epic said it filed a formal dispute with Carequality at the Governing Council’s recommendation. On April 4, Epic asked Particle to provide additional information to illustrate how its participants qualify for the treatment use case, according to the notice. 

Michael Marchant, director of interoperability and innovation at University of California Davis Health, serves as the chair of Epic’s Governing Council. He said it’s hard to know exactly why Particle might have provided these organizations with records, or whether it intentionally engaged in wrongdoing. But, he said, companies have to act responsibly even if pressured to deliver financial results.

“If they were selling to things that they knew were not treatment-related organizations in an effort to match VC funding or profit margins or revenue targets or what have you, then that would be really bad,” Marchant told CNBC in an interview.

Particle’s Response

In a statement on LinkedIn Wednesday, Particle founder Troy Bannister said Epic acted unilaterally, and that Particle has not seen “rationale, justification or official claims” surrounding these issues.

Bannister wrote that, to the company’s knowledge, “all of the affected partners directly support treatment.” He said these organizations pull data for care providers and share data back with the Carequality network. 

“While we continue maintaining our connection with Carequality, the ability for one implementor to decide, without evidence or even so much as a warning, to disconnect providers at massive scale, jeopardizes clinical operations for hundreds of thousands of patients as well as the trust that is so critical to a trust-based exchange,” Bannister wrote.

Bannister didn’t address Epic’s April 4 request for additional information.

The formal dispute process is still ongoing. Marchant, who also serves as the co-chair of an advisory council at Carequality, said it’s the first time in the network’s history that a complaint has gotten this far.