Home » News » Currently Reading:

Epic Lists Its HHS Interoperability Rule Concerns

January 27, 2020 News 22 Comments

Epic posts its concerns about HHS’s proposed interoperability rule:

  • The rule would require health systems to send data to any app that a patient requests.
  • 79% of healthcare apps have been found to sell or share patient data.
  • Those app vendors would not be required to ask the patient for approval to use their data for other purposes.
  • The patient’s data might also include family member data, such as family history, that the patient doesn’t realize, and those family members would not necessarily approve of having their information disclosed.
  • The proposed rule does not limit the extent of information that an app can request or how its developer can use it.

The company concludes that while it rarely comments on national policy issues, “We must speak out to avoid a situation like Cambridge Analytica. The solution has a clear precedent in HIPAA protections, and creating similar protections that apply to apps would make a difference in the privacy and well-being of millions of patients and their families.”


Meanwhile, HHS Secretary Alex Azar said in his keynote speech at ONC’s annual meeting on Monday:

Health records today are stored in a segmented, balkanized system, and it’s not just affecting the patient and provider experience—it’s affecting care. This has to change, which is why, last year, we proposed ONC’s bold interoperability rule, as well as accompanying rules from CMS. I want to briefly lay out the context of the interoperability rule, which is the result of years of thinking about what’s needed to deliver on the potential of health IT.

The rule was authorized and required by the 21st Century Cures Act, a piece of legislation that passed on a nearly unanimous, bipartisan basis, and a law that I know many of you in this room either worked on or advocated. The details of the rule may be complex, but the goal is very simple: It’s about access and choice. Patients should be able to access their electronic medical record at no cost, period. Providers should be able to use the IT tools that allow them to provide the best care for patients, without excessive costs or technical barriers. 

This sounds like a pretty intuitive, appealing standard. Unfortunately, some are defending the balkanized, outdated status quo and fighting our proposals fiercely.I want to be quite clear: Patients need and deserve control over their records; interoperability is the single biggest step we can take toward that goal.

In determining how to implement it, we will take very seriously all input from our stakeholders, including all of you in this room. We extended the comment period for the interoperability rule, and have done extensive in-person outreach as well. We will pursue the goal of patient empowerment while providing robust enforcement of and protection for these same patients’ privacy.

This is not about one software system design or the other. This is about ensuring that patients have access to information about their own health, and that providers have a choice in tools and solutions to provide the best possible care. Our work toward that end will in no way limit patients’ privacy protections.

Look at the status quo: Patients cannot easily access their medical records, providers on different systems cannot effectively communicate, and those holding patient data have prevented new market entrants from participating in this space. Defending a system like this, defending that status quo, is a pretty unpopular place to be … scare tactics are not going to stop the reforms we need.

HIStalk Featured Sponsors


Currently there are "22 comments" on this Article:

      • As a non-Epic affiliated observer, there is a remarkable difference in maturity level displayed by the people at or ex Epic and the peanut gallery here.

        • Admit it, this has been the biggest slap in the face to Epic, an epic slap to the face. They failed miserably here, point blank, no other way to spin it.

          BTW, your bias, evident by your comment, is another example of the Epic leech-ism in this industry. How do you even quantify your statement, how do you know who is Epic, ex-Epic, yellow, brown, white? Do you have some secret filter that takes you to the resume of everyone who posts a comment–where you can then view their Epic experience and confirm their maturity level? Anything Epic gets a bunch of likes, anything else gets disliked, PLAIN and SIMPLE. Leeches. This is a one-way website starting to have less relevance by the day due to the amount of bias.

          Here comes Apple, Google, Amazon and a trillion other vendors who weren’t built in 1960s tech…..PLAIN and SIMPLE.

          • While I’m feeling like when I occasionally try to converse with my dog, I can’t help myself – do you have any thoughts on the first half of this article? Any insight regarding Epic’s cited complaints?

          • You just got Kobe’d, broke you down until you reverted to name calling. Lost your cool and missed your shot. That’s what was fascinating about him, his mental game was stronger than his physical one.

            So calling someone a dog, is that an example of your epic maturity?

            No more responses from me needed. Look at the likes/dislikes above—point proven.

          • Why would my butt hurt? Why is it bad if someone’s butt hurts? It seems like you are implying that I am gay and that there is something wrong with that.

          • My favorite people are the ones that make irrelevant arguments about old technology. When is technology too old to be used? Should I give up my Amazon account because they use technology from the 80s? Will Epic be miraculously acceptable once they transition to Java?

            Maybe third time will be the charm for Google. Or, maybe Google could not care less about making a better experience/EMR for providers and they’re after the data they’ve been desperately trying to get.

          • The issue with Azar’s comment is that no one is actually defending the status quo. The industry has been steadily advancing patient’s access to their own records and interoperability between vendors for years. And rather than taking the time to analyze the current state of functionality and suggest specific improvements, HHS seems to think that clumsily opening the floodgates will be some kind of cure-all. “If we expose all of the data, it will solve all of our problems”. Sure, go ahead and pretend like Carequality, Commonwell, and CareEverywhere have done nothing for the industry. And go ahead and blame the EHRs, when it’s almost always the IT departments at healthcare organizations that are the gatekeepers.

            EHR vendors and hospital organizations are bringing up valid privacy concerns, and HHS and others continue to talk past them and make appeals to patient rights to access their data. And for the other commentators who are gleefully holding this statement up as some kind of “smack down” of Epic…I would encourage to wait until the final rule is actually issued, and we get to actually observe the impact of the final rule. It seems a bit pre-emptive to declare some kind of “victory” from something that hasn’t happened yet. You’re setting yourself up for quite a fall from pride.

            If you think the federal agencies under the current administration actually care about your privacy, just remember that Facebook got a laughably small fine. Far worse, Equifax leaked over 150 million financial information records that could actually be used for identity theft, and only ended up paying about $4.70 per person. Your medical data is worth a lot more than financial information alone, because of how it can be used to generate fraudulent claims. Forget your medical privacy for a second – what happens when people start trading your insurance member ID or your Medicare participant ID on an opaque data exchange? EHRs store that information…should they make that available to any app that asks for it, too? Well I guess they have to because the proposed rule doesn’t draw any meaningful lines around what data EHRs have to provide. It would be a beautiful irony if this proposed rule lead to a sharp spike in Medicare/Medicaid fraud.

            I have not yet heard a SINGLE defense of the privacy framework (or lack thereof) created with the proposed rule. Which to me just says “we don’t actually think your privacy is important”. And if that’s the case, just say so and defend it. The closest I’ve heard is “well some organizations are already selling medical data”, as if that’s some kind of defense.

  1. Also, a huge wildcard in the plans for the proposed rule is Google v. Oracle. If the Supreme Court upholds the Circuit Courts ruling, EHRs will have to live a in a regulatory landscape where both of the following are true:

    – their APIs are protected by copyright and they are within their rights to restrict their use and charge fees for such use
    – their APIs must also be exposed and offered for free

    If the SC upholds the ruling, EHRs will immediately sue arguing that the proposed rule is illegal (and they would be correct).

    • What you said: “– their APIs must also be exposed and offered for free” is incorrect. Companies would be able to charge a reasonable fee for people to use their API. What EHR’s won’t be able to do is to use fees and arbitrary acceptance as a barrier to data exchange. Only the mafia charges you a percentage of your revenue to operate a business “in their territory.”

  2. Back in the early days of patient portals and wannabe consolidators like Google Health and Microsoft Health Vault, constant comparisons were made to financial data – that patients would want to manage their health data like they do their financial data, a la Quicken or Mint.

    Didn’t happen, but what did happen on the financial side was fairly open access to data by consumers, who could send it to whatever financial app they wanted. Sure there were some issues, but the world didn’t end.

    Maybe it’s time to make the same leap of faith with healthcare data.

    • When did the federal government step in to mandate that big banking make financial data available with APIs?

      I’ll say what I said to another person who could only muster up a “FHIR BAD” response and a lie about needing to join App Orchard (btw you only need to enroll for free in open.epic to get a client ID to access FHIR endpoints, you don’t need to pay – I’ve done it)….

      What is missing from the FHIR spec today preventing someone from creating a Mint for healthcare application?

      • They didn’t, that’s the point. More importantly they also don’t require financial apps to be covered by a smothering HIPAA analog.

    • It’s a good thought but I think the use case just doesn’t make sense. People have one or two entities from which they receive medical care. People have >5 credit cards and bank accounts across which they want to aggregate and budget. In the banking sector, your bank can’t solve the problem by making the UI better. If Mychart was better, nobody would use a Mint for healthcare.
      Most care delivered to the under 65 crowd is episodic. The only people who need to consistently monitor and interact with their data are over 65 or the caregivers of the over 65. Demand for tech solutions is less among that crowd.
      Consumer apps in healthcare are really really hard. Most are ad supported, which means they increase utilization (more eyeballs, more ads.)

  3. With regards to the current discussion of the Cures Act, Info Blocking, etc., I think it might be worthwhile looking at a broader picture of the health data privacy landscape. We’re discussing if it is in the best interest of the patient to allow unrestricted access and freedom-of-use of a patient’s information by the patient themselves. Without expressing my opinion on this, I would posit that this decision has for all practical purposes, already been decided for us.

    Healthcare data breaches since 2014 have exposed over 200,000,000 records. And the really good hackers get in and out without setting off alarms, so who knows what the total number of exposed records is. Black hats are always one step ahead, so breaches won’t slow anytime soon.

    There are indications that there are far more health systems with Google-Ascension type of agreements than have been publicly acknowledged. Given the current furor, would you publicize that you have such an arrangement? De-identification techniques are readily available, and given access to the databases, could be effectively used.

    And for the gold standard of information that companies would love to have…the top 5 private DNA testing companies have in the neighborhood of 29 million customer’s complete genome with no restriction on how that data may be used, sold, etc. And their follow-on survey questions only add more information on personal lifestyle and family history.

    So what is the chance that we’re discussing whether or not to lock the barn door when a walk around the barn reveals the back wall is already gone?

    • I’d say there’s a difference between onesie-twosie breaches of incomplete records or batches of radiology images (which still get counted as “medical records”), and giving unfettered ongoing longitudinal access to full medical records. They’re both bad. One is a lot worse, though. And breaches are illegal, and required to be reported depending on thresholds of patients involved. Patients have some limited recourse with breaches, and healthcare organizations have legal requirements to attempt to prevent them. Patients have zero recourse if an app sells their data per the terms of service. People sue hospitals all the time for privacy breaches. Good luck suing an app after approve the click-through agreement.

      The DNA testing issue is a separate, massive problem as well. I convinced several people to return their 23-and-me Christmas gifts when I explained how that data could be used to legally deny you access to insurance, since nothing clearly defines genetic information as a “pre-existing conditions” from a legal standpoint.

  4. If you want to get a sense of the sorry state of healthcare data management in the US by patients, check out this post on a popular technical forum. These are software professionals, not in healthcare for the most part. If these folks can’t figure out how to navigate it, who can?

    Most common answer? Scan everything and use filenaming conventions to keep track of stuff.

    In the US we have the worst of both worlds: No national repository for patients to access, and smothering regulations that make it impossible to do any alternative in the private sector.


    • That’s a pretty disingenuous representation of the discussion in that post. No one is struggling to “navigate” their data.

      -The original post is about a guy who receives care at a practice that does not use an EHR. Hence, the need to scan things.

      -You are correct that the most common answer is to scan files and name them, because they consider that to be a perfectly adequate way to “navigate” their documents and data.

      -Many, many of the comments are about managing data outside of the United States.

      -Not a single person there requested API access to their data.

      -There is one comment praising the centralized nature of record keeping in Denmark. Or as HHS would probably call it, “Balkanized” record keeping.

Text Ads


  1. I share your concerns about a lot of similar projects, but I think this one's an outcomes comparison thing, not…

  2. "Ascension Via Christi sent several ICU nurses home after they raised concerns about inadequate staffing." Nice. That'll show em.

  3. Thank you for sharing the full HIStory file. What a great tribute to Mr. Ciotti. “Those who cannot remember the…

  4. "Epic will roll out a “patients like this one” type tool to its users in Indiana this summer. It will…

  5. I don't see Cerner winning employee satisfaction surveys. I can't see VHA pivoting to Epic. It's going to be some…

Founding Sponsors


Platinum Sponsors








































Gold Sponsors









RSS Webinars

  • An error has occurred, which probably means the feed is down. Try again later.