Special Report: Epic Uproar Exposes Conflict Between Data Privacy and Innovation

Analysis | By Mandy Roth | February 11, 2020

Many healthcare leaders agree that Epic has valid concerns about open APIs, but some question whether the company has underlying motivations for delaying ONC's proposed patient data-sharing ruling.

It's been exactly a year since the U.S. Department of Health & Human Services (HHS) released two proposed interoperability rulings, designed to give patients access to information that resides inside their electronic health records (EHR) and take advantage of new tools that could expand their care and treatment options.

As anticipation heats up about impending Office of Management and Budget (OMB) approval of one of these proposals, a controversy has emerged. Verona, Wisconsin-based EHR vendor Epic Systems unleashed a furor after sending an email to health system executives asking them to sign a letter to HHS Secretary Alex Azar opposing the release of the final ruling from the Office of the National Coordinator for Health Information Technology (ONC), as CNBC reported.

From the moment the initial news broke about the letter, Epic's stance spawned a backlash from those advocating for patient control of their personal health information, including a not-so-veiled rebuke from Centers for Medicare & Medicaid Services (CMS) Administrator Seema Verma, who said, "The disingenuous efforts by certain private actors to use privacy—as vile as it is—as a pretext for holding patient data hostage, is an embarrassment to the industry."

Yet the imbroglio has focused the spotlight on an issue that nearly everyone HealthLeaders spoke with for this story agrees is a problem. Patient data from electronic medical records could be compromised by consumer apps, which don't necessarily afford the same protections patients have come to expect from HIPAA—a key tenet in Epic's position. The proposed ruling recommends that EHRs must have an open Application Programming Interface (API), which will enable patients to provide their health information to third-party developers.

The Letter That Fueled the Controversy

The letter from Epic's customers to Azar, dated February 3, was provided to HealthLeaders. It carries about 60 signatures—mostly from health systems who are clients of Epic—and states, "The ONC's proposed rule on interoperability will be overly burdensome on our health systems and will endanger patient privacy." It requests changes before the final rule is released. Among the suggestions:

  • Companies that want access to patient data should be held to the same privacy and security standards as the healthcare industry.
  • "The rule should narrowly focus on the medical and financial data that is most useful to the patient and can be exchanged in a standardized format (e.g., USCDI). Non-standardized data should not be required to be exchanged, even if there are existing APIs."
  • "The rule should protect the intellectual property of EHR developers to allow them to continue to innovate for health systems and patients."
  • It also requests extended timelines before the rule is enforced.

Before the letter was released, Epic said in a written statement to HealthLeaders, "Before ONC finalizes the proposed rule, third-party app vendors should be subject to federal privacy regulations similar to HIPAA. Patients must be fully informed about how apps will use their data, and apps and other companies must be held accountable to honor the promises they made to patients."

Health System Leaders Speak in Favor of Patient Access to Data

When asked about his reaction to the Epic controversy, Intermountain Vice President and Chief Information Officer Marc Probst, a past chair of the CHIME Board of Trustees, said, "I don't know everything [Epic CEO Judy Faulkner] is thinking or saying, but I disagree with the underlying premise. To me, we should be increasing transparency, and interoperability, and access by patients." He says that Faulkner is "wise" and "a great health IT leader," and it's possible that in the backlash of Epic's actions, people are reading more into her comments than intended.

"I don't pretend to fully understand her perspective, [but] that underlying premise—what it feels like [Epic] is saying—is not something I support or agree with," says Probst. He noted that Intermountain is not an Epic customer and did not sign the letter to Azar.

UPMC Enterprises, which has committed to invest one billion dollars to develop new drugs, diagnostics, and medical devices over the next four years—some of which could be impacted by a delayed ruling—expresses similar concerns. UPMC Enterprises President Tal Heppenstall says, "On its surface, it sounds like Epic and HHS are having some differences about how interoperability rules should work. I'm not going to comment on who's right and who's wrong, but I would say that in the end, it's really about the vision for having this data owned by the right kinds of people. I think Epic has some very distinct opinions about who should own the data, and who should have access to the data. It sounds like HHS has different [opinions]."

Heppenstall continues, "Obviously we collect lots of data, and our commitment is to surface that data subject to appropriate regulations and rules as they exist. From UPMC's perspective, our commitment is to provide our patients, our consumers, with the best quality care at the lowest costs, and the data infrastructure we need to do that is the one that we're pursuing." UPMC uses both Epic and Cerner EHRs, and Heppenstall says, "I don't know if we received the letter [from Epic]. I know we didn't sign it."

Industry Experts Agree that Open APIs Could Compromise Patient Data Privacy

When it comes to the specific issue about open APIs, many agree Epic has valid concerns. Prominent industry associations, including representatives from the American Health Information Management Association (AHIMA), the American Hospital Association (AHA), the American Medical Association (AMA), the American Medical Informatics Association (AMIA), the College of Healthcare Information Management Executives (CHIME), the Federation of American Hospitals (FAH), the Medical Group Management Association (MGMA), and Premier Inc., met with ONC on December 2, 2019.

Among the documents filed as reference for the meeting was a letter dated September 23, 2019, to Sen. Lamar Alexander (R-TN) and Sen. Patty Murray (D-WA), signed by all associations with representatives present at the meeting, except the AHA. An attachment to that letter, which is not associated with the letter Epic asked health systems to write, details problems with the use of APIs and third-party applications, warning that it "brings us into uncharted territory as patients leave the protections of HIPAA behind."

The letter goes on to say, "We support patients using apps to access their information; however, there is building concern that data will be commoditized by app developers and other third parties and used in ways not intended by patients." Among other protective measures, the letter recommends privacy notices and transparency statements be required to strengthen "patients' trust in an increasingly digital healthcare system."

Harlan Krumholz, MD, SM, the Harold H. Hines, Jr. professor of medicine, epidemiology, and public health at Yale University School of Medicine and director of the Yale-New Haven Hospital Center for Outcomes Research and Evaluation, says misuse of patient data is already happening, and it has nothing to do with open APIs. Sometimes, he says, the culprits are health systems and electronic medical record companies.

"So much data is moving behind people's backs—in ways that they're not aware of—and it's being commercialized without their participation," Krumholz says. Deidentified data that can later be reidentified is "leaking out of the healthcare systems," he says. "I believe the idea that certain electronic health record companies are selling data behind the scenes without the participation of patients is also a problem."

Should Patient Access to Data Trump Privacy Concerns?

While Krumholz agrees that the problem may accelerate with the advent of open APIs, he says patient access to their own data trumps those concerns. Issues should be addressed after the ruling is released, he says, and perhaps involve other government agencies, such as the Federal Trade Commission (FTC), to ensure consumers make informed choices about their health data, as they do about their money.

"I think that [Epic is] advocating for health systems to oppose many of the progressive features of the proposed rules by the government … to slow down a rule whose primary purpose is to put patients in the driver's seat," says Krumholz, who writes a blog for Forbes and also founded Hugo Health, a personal health platform designed to give people access and agency over their health data. "To say that we need to protect [patients] to some such great extent that we need to put the brakes on a rule that's about to come out—and really put [patients] in a strong position—would be unfortunate and wrong. In the end, the interest of patients has to win out."

Former ONC Chief Privacy Officer Lucia Savage, JD, who now serves as chief privacy and regulatory officer of digital health company Omada Health, provides further insights into the issue.

"Open specification API is a really important way to automate a right patients already have" to obtain their PHI [protected health information] and store it in any manner they desire, says Savage. That could be "on a bulletin board at their home, on an Apple HealthKit, a computer spreadsheet, or a bank vault," she says. "We don't regulate consumers' behavior that way." Automating those rights is an initiative that she says began during her ONC tenure between October 2014 and January 2017.

"This rule can really help support further innovation that meets patients where they are," says Savage. Yet she admits that progress comes with risks.

Healthcare and Consumer Protections Differ

"In the American system, one set of privacy rules applies to traditional healthcare, and a different set of privacy rules apply to consumer products," Savage says. "We wrote a report for Congress about it when I was at the ONC. There is a difference in the privacy oversight in those two domains, so that point that Epic is making is true. But what is also true is that nothing ONC is doing is changing that. It's not fixing weak laws in the consumer space. It's not eroding strong laws in the health space. It's just a different technological method."

The letter to senators, signed by multiple associations attending the December 2 ONC meeting (and separate from the health system letter inspired by Epic), suggests an approach to resolve the issue, pointing out that multiple federal agencies have jurisdiction over the privacy and security of patient and consumer information, including the HHS Office for Civil Rights, the FTC, CMS, and ONC. "We recommend the federal government adopt a holistic and coordinated approach to addressing the access, exchange, and use of health information by third parties not governed by HIPAA, including the sale and commoditization of data not intended by patients," the letter says.

Does Epic Have Deeper Motivations?

While industry representatives confirm that the concerns Epic has expressed about open APIs are valid, they also say that the company may have other motivations.

"I think at best it's an unfortunate strategy that will slow progress," says Krumholz. "At worst, it's a company trying to promote its own economic interest and using this as a scare tactic." He points to comments recently made by former Wisconsin governor Tommy Thompson, who served as HHS secretary from 2001 to 2005.

In a January 10 guest column in the Wisconsin State Journal, Thompson urged HHS to reconsider its data-sharing requirements.

"These rules would unfairly harm Wisconsin’s health IT industry and, along with it, the Wisconsin economy," said Thompson. "These rules would compel Epic to give its trade secrets away to venture capitalists, Big Tech, Silicon Valley interests, and overseas competitors for little or no compensation. HHS’ rule would conscript Epic to work for these new entrants, subverting free market principles at the expense of Wisconsin residents."

"I do think it's reasonable [to address the impact of open APIs]," says Krumholz, "but I don't think it should undermine all the work that it took us to get to this point. Unlike every other area of our society, there hasn't been any data liquidity [in healthcare], and we haven't been able to move data to leverage it for the greater good. We are on the precipice of this advance. To slow it down now would be unfortunate."

Final Ruling Date Is Unknown

There is a lot of speculation about when ONC will release the final ruling, officially titled "21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program." The proposal has been with OMB for review since October 28, 2019, and the office is prohibited from disclosing the date when a proposed rule will be released.

At the time of this article's publication, the last scheduled meeting related to this ruling on ONC's agenda takes place February 13. Last year the proposed rulings were released to coincide with the Healthcare Information and Management Systems Society (HIMSS) annual conference, and Verma used the event to address the topic. Verma and ONC National Coordinator Don Rucker, MD, have been invited as keynote speakers on March 11 at HIMSS20 in Orlando, but have not yet confirmed their appearance.

The second proposed rule, Interoperability and Patient Access, issued by CMS last year and considered a companion piece to the ONC ruling, was delivered to OMB on September 26, 2019. It may languish there for a while, as it has been earmarked for "long-term action," with a deadline that could be as late as March 2, 2022.

Editor's note: The fifth paragraph of this story has been changed to expand the excerpt from the letter Epic's customers sent to Azar: "The ONC's proposed rule on interoperability will be overly burdensome on our health systems and will endanger patient privacy."

Mandy Roth is the innovations editor at HealthLeaders.

Industry experts agree that open APIs could compromise patient privacy if protections aren't in place to guide third-party developers.

While there are risks, many healthcare leaders feel that patient access to their data is paramount to move to a digitally based healthcare system.

Healthcare and consumer protections differ; some advocate that government agencies should marshal a coordinated approach to safeguard health data in the consumer sector.

Some question whether Epic has underlying motivations to protect its business model.