Or Interop, Privacy and Advancing Care
The annual ONC meeting last week brought together stakeholders to discuss policy for health IT and, most importantly, interoperability. With new interoperability rules expected in the coming weeks, this was a particularly important meeting with no less than HHS Sec. Azar giving a keynote. It was the beginning of the campaign to align support behind these forthcoming rules. While there has been some concern regarding patient data privacy protection, the industry has basically fallen in line to support these regulations.
Well, most everyone but not EHR vendor Epic.
There has already been plenty written about Epic’s CEO sending a letter to the CEOs of its customer base requesting they write letters to Sec. Azar to petition ONC/HHS to not pass these rules due to patient privacy concerns. Epic even posted on its homepage its position and the dangers they foresee if these rules are passed.
At this point this is all a backdrop.
I have been following Epic since I started Chilmark Research over 13 years ago. A few years back, Epic became a client of ours through our Chilmark Advisory Service. They remain a client, we have attended several of their annual UGMs, I have spoken with their CEO on several occasions and frankly have a ton of respect for what they have built and the services they have delivered to the market.
That being said, I have not always been a fan of their product and go-to-market strategy – a “walled garden” approach wherein it is easy to share data within Epic and across Epic instances, but difficult across disparate EHRs from other vendors. While this approach provides a seamless flow of data within Epic from ambulatory to acute care settings, it also keeps customers “in the garden” not seeking solutions from other vendors, even if those solutions may be better. This can stifle innovation.
In its defense, Epic has made important strides in improving the interoperability of its system, which now manages health data for a majority of Americans. They support the interoperability standards that are on the books today, arguably have the greatest number of transactions passing through their system (about five million/day) and have one of the largest repositories of APIs for customers and partners to use. Epic is ahead of most health IT vendors with regards to interoperability.
As a patient of Partners Health here in Boston, I use the patient portal that is built on Epic’s MyChart. I also have established a connection between this portal and Apple Health on my iPhone. On the patient portal I can readily gain access to my complete records (except images, though I do have radiology reports) and send them to whomever I please. On my iPhone, Apple Health provides a trim version of those records – not everything but the important stuff such as meds, recent labs, diagnosis, allergies, etc. All works seamlessly. As a patient, I applaud Epic and Partners for providing such easy access to my records.
So where’s the rub?
Regardless of their arguments, Epic made a wrong turn in coming out against the proposed interoperability rules for several reasons:
It’s paternalistic. Having spoken to Epic’s CEO, I know that she is quite passionate about preserving patient privacy and truly believes Epic and its customers have to protect consumers from themselves – that third party apps a consumer invokes to use their health data may compromise that data. Yes, better privacy protections than HIPAA are needed but blocking the sharing of data until such is passed is unwarranted. Is not the risk of not sharing data that could result in serious patient harm far greater than the risk of sharing?
The first research report Chilmark published in 2007 addressed the market for Personal Health Records (PHRs). Back then there was plenty of controversy as to whether or not patients should have access to their records. Stakeholders most often used the patient privacy foil in their defense of withholding access. Fast forward 13 years and the same damn arguments are being used. Even AHIP recently invoked patient privacy as a key reason to not have price transparency.
If I hear yet one more stakeholder say how they have to protect the patient/consumer’s privacy as a way to prevent transparency, prevent data flows, I think I’ll blow a gasket. Please just stop.
It’s self-serving. Epic has everything a health system needs in one tightly integrated package. Their walled garden ecosystem works exceptionally well within the confines of that walled garden but if Epic starts punching a lot of holes in those walls via open APIs, well that wall begins to crumble allowing third party apps to leverage the core Epic system and build more engaging apps upon it – say a new clinician interface for making rounds. This could lead to Epic becoming but one of many Systems of Record that a health system uses and not the System of Engagement as well. This change will ultimately commoditize their product.
As mentioned earlier, Epic does have quite a number of APIs prebuilt, maybe more than any other EHR vendor but according to numerous sources, Epic has been capricious in how it allows access to those APIs and at times, the fees it charges are prohibitive. Fees are just another way to block the flow of information.
Tide is against them. Epic has been very vociferous in opposing these regs while its fellow health IT brethren have been supportive. Big Tech has also come out in support of the regs. Providers and the numerous provider associations have also been mostly supportive. Clearly the tide is against Epic and they now have inadvertently made themselves appear to be the villain in health IT – a label they do not deserve.
It’s simply not Epic’s role to control data flow but to facilitate it. Let’s use the analogy of a weather satellite. Lockheed, under government contract, builds a satellite and sends it aloft. The weather data the satellite collects is not held and distributed by Lockheed, but by its customer, the U.S. government. These weather datasets are distributed via APIs. This free flow of data has led to a wide range of innovative weather apps.
The purchase of the vast majority of EHRs in use today was also done with government funding – some $40 billion through the HITECH Act. Therefore, why does Epic believe it has the right to throttle data flow while Lockheed does not? Sure, one can again bring up the patient privacy bogeyman but really, is that all they’ve got? Free the data and let innovation prosper.
Reward is greater than the risk. Epic’s stated concerns with the new rules focus exclusively on patient privacy risk. But what if we look at data interoperability through the lens of patient safety? Would it not be far better if someone shows up unconscious in the ED, is from out of town and attending physicians, via the new interoperability rules, can gain ready access to that patient’s medical history and avert say a medication error? Or how about duplicative testing? May we not lower costs if we knew that the unconscious patient had recent labs and there was no reason to repeat?
In totality, do not these patient safety concerns far outweigh a potential privacy breach? Besides, aren’t privacy breaches occurring every single day of the week? Sure seems that way from what I read in the trade press.
Epic leads the industry in number of clinical transactions flowing through their system. In recent years, Epic has built out the capability to exchange data with any EHR that is enabled to send and receive standardized data sets. Unfortunately, there are many clinical sites of care that have yet to enable such. These draft rules will force those laggards to move forward, an objective that Epic shares.
Where Epic got it right
There are reasons for concern regarding data privacy and third party apps a consumer may invoke that use their health data. Epic makes a valid point that consumer health data has little protection against misuse once it leaves a HIPAA covered entity. To help preserve privacy, or at least make consumers fully aware of how their health data may be used, a third party app should answer three simple, straightforward questions:
- Will my health data be sold to others?
- Do I have a “right to be forgotten”?
- Will you collect family history data?
These are simple, binary, yes/no questions that the app vendor answers right up front before collecting any health data on behalf of the consumer. This will provide the consumer a clear understanding of how their data may be used prior to invoking that app.
Secondly, what level of data sharing is sufficient? The proposed rules state that electronic health information (EHI) is to be exchanged, not personal health information (PHI). There is a massive difference between these two subtle definitions. Opening the doors to any and all health data elements (EHI), in Epic’s case over 175,000, seems a bit over-the-top. The number of data elements for PHI is more in the thousands. Would not a better approach be to provide all standardized data elements, for example those in normalized FHIR standards? Note that Epic was far from alone in bringing this issue to the attention of ONC in its comments on the draft rules.
Passionate, but wrong
Epic’s CEO is a passionate leader with strong convictions. She has done much to help advance care delivery through the solutions her company provides to the market. There are times you need a strong voice such as hers to bring attention to a critical issue. However, this is not one of them. Epic took a wrong turn here and I sincerely hope that they take a step back and get on track with where this industry needs to go to continue to improve the delivery of care.
The proposed rules will likely be published in the next couple of weeks and hopefully the feds will hold their ground, making changes where warranted, such as those suggested above. For in the end, the sharing of data will ultimately lead to better care despite the privacy risks – and isn’t that what we all want?