Are Epic’s Patient Privacy Concerns a Smokescreen? One Industry Consultant Weighs In

Jan. 30, 2020
Epic has made public its concerns with patient privacy elements in ONC’s proposed rule, but not everyone is buying the company’s authenticity

It’s been a busy past few weeks in health IT, and at the center of the craze has been electronic health record (EHR) behemoth Epic Systems. The Verona, Wis.-based EHR vendor—whose technology systems house data for some 250 million patients, according to company officials—published a statement this week to its website expressing concern that a soon-to-be-finalized regulation from the Office of the National Coordinator for Health IT (ONC) contains “serious risks to patient privacy,” as currently proposed.

In Epic’s Jan. 27 statement, the company said while it does not typically comment publicly on national policy issues, and although it strongly agrees with ONC’s core goal to support patients' ability to access their data, “by requiring health systems to send patient data to any app requested by the patient, the ONC rule inadvertently creates new privacy risks.” According to a recent study, the statement noted, 79 percent of healthcare apps resell or share data, and there is no regulation requiring patient approval of this downstream use.

As laid out in ONC’s rule, proposed last February with a final version expected any day, EHR systems would be required to allow patients to download their medical data to apps of the patient’s choosing. Similarly, a CMS proposed rule released at the same time would require all federal health plans to ensure that patient claims and other health information are available to patients through third-party apps and developers.

Stakeholders—beyond just Epic and other EHR companies—have taken issue with the patient privacy elements of the rule. One group, the College of Healthcare Information Management Executives (CHIME), a leading association representing healthcare CIOs, noted the proposed ONC interoperability rule does not sufficiently address the 21st Century Cures Act’s directives to protect patient data privacy and ensure health IT security. Third-party apps are currently not required to follow data blocking policies under ONC's proposed rule, according to CHIME. What’s more, smartphone apps created by third-party developers and not by providers or business associates covered under the Health Insurance Portability and Accountability Act (HIPAA) are not subject to HIPAA rules, even if a breach occurs.

Other industry groups, such as the American Medical Association (AMA) and American Hospital Association (AHA), told The New York Times last year that they have met with federal regulators to push for changes in this area. Without federal restrictions in place, the groups argued, consumer apps would be free to share or sell sensitive details like a patient’s prescription drug history.

Epic agrees, per its recently posted statement that details two highly likely patient privacy risks: 1) family member data may inadvertently be shared; and 2) apps may take much more of the patient's data than the patient intended. Company officials compared these two risks “to what happened to Facebook friends who did not give their approval for their information to be harvested by Cambridge Analytica.”

On the ONC front, federal healthcare officials believe that by requiring software developers to publish APIs and integrate them into their EHRs, consumers can more easily access and download their medical data to third-party apps of their choosing. To this end, National Coordinator for Health IT Don Rucker has previously said, “patients have to make conscious decisions on if they want their data to be downloaded to the [third-party] app.”

Are Epic’s concerns authentic?

Though Epic’s patient privacy concerns are valid on the surface, and are shared by other stakeholders, one industry consultant believes there is a larger strategic play here by the company. Michael Abrams, managing partner of healthcare consulting firm Numerof & Associates, says that patient privacy is the hot-button healthcare topic of the day, and “by coming out as a presumptive advocate of patient privacy, Epic is trying to look like the good guys. I’m not sure there’s anything else they can point to that puts them in that same light,” he says, adding that Epic’s comparison of the patient privacy risks in ONC’s proposed rule to the Facebook-Cambridge Analytica situation is “completely specious.”

Of course, the patient privacy elements are just one part of a much larger federal regulation that is broadly designed to ensure health information is seamlessly moving, while not restricting such efforts. It’s this portion of the rule that Abrams believes Epic is privately worried about. “Some of the players in the industry are attempting to leverage [patient privacy] in an effort to once again stonewall change in the industry and maintain the status quo, which keeps them in control,” he says.

Indeed, for years Epic has been criticized around the industry for making it difficult for providers that don’t use its system to share data with Epic users. Conversely, Epic-to-Epic data sharing is seen as much easier. So, presumably, it could make sense that the EHR vendor that continues to dominate the large hospital EHR market in the U.S. might oppose regulations that call for hefty fines for data blocking violators.

“As the largest provider of EHR management software, Epic has enjoyed the advantages of a system that locks clients into their products,” says Abrams. He notes that the proprietary data methodology that is used by each EHR manufacturer raises the end-user costs of switching EHR systems to the point where it’s easier and cheaper to stay put.

What’s more, as things currently stand, “the fact that we haven’t had any interoperability requirements means that [EHR] manufacturers are in control of who gets to see what data and under what circumstances. So these new rules would change these anti-competitive constraints and force EHR manufacturers to compete more directly on the value their products actually provide,” Abrams contends.

Abrams does agree that the issues raised by Epic about inadvertent disclosure of data and data being retained and resold by API developers are real concerns. But he notes they can be addressed by regulating the collection, sharing and reselling of patient data by APIs, and by giving patients control over the process. “That’s what the comment period for proposed rules is for—raising concerns—but it would be a gross overreaction to presume that such concerns could justify more of the status quo,” Abrams says.

Epic, in its Jan. 27 statement, defended the ability to access data via its system, starting with the creation of the MyChart patient portal 20 years ago to its Share Everywhere platform, created in 2017, that “allows patients to share personal health information with anyone in the world who has internet access.”
