Epic's data fight spotlights privacy, access concerns

A dispute involving EHR vendor Epic Systems has ignited concerns about the security of medical information in the healthcare industry, Politico reported July 25.

Epic, which holds the largest market share for digital health records in hospitals, is at the center of a controversy that is unfolding behind closed doors, according to the article. 

The core issue is Epic's allegation that Integritort, a company providing medical record analyses for legal cases, improperly accessed Epic's patient data through Carequality, a nonprofit framework designed for sharing health data. Integritort allegedly used health IT firm Particle Health to access the data by falsely claiming it was for treatment purposes, thereby bypassing the need for a physician's authorization, which violates Carequality's rules.

Integritort has denied these allegations, asserting that it adhered to federal regulations and Carequality guidelines when obtaining the data. Integritort further claims that the accessed data was for legitimate treatment purposes and that medical professionals confirmed diagnoses. Integritort also pointed out that patients involved in mass tort litigation, such as class-action lawsuits, often face difficulties in obtaining their own medical records, a problem the company aims to solve.

Alan Swenson, Carequality's executive director, told Politico that he's confident in Carequality's process for facilitating appropriate health data flow.

Particle Health suspended Integritort from its platform in March, stating that it had observed evidence of data queries that were not for treatment purposes.

An Epic spokesperson confirmed to Becker's that in March it filed a Carequality dispute when it learned that some customers of Carequality implementer Particle Health were accessing people's medical records by falsely claiming to be treating them as patients. Epic alleges that their actions bypassed important patient privacy protections.

"When medical records are exchanged for purposes other than treatment, certain conditions are required such as a valid patient authorization," the Epic spokesperson told Becker's. "By inappropriately claiming "treatment purposes," some Particle customers took records without appropriate authorization from the patients. When people's private medical records are taken under false pretenses it causes healthcare organizations, patients and care providers to lose trust in data exchange networks and threatens the significant progress the industry has made on interoperability."

This dispute, according to Politico, underscores legal and health tech industry experts' concerns over the lack of clarity in data governance and oversight, which threatens efforts to securely facilitate data flow within the industry. 

It also highlights the tension between regulations that require healthcare organizations to share patient data and those charged with safeguarding such information amid a surge in patient-data breaches.

Many industry stakeholders are calling for greater clarity. Some argue that the Trusted Exchange Framework and Common Agreement, a data-sharing framework under development by the federal government and a nonprofit coordinating entity, could provide more robust governance.

"Until these networks establish standards for, and open up to, data-sharing permitted by HIPAA but that isn't [for] treatment, we will see entities trying to morph themselves into a treatment use case in order to get the records they need," Deven McGraw, a former high-ranking HHS health privacy official in the Obama and Trump administrations and now chief regulatory and privacy officer at Citizen Health, told Politico.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.