The Carequality interoperability framework released the results of an independent resolution in the dispute between Epic and Particle Health on Tuesday, but both parties appear further entrenched in their stated opposition.

"The Carequality Steering Committee resolution confirms that Particle Health customers inappropriately accessed people’s medical records by falsely claiming to be treating them as patients," an Epic spokesperson told Healthcare IT News by email on Wednesday. "The resolution confirms Epic and its customers took appropriate action to protect patient privacy."

"We see this resolution as a victory," Jason Prestinario, CEO of Particle Health, said in a statement also sent by email the same day. "Carequality invalidated Epic’s original dispute, and Epic has agreed to implement more transparency and open communication, with a six-month oversight period to ensure adherence to this agreement."

Due diligence questions

In September, Particle filed an antitrust lawsuit in the Southern District of New York alleging that Epic Systems uses its monopoly over electronic health records to block its provider customers from data and to squelch competition in the payer platform market. 

In response to the filing, Epic asked Carequality to release the dispute resolution, but the interoperability framework said last week that it could not disclose information until its resolution process concluded.

A panel of Carequality community members and external subject matter experts reviewed claims brought by Epic in March and Particle Health relating to each other’s participation in the framework.

According to Carequality, Epic claimed that three Particle customers were submitting queries for treatment purposes when they were not, and while two of them were found to have signed authorizations, the data was not intended for treatment purposes. 

"It appears that Particle Health did conduct diligence for onboarding purposes on each of the three customers, although this diligence activity failed to reveal inaccurate information provided by each customer," Carequality said Tuesday in a summary of its dispute resolution findings.

Subsequently, in June, Particle terminated its contracts with those specific organizations, and they are also no longer Carequality Connections. They are terminated for 12 months, and reinstatement to the framework would require the approval of the network's steering committee.

"The resolution confirms Epic and its customers took appropriate action to protect patient privacy," Epic said in a statement.

Unclear technical requirements 

Particle acknowledged that a customer took records inappropriately, and a second customer admitted taking records inappropriately, according to Epic.

For the third organization, Particle agreed to secure additional documentation about its relationships with healthcare providers and agreed to a six-month corrective action plan to adhere to Carequality's process requirements.

"Carequality found that the customer did not have required HIPAA agreements in place with those organizations," Epic said. 

In the resolution, Carequality said Epic asked that Particle "delete and confirm deletion of data obtained through Carequality in violation of HIPAA and Carequality policies." 

While one of Particle's now-terminated customers confirmed in an email to Particle that "it has deleted all patient health data obtained through Particle out of an abundance of caution," the resolution said, the other must do so in 20 days. 

For the customer that did not have required HIPAA agreements in place, it has 20 days to provide proof of valid agreement or must also delete the information it obtained.

While Epic and Particle agreed to Carequality's release of the resolution, the framework said it released a redacted version due to multiple parties that declined, and three Particle customers in question are not named.

Epic has charged the population health data analytics provider with masking its clients, based on interpretations of network technical requirements, Carequality said. 

"It was demonstrated that Particle Health was not using a 'masking gateway,'" it said, noting that the dispute helped to clarify technical requirements under the framework.

"Epic has agreed to update its policies to include clear, objective criteria to be used by Epic to determine whether Epic believes an organization participating in Carequality is performing treatment and, for a period of six months, to provide information to Carequality to confirm that it is acting in accordance with these policies," according to the summary.

Meanwhile, Epic said the resolution reveals data transparency failures in Particle's process for connecting new customers to the framework and was also warned about misleading marketing. 

"Particle processes failed to prevent inappropriate access by its customers to medical records from thousands of hospitals across America," Epic said. "Particle puts information on requesters in a different location than almost every other Carequality implementer."

For its part, Carequality said it has initiated new compliance-monitoring and auditing processes to proactively identify potential future issues.

Stated positions

"We remain dedicated to maintaining the trust instilled in our interoperability framework and protecting sensitive patient information," Carequality said in a statement. "The resolution of these disputes not only affirms the effectiveness of our framework but also highlights our steadfast commitment to advancing interoperability while protecting patient data."

"The increased transparency and clarity outlined – particularly as it calls on Epic to make changes for more open communication with the ecosystem – will benefit all participants and drive positive innovation for patient care," Prestinario said.

"Epic did not single out Particle or its customers," the EHR giant stated.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.