Particle Health Inc's 81-page antitrust lawsuit against Epic Systems Corporation, filed in federal court in New York on September 23, raises a number of important questions, including what extent of information sharing is appropriate within Carequality, the trusted exchange framework that enables nationwide health data exchange among a wide variety of organizations and disparate information systems; how to appropriately address the competitive advantage that accrues to electronic health record software companies that store significant amounts of health information due to their market share; and whether Epic's activities, as alleged in the complaint, merit antitrust enforcement activity or any other type of sanctions.
According to the complaint, on March 21 Epic filed a formal dispute through Carequality against Particle, alleging that some Particle customers were accessing patient records through Carequality under false pretenses—they claimed to be requesting data for treatment purposes but were using the data for other reasons. Following investigation, the Carequality Steering Committee determined that Particle acted within the law and Carequality rules; even so, the complaint stated, Particle was subjected to a corrective action plan to appease Epic. Particle asserted that such appeasement was necessary because Epic is the electronic health record system used by many of the largest health systems in the country, several of whose representatives sit on the Carequality Steering Committee alongside Epic.
Although Carequality permits sharing of data for treatment, health care operations, and other purposes permitted by HIPAA, it only requires participants to respond to requests where the data will be used for treatment purposes. The complaint alleges that Epic refuses to share its data for any purpose other than treatment; due to Epic's market share, this refusal effectively means that other legitimate and necessary data sharing is cut off. Epic has denied Particle's allegations and has asked Carequality to make the internal dispute resolution public; Carequality has responded that the resolution was shared confidentially with Epic and Particle but remains subject to appeal and, accordingly, Carequality will not provide more information until the appeal process has concluded.
As an attorney who regularly works with health technology companies, I can confirm that the manner in which health information is (or is not) shared within the health data ecosystem, and the economics of such data sharing, is opaque and inconsistent at best. This has been true for many years, and the ever-increasing number of state and federal laws and regulations surrounding health-related data sharing are not improving matters. Many companies do not know how the complex rules surrounding health care data protection and sharing—including HIPAA, 42 CFR Part 2, state privacy laws that are stricter than HIPAA, state consumer protection laws, the FTC's Health Breach Notification Rule, and the 21st Century Cures Act's Information Blocking Rule—overlap and apply to them. Some companies, however, are better acquainted with the applicability of these various rules to their operations and could and should be more transparent about their data sharing practices.
It is in the best interests of all stakeholders in the health care ecosystem (including patients) to understand what the health data sharing rules are, who is complying with them, and who is not. Greater transparency surrounding who is making money from patient data also is needed. Only then can stakeholders make informed decisions about what organizations to trust with their patients' (or their own) health data, and only then will stakeholders who don't abide by the rules be subject to a more level playing field.