Epic Systems Claims Particle Health Used Medical Record Data in Unethical Ways


On April 11, 2024, Epic Systems, a global leader in electronic medical record (EMR) software, informed customers it was severing ties with Particle Health, a healthcare technology company. Epic Systems alleges Particle breached legal and ethical rules safeguarding patient privacy by misusing patients’ electronic health records (EHRs) for non-treatment purposes. 

The breakup prevents Epic Systems from accessing Particle’s collection of over 300 million healthcare records and blocks Particle from requesting records through Epic Systems’ interoperability network.

National Record Retrieval’s mission is to give lawyers expedited access to their clients’ medical records so they can be offered as evidence of harms for which their plaintiff-clients are seeking damages. We are closely following any developments on Epic Systems’ conflict with Particle to continue servicing law firms. 

Federal Law Protecting Patient Medical Data and the Privacy Rule

Congress enshrined the protection of patients’ medical records in 42 U.S.C. §§ 1320d–d-9 (2024), codifying the Health Insurance Portability and Accountability Act of 1996, or HIPAA. The statute compels the Secretary of Health and Human Services (HHS) to promulgate regulations ensuring the privacy of patients’ identifiable medical information. 

Set out generally in 45 C.F.R. § 160.502, the HHS regulation known as the Privacy Rule prohibits disclosure of patients’ medical information by certain “covered” healthcare entities (defined in § 160.103) without patient consent.

Disclosures are permitted under certain circumstances. For instance, a covered entity (e.g., a healthcare provider) may contract with a business associate whose subcontractor “creates, receives, maintains, or transmits” private medical data. This subcontractor, as expressed in § 160.103(3)(iii), is treated as a business associate itself when acting on behalf of the primary business associate.

A covered entity is noncompliant with HHS regulations when it has knowledge of a business associate’s practices or patterns of activity constituting “a material breach” of contractual obligations or violations of HIPAA. A covered entity must show it has taken “reasonable steps to cure the breach or end the violation” to establish compliance under 45 C.F.R. § 164.504(e)(1)(ii) (2024). Where these steps do not remediate contraventions, the covered entity must terminate its agreement with the breaching business associate. 

Epic Systems Versus Particle: A Breach of Contract and Ethics

Epic Systems is a private healthcare information technology corporation that developed a software suite containing widely used platforms like MyChart and Care Everywhere. This suite began as an EHR product but has since grown with a focus on interoperability, which facilitates the exchange of patient information across various healthcare computing systems. 

Epic Systems’ interoperability approach gives the CareQuality network access to its EHR reservoir. The connectivity initiative of this intermediary network sets national standards and trust policies for its vetted implementers, such as Particle.

Although CareQuality has binding agreements with its implementers restricting patient information requests to eight “Permitted Purposes,” Epic Systems has a policy of exclusively responding to data requests for the purpose of treatment. This protocol limits EHR exchange to requesters administering care to the patient whose record is being sought.

On March 21, 2024, Epic Systems filed a formal dispute against CareQuality, alleging Particle was misrepresenting the purpose for its patient-record retrievals. Epic Systems suspended interactivity with Particle and its affiliates on this basis, citing security risks and the possibility of breaking the HIPAA Privacy Rule. 

In an April 12 blog post, Particle said it is engaging with Epic Systems to address the situation. Particle contends that the lack of a standard definition of “treatment” has left it without clear guidelines for proper retrieval purposes. Epic Systems’ complaint has yet to be resolved.

Patient Trust and Ethical Transmission of Records

The relationship between patient and healthcare provider involves a great deal of trust. However, confidentiality must be balanced against the need to transmit healthcare data, so medical histories can be shared for the benefit of patient care.

Law firms employing National Record Retrieval use our services to fulfill medical record requests for lawyers. Our efficiency relies on cooperation between major players in the EMR industry. We will not be discouraged as Epic Systems settles its issues with CareQuality and Particle.