Bridging the Trust Gap as The Public Battle Over Access to Patient Data Heats Up
by Bart Howe, President, AHIOS & CEO, HealthMark Group
If you follow healthcare news, you’ve likely heard about the recent dispute between Epic and Particle Health. ICYMI: both companies are members of Carequality, a nationwide healthcare data exchange, and they are locked in a very public battle over how patient data from Epic’s systems can be shared and used by Particle Health’s customers.
The balance between privacy and access to patient data is essential, and disputes like the one between Epic and Particle Health highlight the friction that exists between these two objectives when digital access to patient data is happening at scale. Rapidly growing health information exchanges and interoperability frameworks, like Carequality and TEFCA, bring the potential for speed and efficiency to the exchange of patient data, but they also raise questions about how patient data will be sufficiently protected and released only to authorized recipients for specifically approved purposes.
This article from Modern Healthcare about the Epic and Particle Health situation is an excellent summary of what is at the heart of this debate - trust. It talks about how information moves at the speed of trust, and what’s happening with these two companies is an example of how a lack of trust has hindered the more widespread execution of interoperability. Patients deserve transparency on how their health data is being used, and complexities around how patient data can and should be used are proving difficult to normalize across the scale of these networks (for example, Carequality exchanges 400 million documents across its network each month).
The Epic and Particle Health disagreement is between two legitimate organizations, but we also have to consider the rise in illegitimate attempts to access patient data, which are further eroding this trust gap - look no further than the Change Healthcare hack for a recent example. Medical records are 50 times more valuable than credit cards on the black market(1), and in today’s digital landscape, hackers can access not just one but thousands or even millions of records in one fell swoop. If bulk patient data is accessible without the necessary guardrails to ensure patient privacy and proper limitation on use, suddenly the security risk and the associated liability are huge.
The way to start bridging this trust gap and realizing the full potential of seamless health data interoperability is to start building confidence that health data is truly only accessible by the parties who are authorized to receive it, something that AHIOS (Association of Health Information Outsourcing Services) and its members do daily for millions of patient medical records. When medical records are requested through an AHIOS member organization, that request is systematically logged, tracked, verified, retrieved, protected and then finally released. The trust gap we’re experiencing is because elements of this process are not always happening transparently when data exchange is fully automated and at scale.
To add further complication to an already complex situation, we have not been able to align on universally accepted definitions for different data use cases as an industry. Even definitions for common terms like “treatment”, “payment” and “operations” are elusive; at the heart of the dispute between Epic and Particle Health is different perspectives on the definition of treatment. And then there’s the issue of achieving fully informed patient consent, which is becoming increasingly difficult as use cases for data proliferate in an interoperable world.
There’s not a silver bullet here, but as experts in release of information who support compliant data sharing on behalf of thousands of health systems and providers, AHIOS believes that bringing real-world release of information experience and proven best practices into the conversation can help bridge the trust gap. The interoperability train has left the station, and we are advocating for good, thoughtful governance and constituent engagement to solve these challenges before that gap continues to widen.
(1) Cynerio Report: The State of IoMT Device Security 2022