EHR powerhouse Epic Systems poured fuel on the patient data privacy debate this week with a public statement likening HHS efforts to promote interoperability to Facebook's Cambridge Analytica scandal.
The country's largest EHR vendor has campaigned to stop the rules, or at least ease their data-sharing requirements. A statement posted Monday on Epic's website is a novel turn for the typically tight-lipped vendor, coming amid backlash from patients rights advocates.
The statement re-ups Epic's concerns that making it easier to share patient data between healthcare organizations and third-party apps would seriously compromise the privacy and security of the sensitive medical information. It's a valid concern, but privacy and access is not an either-or scenario, experts say.
"The ability of people to access data about them is a hallmark of privacy. Privacy is about access," Deven McGraw, chief regulatory officer at medical record aggregator Ciitizen, said Tuesday at the Office of the National Coordinator for Health IT's annual conference in Washington, D.C. "These are not two distinct things we're talking about."
Epic argues the ONC final rule stopping data blocking, due out from the Office of Management and Budget any day, would make it easier for providers to share health records with third-party applications at the patient's request. Epic claims two "highly likely" risks with this idea are that family member data could unintentionally be shared and apps may end up with more of the patient's information than the patient wanted.
Inadvertently sharing unapproved information will be "similar to what happened to Facebook friends who did not give their approval for their information to be harvested by Cambridge Analytica," Epic said, referencing the 2018 scandal over that political firm gaining access to the private data of millions of Facebook users while working for President Donald Trump's campaign.
Michael Abrams, managing partner at consultancy Numerof & Associates, called the comparison "overblown."
For its part, ONC leadership said patient knowledge and consent comes first with these outside applications, and the rules will mandate any health apps inform the patient in clear, readable language what they plan to do with the patient's information.
There's been a "huge marketing campaign on the risks of this data," ONC head Don Rucker said in a keynote Tuesday. "But I don't think we can let the risks that are real prevent all of us as citizens and members of the United States from having all of our data."
Rucker also slammed how Epic is framing the nationwide conversation about interoperability as "disempowering," telling Healthcare Dive on the sidelines of the conference that special interests are ignoring the "vast public interest in right of access to patient data."
"Look at what Epic has put out publicly — they obviously have an understandable view of the world, versus their potential competitors," Rucker said. "It’s certainly within their right to defend their turf however they wish."
Epic wants the federal government to stipulate transparency requirements and privacy protections for applications before the upcoming ONC rule is finalized, a step that would set back publication of the rules by months if not years.
"We have always, and will always, support patients' right to use their data as they see fit," the Epic statement reads. But "we must speak out to avoid a situation like Cambridge Analytica."
But some industry experts believe such arguments are smokescreens to keep the status quo in place — especially a behemoth like Epic, which counts 60% of large U.S. hospitals among its clients, according to KLAS.
"When privacy is used to prevent transparency and prevent patient access, that's a problem," Morgan Reed, president of the App Association, said on a privacy panel at the conference Tuesday.
A firestorm was sparked earlier this month with leak of a letter from Epic CEO and founder Judy Faulkner to health system clients, urging them to oppose the two final rules prohibiting data blocking.
But in its new statement, Epic defended its track record enabling interoperability. It created the MyChart patient portal two decades ago, followed by a program called Lucy in 2010 allowing patients to download their health data to a file or thumb drive and 2017's Share Everywhere, allowing patients to share their record to anyone with internet access, according to the company.
Still, the vendor has received criticism for smooth data sharing within Epic-branded systems but difficulty sharing data out of them.