By MATTHEW HOLT
I am dipping into two rumbling controversies that probably only data nerds and chronic care management nerds care about, but as ever they reveal quite a bit about who has power and how the truth can get obfuscated in American health care.
This piece is about the data nerds but hopefully will help non-nerds understand why this matters. (You’ll have to wait for the one about diabetes & chronic care).
Think about data as a precious resource that drives economies, and then you’ll understand why there’s conflict.
A little history. Back in 1996 a law was passed that was supposed to make it easy to move your health insurance from employer to employer. It was called HIPAA (the first 3 letters stand for Health Insurance Portability–you didn’t know that, did you!). And no it didn’t help make insurance portable.
The “Accountability” (the 1st A, the second one stands for “Act”) part was basically a bunch of admin simplification standards for electronic forms insurers had been asking for. A bunch of privacy legislation got jammed in there too. One part of the “privacy” idea was that you, the patient, were supposed to be able to get a copy of your health data when you asked. As Regina Holliday pointed out in her art and story (73 cents), decades later you couldn’t.
Meanwhile, over the last 30 years America’s venerable community and parochial hospitals merged into large health systems, mostly to be able to stick it to insurers and employers on price. Blake Madden put out a chart of 91 health systems with more than $1bn in revenue this week and there are about 22 with over $10bn in revenue and a bunch more above $5bn. You don’t need me to remind you that many of those systems are guilty with extreme prejudice of monopolistic price gouging, screwing over their clinicians, suing poor people, managing huge hedge funds, and paying dozens of executives like they’re playing for the soon to be ex-Oakland A’s. A few got LA Dodgers’ style money. More than 15 years since Regina picked up her paintbrush to complain about her husband Fred’s treatment and the lack of access to his records, suffice it to say that many big health systems don’t engender much in the way of trust.
Meanwhile almost all of those systems, which already get 55-65% of their revenue from the taxpayer, received additional huge public subsidies to install electronic medical records which both pissed off their physicians and made several EMR vendors rich. One vendor, Epic Systems, became so wealthy that it has an office complex modeled after a theme park, including an 11,000 seat underground theater that looks like something from a 70’s sci-fi movie. Epic has also been criticized for monopolistic practices and related behavior, in particular limiting what its ex-employees could do and what its users could publicly complain about. Fortune’s Seth Joseph has been hammering away at them, to little avail as its software now manages 45%+ of all encounters with that number still increasing. (Northwell, Intermountain & UPMC are three huge health systems that recently tossed previous vendors to get on Epic).
Meanwhile some regulations did get passed about what was required from those who got those huge public subsidies and they have actually had some effect. The money from the 2009 HITECH act was spent mostly in the 2011-14 period and by the mid teens most hospitals and doctors had EMRs. There was a lot of talk about data exchange between providers but not much action. However, there were three major national networks set up, one mostly working with Epic and its clients called Carequality. Epic meanwhile had pretty successfully set up a client to client exchange called Care Everywhere (remember that).
Then, mostly driven by Joe Biden when he was VP, in 2016 Congress passed the 21st Century Cures Act which among many other things basically said that providers had to make data available in a modern format (i.e. via API). ONC, the bit of HHS that manages this stuff, eventually came up with some regulations and by the early 2020’s data access became real across a series of national networks. However, the access was restricted to data needed for “treatment” even though the law promised several other reasons to get health data.
As you might guess, a bunch of things then happened. First a series of VC-backed tech companies got created that basically extract data from hospital APIs in part via those national networks. These are commonly called “on-ramp” companies. Second, a bunch of companies started trying to use that data for a number of purposes, most ostensibly to deliver services to patients and play with their data outside those 91 big hospital systems.
Which brings us to the last couple of weeks. It became publicly known among the health data nerd crowd that one of the onramp companies, Particle Health, had been cut off from the Carequality Network and thus couldn’t provide its clients with data.
The supposed reason was that they were getting data without a “treatment” reason.
Now if you really want to understand all this in detail, go read Brendan Keeler’s excellent piece “Epic v Particle”. Basically Particle cried foul and unusually both Michael Marchant, a UC Davis Health employee & the Chair of the big health systems on the ”Care Everywhere Committee” (remember that from earlier?) and then Epic itself responded. Particle’s founder Troy Bannister in a linkedin post and an official release from Particle said that they had not received notice or any evidence of what they’d done wrong. Michael said they had. I started quoting the Dire Straits line “two men say they’re Jesus, one of them must be wrong.” (FD. Troy was briefly an intern at Health 2.0 long, long ago).
Then Epic publicly released a letter to its clients explaining that, contrary to what Troy & Particle said, it had been discussing this with Particle for months and had had several meetings before and after it cut them off. So unless Particle’s legal counsel was parsing its words very very carefully, they knew Epic and its clients were unhappy, and it was unlikely Troy was Jesus. Michael might still be, of course. (Update: as of 4/15/23 Particle says only some feeds were cut off not all of them as Epic suggested)
In the letter Epic named 4 companies who were using Particle’s data in a way it didn’t like– Reveleer and MDPortals (who are one not two companies as they merged in 2023 before this issue started), Novellia and Integritort.
So what do they do with the data. Reveleer says that “leveraging our AI-enabled platform with NLP and MDPortals’ sophisticated interoperability allows us to deliver providers a pre-encounter clinical summary of patients within their EHR workflow at the point of care.” Sounds like treatment to me. But Reveleer also does analysis for health plans. You can see why hospitals might not like them.
Novellia is a PHR company, presumably using “treatment” to enable consumers to access their data to manage their own care. This was EXACTLY what Joe Biden wanted the 21st Century Cures Act to give patients the right to do and what Epic CEO Judy Faulkner told him he shouldn’t want (depending exactly who you believe about that conversation). But it’s probably not a particular “treatment” under HIPAA, because who believes patients can treat themselves or need to know about their own data anyway? (I’ll just lock you all in a room with Dave deBronkart, Susannah Fox and Regina Holliday if you want the real answer). This is apparently the line where ONC folded in its ruling to the vested interests that providers (and their EMR vendors) didn’t have to provide data to patient requests.
Finally, Integritort does sound like it’s looking for records so it (or its law firm customers) can sue someone for bad treatment (or as it turns out defend them for it). Is that “treatment” under the HIPAA definition? Almost certainly not. On the other hand, do the providers cutting them off have a vested interest in making sure no outside expert can review what they’ve been up to? I think we all know the answer to that question.
But anyway it looks like Particle switched off Integritort’s access to Carequality on March 22nd before Particle was entirely switched off by Carequality sometime around April 1.
What is not answered in the letter is why, if Carequality can identify who these records are going to, it needed to switch all Particle’s access off. Additionally, you would think that Particle’s path of least resistance would be to cut off the named clients Epic/Carequality was concerned about and try to sort through things while keeping its system running–which it seems it did with Integritort. Whatever happened, instead of this negotiation continuing behind the scenes, we all got to witness a major power play–with clearly Epic & its big customers winning for now.
I think most people who are interested in getting access to data for patients are all agreed on the need for new “paths” which were already defined in the regulations but not implemented, and also presumably for agreed standards (with associated liability) of “know your customer laws” for the onramps like Particle to make sure that the clients using them are doing the right things vis a vis confirming patient identity et al.
Slight digression: I am confused about why identity proofing is such a big deal. In recent weeks I have had to prove my identity for the IRS, for a credit union, and for the TSA. Not to mention for lots of other websites. There are companies like IDme, Clear and many others that do exactly this. I don’t see anything so specific about health care that is different from credit cards, bank accounts, airport safety, etc. Why can those agencies/organizations access all that data online but for some reason it’s a bridge too far for health care?
However you can see where the fault lines are being drawn. There are a lot of organizations, many backed by rich VCs or huge quasi-tech corporations, that think they can do a much better job of caring for Americans than the current incumbents do. (Whether they can or not is another matter, but remember we are spending 18% of GDP when everyone else spends 10-12%). Those organizations, which include huge health plans, tech cos, retail clinics, startup virtual care clinics, and a whole lot more, need data. Not everything they or the intermediaries they do will fit the “treatment” definition the current holders of that data want to use. On the other hand, the current incumbents and their vendors are extremely uninterested in any changes to their business model.
Data may be the new oil but, like oil, data needs refining to power economies and power health care services. We spent much of the last century fighting about access to oil, and we’re going to spend a lot of this one fighting about data. Health care will be no exception.
Matthew Holt is the publisher of The Health Care Blog
Categories: Health Policy, Health Tech, The Business of Health Care