Disclaimer: I am a 15-year employee of Epic, love my job, and love that we have a CEO who cares deeply about patient privacy as well as patient care. I'm not writing as a company spokesperson, but as a private individual who's frustrated by fake news and misinformation.
Recently, many, many news organizations have written about Epic's opposition to a new regulation from the Department of Health and Human Services that would make it easier to share medical records data with patients and apps. These organizations are saying that Epic opposes the new regulation because Epic opposes data sharing and wants to keep patient information locked up, in the pursuit of outrageous profits. Nothing could be further from the truth.
Epic loves data sharing. Patients are healthier and safer when every doctor, nurse, medical assistant, lab tech, pharmacist, etc. can see their full medical records. We developed:
- Care Everywhere and Care Anywhere—data sharing between Epic organizations and standards-compliant data sharing between Epic and non-Epic organizations
- MyChart—allowing enable patients to access their own data
- Lucy—allowing patients to easily consolidate their charts from multiple healthcare systems
- Share Everywhere—allowing patients to directly share their records with anyone in the world, even clinicians who are still using paper charts
Our concern about the new rule comes down to one reason: worries about patient privacy. Many, many Android and iOS apps earn revenue by selling user data. The majority of the time users are unaware that their apps are tracking them, unaware of how much their apps are tracking them, and unaware of how many different companies their apps are selling their data to. There is a real risk that giving apps access to your healthcare information could mean that those apps are reselling your healthcare records to anyone and everyone, without your knowledge or consent.
We published an open letter stating these concerns.
- Family member data may inadvertently be shared. The data sent to the apps might include family member data, without the patient realizing it and without the family members’ knowledge or permission. Almost all medical records contain family history, which may be threaded throughout the record.
After surgery, Jim’s doctor wants to prescribe an opioid for Jim during his recovery. Jim prefers not to take an opioid because his brother Ken struggles with addiction. The doctor makes a note about that in Jim’s medical record. When Jim’s health data is sent to an app, and that data is used, shared, or sold, Ken’s addiction status may become public without Ken’s knowledge or permission.
Jim and Ken’s story is similar to what happened to Facebook friends who did not give their approval for their information to be harvested by Cambridge Analytica.
- Apps may take much more of the patient’s data than the patient intended. There are no transparency requirements to make it very clear to the patient what data the app is taking and what the app will do with that data.
A wellness app offers Liz a cholesterol study and asks her to approve sending the app her lab results. Liz does not realize that the app has gathered all of her lab results, including sensitive information such as her pregnancy status and STD testing results. She does not know that the app will sell that data. Once her health information is out, she cannot pull it back.
We have always, and will always, support patients’ right to use their data as they see fit. However, it is the role of government to ensure that patients have the information they need to make those decisions knowledgeably, like they have for nutrition and food or labels in the clothes they buy. Patients must be fully informed about how apps will use their data, and apps and other companies must be held accountable to honor the promises they made to patients.
For patients to benefit from the ONC rule without these serious risks to their privacy, we recommend that transparency requirements and privacy protections are established for apps gathering patient data before the ONC rule is finalized.
Epic does not typically comment publicly on national policy issues. However, our goal is to keep the patients at the heart of everything we do, and we must speak out to avoid a situation like Cambridge Analytica. The solution has a clear precedent in HIPAA protections, and creating similar protections that apply to apps would make a difference in the privacy and well-being of millions of patients and their families.
Please. Before you jump on the bandwagon of people attacking Epic, take a moment to think about the privacy implications of your health records being used as an income stream for app developers.