The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Epic Systems Shuts off Access for Certain Particle Health Customers Over Patient Privacy Concerns

Posted By on Apr 16, 2024

The electronic health record provider Epic Systems has cut off access to data for a startup called Particle Health after alleging the firm was sharing patient data with third-party companies for reasons not related to treatment. Epic, the largest provider of electronic health records in the United States, alleged that Particle Health was engaging in unauthorized and unethical data sharing that had the potential to violate the HIPAA Privacy Rule. On Thursday last week, Epic notified customers that the connection with Particle Health had been cut off.

Particle Health is a member of the Carequality network, which supports interoperability and facilitates health data exchange. Members of the network act as middlemen that connect different healthcare networks across the United States and the Carequality interoperability framework is used to exchange more than 400 million documents each month. To join the Carequality network, a company must agree to only share patient data for certain purposes, one of which is for treatment. Epic responds to requests for data for treatment purposes and requires the recipient to be providing care to the patient whose records have been requested.

On March 21, 2024, Epic filed a formal dispute with Carequality about Particle Health and its participant organizations and alleged that they may be inaccurately representing the purpose for record requests and suspended Particle Health’s connection the same day. Particle Health explained in an April 9, 2024 blog post that immediate action was taken to address the issue after Epic blocked access to data requests for a subset of its customers and confirmed that it is strongly committed to privacy and security and subjects its customers to a rigorous onboarding process and requires them to adhere to the standards of the Carequality framework. Particle Health explained that Epic did not shut off data access for the company and Carequality has not suspended Particle Health’s ability to participate in data exchange; however, on March 21, 2024, Epic stopped responding to data requests for some of Particle Health’s customers without a clearly stated reason for doing so.

Particle Health also expressed concern that certain individuals at Epic thought that some of its customers might be inaccurately representing the purpose associated with their record retrievals, then extrapolated that to assert that Particle Health might not be fulfilling its obligations as a Carequality implementer. Particle Health said it strongly objects to the latter and is happy to investigate the former, and pointed out that the company has always acted in good faith and followed guidelines and said there is no standard reference to assess the definition of treatment nor the application of the definition of treatment as it pertains to data requests.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

“This decision has negatively impacted thousands of patients, and potentially puts 6M+ patient encounters per year at risk,” explained Particle Health founder, Troy Bannister, in a post on LinkedIn. “We believe strongly that this unilateral action is a violation of important rules developed to ensure that this doesn’t happen and is critical to the uninterrupted treatment of patients everywhere.”

Epic said the reason for cutting off access was due to anomalies in patient record exchange patterns, such as requests for large numbers of records in a particular geographic region, and that certain Particle Health customers were not sending back new data from patients, which is a red flag that suggests the data is being shared for reasons other than treatment. After evaluating Particle Health’s new participant connections, including organizations such as Integritort, MDPortals, and Reveleer, Epic determined that data sharing was likely not for treatment purposes and blocked access for a subset of Particle Health’s customers. Epic also said that it heard from another Carequality member that Integritort was attempting to use patient data to identify participants in a potential class action lawsuit. Epic requested that Particle Health provide further information on how its customers qualify for treatment uses.

“We have made significant progress towards resolving this connectivity, with some customers already turned back on,” explained Particle Health in a blog post. “We are continuing working collaboratively with Epic and remain committed to upholding our mission by standing up for our customers and supporting the legitimate use of health data exchanges.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist