
Epic Wrong Turn

by John Moore | February 05, 2020

Or Interop, Privacy and Advancing Care

The annual ONC meeting last week brought together stakeholders to discuss policy for health IT and most importantly, interoperability. With new interoperability rules expected in the coming weeks, this was a particularly important meeting with no less than HHS Sec. Azar giving a keynote. It was the beginning of the campaign to align support behind these forthcoming rules. While there has been some concern regarding patient data privacy protection, the industry has basically fallen in-line to support these regulations.

Well, most everyone but not EHR vendor Epic.

There has already been plenty written about Epic’s CEO sending a letter to the CEOs of its customer base requesting they write letters to Sec. Azar to petition ONC/HHS to not pass these rules due to patient privacy concerns. Epic even posted on its homepage its position and the dangers they foresee if these rules are passed.

At this point this is all a backdrop.

I have been following Epic since I started Chilmark Research over 13 years ago. A few years back, Epic became a client of ours through our Chilmark Advisory Service. They remain a client, we have attended several of their annual UGMs, I have spoken with their CEO on several occasions and frankly have a ton of respect for what they have built and the services they have delivered to the market.

That being said, I have not always been a fan of their product and go-to-market strategy – a “walled garden” approach wherein it is easy to share data within Epic and across Epic instances, but difficult across disparate EHRs from other vendors. While this approach provides a seamless flow of data within Epic from ambulatory to acute care settings, it also keeps customers “in the garden,” not seeking solutions from other vendors, even if those solutions may be better. This can stifle innovation.

In its defense, Epic has made important strides in improving the interoperability of its system, which now manages health data for a majority of Americans. They support the interoperability standards that are on the books today, arguably have the greatest number of transactions passing through their system (about five million/day) and have one of the largest repositories of APIs for customers and partners to use. Epic is ahead of most health IT vendors with regards to interoperability.

As a patient of Partners Health here in Boston, I use the patient portal that is built on Epic’s MyChart. I also have established a connection between this portal and Apple Health on my iPhone. On the patient portal I can readily gain access to my complete records (except images, though I do have radiology reports) and send them to whomever I please. On my iPhone, Apple Health provides a trim version of those records – not everything but the important stuff such as meds, recent labs, diagnosis, allergies, etc. All works seamlessly. As a patient, I applaud Epic and Partners for providing such easy access to my records.

So where’s the rub?

Regardless of their arguments, Epic made a wrong turn in coming out against the proposed interoperability rules for several reasons:

It’s paternalistic. Having spoken to Epic’s CEO, I know that she is quite passionate about preserving patient privacy and truly believes Epic and its customers have to protect consumers from themselves – that third party apps a consumer invokes to use their health data may compromise that data. Yes, better privacy protections than HIPAA are needed, but blocking the sharing of data until such protections are passed is unwarranted. Is not the risk of not sharing data that could result in serious patient harm far greater than the risk of sharing?

The first research report Chilmark published in 2007 addressed the market for Personal Health Records (PHRs). Back then there was plenty of controversy as to whether or not patients should have access to their records. Stakeholders most often used the patient privacy foil in their defense of withholding access. Fast forward 13 years and the same damn arguments are being used. Even AHIP recently invoked patient privacy as a key reason to not have price transparency.

Enough already!

If I hear yet one more stakeholder say how they have to protect the patient/consumer’s privacy as a way to prevent transparency or prevent data flows, I think I’ll blow a gasket. Please just stop.


It’s self-serving. Epic has everything a health system needs in one tightly integrated package. Their walled garden ecosystem works exceptionally well within the confines of that walled garden but if Epic starts punching a lot of holes in those walls via open APIs, well that wall begins to crumble allowing third party apps to leverage the core Epic system and build more engaging apps upon it – say a new clinician interface for making rounds. This could lead to Epic becoming but one of many Systems of Record that a health system uses and not the System of Engagement as well. This change will ultimately commoditize their product.

As mentioned earlier, Epic does have quite a number of APIs prebuilt, maybe more than any other EHR vendor but according to numerous sources, Epic has been capricious in how it allows access to those APIs and at times, the fees it charges are prohibitive. Fees are just another way to block the flow of information.


Tide is against them. Epic has been very vociferous in opposing these regs while its fellow health IT brethren have been supportive. Big Tech has also come out in support of the regs. Providers and the numerous provider associations have also been mostly supportive. Clearly the tide is against Epic, and they now have inadvertently made themselves appear to be the villain in health IT – a label they do not deserve.


It’s simply not Epic’s role to control data flow but to facilitate it. Let’s use the analogy of a weather satellite. Lockheed, under government contract, builds a satellite and sends it aloft. The weather data the satellite collects is not held and distributed by Lockheed, but by its customer, the U.S. government. These weather datasets are distributed via APIs. This free flow of data has led to a wide range of innovation weather apps.

The purchase of the vast majority of EHRs in use today was also done with government funding – some $40 billion through the HITECH Act. Therefore, why does Epic believe it has the right to throttle data flow while Lockheed does not? Sure, one can again bring up the patient privacy bogeyman, but really, is that all they’ve got? Free the data and let innovation prosper.


Reward is greater than the risk. Epic’s stated concerns with the new rules focus exclusively on patient privacy risk. But what if we look at data interoperability through the lens of patient safety? Would it not be far better if, when someone from out of town shows up unconscious in the ED, the attending physicians can, via the new interoperability rules, gain ready access to that patient’s medical history and avert, say, a medication error? Or how about duplicative testing? Might we not lower costs if we knew that the unconscious patient had recent labs and there was no reason to repeat them?

In totality, do not these patient safety concerns far outweigh a potential privacy breach? Besides, aren’t privacy breaches occurring every single day of the week? Sure seems that way from what I read in the trade press.

Epic leads the industry in the number of clinical transactions flowing through its system. In recent years, Epic has built out the capability to exchange data with any EHR that is enabled to send and receive standardized data sets. Unfortunately, there are many clinical sites of care that have yet to enable such exchange. These draft rules will force those laggards to move forward, an objective that Epic shares.


Where Epic got it right

There are reasons for concern regarding data privacy and third party apps a consumer may invoke that use their health data. Epic makes a valid point that consumer health data has little protection against misuse once it leaves a HIPAA covered entity. To help preserve privacy, or at least make consumers fully aware of how their health data may be used, a third party app should answer three simple, straightforward questions:

  1. Will my health data be sold to others?
  2. Do I have a “right to be forgotten”?
  3. Will you collect family history data?

These are simple, binary, yes/no questions that the app vendor answers right up front before collecting any health data on behalf of the consumer. This will provide the consumer a clear understanding of how their data may be used prior to invoking that app.

Secondly, what level of data sharing is sufficient? The proposed rules state that electronic health information (EHI) is to be exchanged, not personal health information (PHI). There is a massive difference between these two subtly different definitions. Opening the doors to any and all health data elements (EHI), in Epic’s case over 175,000, seems a bit over-the-top. The number of data elements for PHI is more in the thousands. Would a better approach not be to provide all standardized data elements, for example those in normalized FHIR standards? Note that Epic was far from alone in bringing this issue to the attention of ONC in its comments on the draft rules.

Passionate, but wrong

Epic’s CEO is a passionate leader with strong convictions. She has done much to help advance care delivery through the solutions her company provides to the market. There are times you need a strong voice such as hers to bring attention to a critical issue. However, this is not one of them. Epic took a wrong turn here and I sincerely hope that they take a step back and get on track with where this industry needs to go to continue to improve the delivery of care.

The proposed rules will likely be published in the next couple of weeks, and hopefully the feds will hold their ground, making changes where warranted, such as those suggested above. For in the end, the sharing of data will ultimately lead to better care despite the privacy risks – and isn’t that what we all want?

14 responses to “Epic Wrong Turn”

  1. Excellent discussion of the issue John, fair, on target and addressed the key points. Thanks for providing this level of insight and clarity.

  2. Dave deBronkart says:

    As many are saying on LinkedIn, John, this is so well written. Thanks so much.

    I hope all readers will consider the impact, good and bad, of the presence or lack of data mobility. Several stories are on this page of comments on Morgan Gleason’s letter to HHS about the impact of her own case, and in the main body of the post.

    Like you, I understand the reasons various parties have for not being eager to let data flow. But I hope people will consider the impact on sick people, especially sick elders and kids. Is all that harm and suffering the price data holders are truly willing to have sufferers pay?

    Thanks again.

    • John Moore says:

      Dave, you and I have been fighting this battle for years, the need to open up the data pipes for patient access and ultimately better care. The lock the industry has put on such (Epic far from the only guilty party) is maddening. We/society would be far better off, IMHO, if we just remove those unwarranted privacy shackles.

  3. Jim Hansen says:

    Nicely developed analysis John!

    My favorite points:
    “Free the data and let innovation prosper.” “To help preserve privacy, or at least make consumer fully aware of how their health data may be used, a third party app should answer three simple, straightforward questions …”

    We need guardrails to facilitate optimized innovation, not entities/people telling us what is best for us. This gets us the dreaded societal lowest bar. If within those guardrails I choose to not put my big boy/girl pants on and handle my data how someone who thinks they know better than me, then so be it. Everyone needs to stop and remember that without me, the patient, there is no health sick and care industry – my body, my information, my decision.

    “If I hear yet one more stakeholder say how they have to protect the patient/consumer’s privacy as a way to prevent transparency, prevent data flows I think I’ll blow a gasket. Please just stop.”

    I felt this way already when I first met you way back 12 years ago trying to essentially climb waterfalls running a HIE/PHR – words can’t even be found for how myself and other pioneers before me feel today at this point.

    It takes a great deal of integrity to “write up” a high visibility paying customer – you are one of the very rare birds in this industry I know who would do it – Thank you John! Judy should thank you too and I hope she does.

    • John Moore says:

      Yes Jim, remember those days of yore – what some 12+ yrs ago – we are still struggling with this issue. So unfortunate and I’m sick and tired of hearing the same excuses.
      Do believe a simple notice from 3rd party apps letting consumers know what might be done with their data is warranted – a safe guardrail as your health data is the most personal data of all.
      When I started this company, my objective was to do the best research possible to help the industry transition to a digital construct that will ultimately improve the delivery of care. All of our clients know this and respect that objective (i.e., we aren’t in business for you, we are in business to improve the delivery of care). They also know that there will be times when we may call them out on something that we believe may hinder such improvement. We try our utmost to be fair and objective – they see that in our research and continue to support us.
      We really do have great clients who truly want to improve the delivery of care as well.

  4. Very well-written and fair, John, but as a patient of an Epic system in the Chicago area, let me gently disagree about intra-Epic interoperability from a patient viewpoint: it is non-existent. Some, not all, clinicians know that they can see some information on their patients from other Epic hospitals. However, there is no way a patient can find this out from the portal. The staff of a doctor from a different health system twice told me they couldn’t see my records; only the doctor (and I) knew he could, and I only knew it because I’m an insider. And, not to bore you with details, but that interoperability is pretty limited for patients. One more example of paternalistic delusion, I’m afraid.

    • John Moore says:

      Michael, that is quite unfortunate but I’m not sure that is a problem with the Epic software or how it is deployed at a given healthcare organization. Do know Epic has a relatively new module called Care Everywhere to facilitate data sharing across Epic instances. At an Epic UGM a couple of yrs back, some provider orgs shared their experiences with Care Everywhere. They had many challenges, chief among them semantic interop. This is an issue that literally ALL providers struggle with regardless of which EHR they are on. No easy solutions to the problem today. Likely Big Tech (AMZN, GOOG, MSFT) will tackle this one.

  5. Epic Wrong turn is very well articulated John. Agree that patient care and safety trumps patient privacy concerns….many regs and ways to implement patient privacy outside of essential and noble Treatment-Payment-Operations paradigm governing information sharing. Stop with the information blocking.

  6. Allen Enebo says:

    John – this is outstanding! It is interesting Cerner is not mentioned. I expect them to have the same pushback as the other market leader. Vendors pay them for validation and “interoperability.” Is this different than an open API that hospitals or partners can work with? I think either Epic or Cerner, as the big players in the market, can compete with smaller vendors easily promoting cohesiveness. How do smaller vendors differentiate? Partnering and service! Both Epic and Cerner struggle with implementation and user adoption. They are too big for the personal touch that smaller solutions provide. This is where interoperability and innovation come to us pushing these guys.

    • John Moore says:

      Cerner was quite public in stating its support of the new rules and congratulated HHS/ONC upon rules release thus saw no need to include them. This really was an Epic issue.

  7. Great to see you trucking along. Well balanced comments John. I believe wherever we use the word interoperability we should be using the word transparency with it. What was the source of this data? How will this data be used? (Both de-identified and identified). The more transparency, the more we trust.

  8. John Moore says:

    Absolutely Kevin – transparency should go part and parcel with interoperability across all aspects of data governance and sharing. It will take some time to get there but at least we are on the journey.

    And good to hear from you Kevin – we really should make a point to catch up in near future.

  9. Vitaliy says:

    If Epic can provide a seamless flow of data within Epic, while making sure that patient data privacy is properly taken care of, it sounds like other competitors should be technically able to do that as well. Sure thing, that still begs the question if they are actually going to do just that. So enforcing that is a good idea and really outweighs the possible risks, just like you said, John. Since many of us need to work from home https://www.dhsforyou.com/common-questions-for-working-remotely/ and use our iPhones for gathering and storing healthcare data, it’s really important so that we can use that data in 3rd party apps. Any apps we wish to use, but not just some that Epic approves or whatever. Even if we run the risk of our data being harvested by Cambridge Analytica or a similar service. I guess it’s work for lawyers to figure out how to make sure that apps don’t take much more of the patient’s data than the patient intended.
