By: Darren Whitt, Senior Director, Business Development
Maybe it’s because I’d been watching a lot of the NCAA basketball tournament when the news about Particle Health and Epic broke, but the dispute kind of reminds me of a basketball game. Epic plays for the Good Guys, along with their teammates, the Providers. Particle plays for the Bad Guys, with their teammates, the bad actors. The court both teams play on is Carequality, and all the players understand the rules of the game.
In this game, there are no referees, so it’s really more like a pick-up game and it’s up to the players to call the fouls. Epic has called a foul on Particle. The fans of the Good Guys, like Brendan Keeler who’s done outstanding work covering this matter, are in the stands shouting, “you can’t do that, you can’t do that” – a familiar chant you hear from fans when a foul is called in a high school basketball game. Let’s discuss the foul and why it needs to be enforced to ensure the integrity of the game.
The Foul
Carequality is an interoperability framework that enables the exchange of EHR data by member organizations. The framework defines the rules. The permitted purpose of use for querying Carequality centers on treatment, payment, and operations (TPO). There are other permitted purposes of use, like coverage determination and patient right of access requests, but treatment is the only permitted purpose of use that organizations are required to respond to.
As a Carequality implementer, you must declare your permitted purpose of use as addressed in the framework documents. According to their website, Particle is a Carequality implementer, and they only support TPO use cases. However, several of Particle’s customers have use cases that sit outside of TPO. Epic is concerned about this, and that is why they requested Carequality turn off Particle connections to certain Epic customers—the foul that was rightfully called.
What’s the Big Deal?
You might have heard of HIPAA. It’s been around for a while now—Bill Clinton signed it into law in 1996—that’s how long it’s been. When a Carequality implementer initiates a query under the auspices of TPO, but it’s really a non-permitted purpose, and a provider releases data, this is likely a HIPAA violation on the provider’s part. This is another reason why Epic is calling a foul on Particle. Providers are very risk-averse, and HIPAA violations are a really big deal to them!
What about Privacy?
When an implementer inappropriately queries under the facade of TPO, this is a HIPAA violation pertaining to the privacy rule. Patients whose providers participate in Carequality generally unknowingly opted into the TPO data highway built and managed by Carequality.
A fiduciary relationship exists between a patient and a provider. Confidence, trust and confidentiality uphold this relationship. Patients rightfully expect their sensitive, personal health information will be held in confidence with their provider. However, this information is documented in the patient’s medical record, and the notion that a bad actor could query Carequality without appropriate consent is a breach of trust to the patient-provider relationship – this is harmful.
When the Carequality network is queried for TPO purpose of use, there is an expectation that patient data remains protected as required by HIPAA. The fiduciary relationship is de facto and applicable to all providers involved in the treatment of the patient. Remember the Hippocratic Oath: First, do no harm. In good faith and in compliance with the Carequality framework, providers participate in the evolution of interoperability with the best intentions – for TPO purpose of use.
When a Carequality implementer queries the network under the pretense of a TPO-permitted purpose, but the use case is not permitted, this is a violation of the Carequality framework. But it’s really a much bigger violation of privacy and of the requirement for appropriate consent. It’s inappropriate and illegal to use any data for an unpermitted purpose of use – this is a flagrant, intentional, technical foul! Cause for ejection?
Perceptions of Risk and the Erosion of Trust
The perception of risk due to lack of enforcement and data misuse is bad for the business of Carequality and a threat to advancing healthcare interoperability. Reciprocity is defined by Webster as “a mutual exchange of privileges.” The privilege of exchanging electronic health records between providers for treatment is built on a foundation of trust. Without trust, reciprocity is a big problem. Simply, when the trust of providers erodes, they will likely stop participating in the privileged exchange of EHR data by Carequality or any QHIN governed under TEFCA that does not follow the rules.
Where are the Referees?
Epic shouldn’t have had to call Particle’s intentional foul. Carequality should be the referee. Carequality is supposed to police the onramps and “on behalf of” players well enough to recognize if non-TPO use is potentially taking place. That would have to happen at the time of on-ramping and on some ongoing basis, to monitor traffic that might be going to parties not likely to be part of a TPO chain of HIPAA business associates. Epic rightfully called foul to protect the interests of their customers.
Carequality’s value completely depends on the trust of the participating health systems and medical facilities. If participants fear records could be disclosed incorrectly, representing a HIPAA breach, how long before health systems pull their records from the network?
We’re in a time when concerns about patient trust are compounded by healthcare organizations experiencing data breaches and privacy threats. Because of this, it won’t take many abuses of trust at Carequality to drive key players from the network.
Finally, there’s the reciprocity aspect of the network to consider. If real treatment were taking place on the receiving end of these records, the fulfilling organization, the health system that shared the records, could expect to receive records back with more information about their (mutual) patient. Our understanding is that many Carequality onboarders and “on behalf of” endpoints in the network use that designation to avoid reciprocating. If the health system is being asked to do the sharing, they have a right to get something in return. That’s the only path to better care coordination and improved outcomes.
While a mass tort litigation purpose of use is clearly not TPO (even with an employed provider on the team), there are other use cases where abuse is being tolerated, such as in the life sciences industry. Clinical trial recruiters who use social media and other forms of marketing to find and match patients to a trial should not be allowed to query Carequality for records. Research is not a permitted purpose of use, and it is a potential HIPAA violation on the part of the providers that unintentionally release records to a bad actor who’s bending the rules for the sake of profit. It would have been very simple for Particle to reach out to Carequality if they wanted to speak to a referee for clarity on their use case. Maybe they chose not to ask because they knew that a good referee would have called this foul.
Fortunately, there are other ways for these organizations to ethically retrieve these records with the patient’s explicit consent. That’s what’s missing from a Carequality TPO style of data exchange—explicit patient consent.
Does Greenlight Play Hoops?
The ONC recently released the Federal Health IT Strategic Plan for 2024 – 2030. The top priority and purpose of the plan is “Individual Access to EHI.” Why? According to the plan, the goal is to “promote health and wellness” so that “individuals are empowered to manage their health.” By enabling individuals to access and share their EHI, patients can better “understand and inform their health decisions.”
This 5-year strategic plan aligns with our mission at Greenlight. This is our game – practical, tactical interoperability governed by the patient. Technically, we support individual right of access requests to EHI, and we securely move this data to its intended destination with explicit patient consent. By support, I mean we make it easy for patients. As a data-as-a-service provider, this is mission-critical to us, and we only get paid when we establish connections. We know most individuals know very little about how to navigate to their EHI – until they become sick or injured. When you become a patient and you need access to medical records, the learning curve can be steep. We make it easy, we do it securely, and we always do it with explicit patient consent. We are a trusted resource to the patients we serve and to our strategic partners who need EHR data liquidity to drive innovation.
About Greenlight
We enable seamless digital patient data connectivity, bridging EHR record silos to provide heterogeneous EHR networks with a simple, easy-to-view summary of patient medical records. The connected patient is our star player.
Contact us today to learn more about how you can benefit from direct digital medical records.