Epic Systems boots Particle Health for unauthorized sharing of data

Epic Systems, the largest provider of medical records management software, claims that a startup called Particle Health is using patient data in unauthorized and unethical ways that have nothing to do with the treatment.

Epic told customers in a notice Thursday that it had cut its connection to Particle, hampering the company’s ability to operate a system containing more than 300 million patient records. Particle is one of several companies that act as a sort of intermediary between Epic and organizations — usually hospitals and clinics — that need data.

Patient data is inherently sensitive and valuable, and it is protected by the Health Insurance Portability and Accountability Act, or HIPAA, a federal law that requires a patient’s consent or knowledge for third-party access. One way to access Epic’s electronic health records (EHRs) is through an interoperability network called Carequality, which facilitates the exchange of more than 400,000 documents per month, according to its website. Particle is a member of the Carequality network.

To join the network, organizations are vetted and must agree to follow clear “permitted purposes” for exchanging patient data. Epic responds to data requests that fall under the “Processing” authorized purpose, meaning that the recipient is providing care to the person whose records they are requesting.

Epic said in its notice Thursday that it filed a formal dispute with Carequality on March 21 over concerns that Particle and its participating organizations “may misrepresent the purpose associated with their recording recoveries.” The company suspended its connection with Particle that day.

“This poses potential security and privacy risks, including the potential for HIPAA privacy policy violations,” Epic said in the notice obtained by CNBC.

In a blog post Friday evening, Carequality said it takes disputes “very seriously and is committed to maintaining the integrity of the dispute resolution process and the trustworthy exchanges within it.” The organization said it could not comment on the existence of disputes or the activities of its members.

Representatives for Epic and Particle did not respond to requests for comment.

Epic, a 45-year-old privately held company based in Wisconsin, is the largest EHR vendor by hospital market share in the United States, with 36% of the market, according to a May report from KLAS Research. Oracle is second with 25%, after the software company’s purchase of Cerner for $28 billion in 2022.

As of July 2022, Particle had raised a total of $39.3 million from investors including Menlo Ventures, Story Ventures and Pruven Capital, according to a release. The New York-based startup said at the time that its technology “uniquely combines data from more than 270 million patient medical records by aggregating and unifying health records from thousands of sources.”

Epic said Particle introduced thousands of new Carequality participant connections in October and claimed they fell under the treatment use case. Over the following months, all Particle participating organizations claimed an authorized processing purpose for their requests, Epic said.

However, Epic has started to notice some red flags. The company said it observed anomalies in patient record exchange patterns, such as requests for a large number of records in a certain geographic region. Additionally, Epic said companies connected to Particle were not returning new patient data, which “suggests a no-treatment use case.”

Epic and its Care Everywhere board of directors, made up of 15 industry representatives, evaluated Particle’s new participant connections and determined that organizations like Integritort, MDPortals and Reveleer, which acquired MDPortals last year, “probably did not comply with a permitted processing purpose,” the notice said.

Epic said it has learned that another Carequality member plans to file litigation, alleging that Integritort is using patient data to try to identify potential class-action participants. On March 28, Epic said it discovered that a participant called Novellia had claimed it was requesting records being processed, despite publicly advertising its product as a “personal health tool.”

Integritort, Reveleer and Novellia did not respond to requests for comment.

Epic said it filed formal litigation with Carequality at the board’s recommendation. On April 4, Epic asked Particle to provide additional information to illustrate how its participants qualify for the treatment use case, according to the notice.

Michael Marchant, director of interoperability and innovation at University of California Davis Health, chairs Epic’s board of directors. He said it was unclear exactly why Particle might have provided documents to these organizations, or whether it intentionally engaged in wrongdoing. But, he added, companies must act responsibly, even if they are forced to produce financial results.

“If they were selling to things that they knew we weren’t treatment-related organizations, in an effort to match venture capital funding or profit margins or revenue targets or whatever, then that would really be bad,” Marchant told CNBC in an interview. .

In a statement on LinkedIn on Wednesday, Particle founder Troy Bannister said Epic had acted unilaterally and that Particle had not seen “any official rationale, rationale, or assertion” regarding these issues.

Bannister wrote that, to the company’s knowledge, “all relevant partners directly support the processing.” He said these organizations extract data for care providers and share it with the Carequality network.

“While we continue to maintain our relationship with Carequality, the ability for a provider to decide, without evidence or even warning, to disconnect providers on a large scale, jeopardizes the clinical operations of hundreds of thousands of patients as well as the trust that is essential to an exchange based on trust,” Bannister wrote.

Bannister did not respond to Epic’s request for additional information on April 4.

The formal dispute resolution process is still ongoing. Marchant, who is also co-chair of an advisory board at Carequality, said this is the first time in the network’s history that a complaint has reached this far.

WATCH: Insurer stocks fall on Medicare rates