Readers Write: ONC Regulations: Why Epic is Wrong and Judy is Right

ONC Regulations: Why Epic is Wrong and Judy is Right
By Chinmay Singh

Chinmay Singh, MSE, MBA is co-founder and president of Asparia of Saratoga, CA.

In August 2018, a highly satisfied medical practice customer of a company I co-founded decided to join a large, multi-state group. As part of this deal, they were required to switch to Athenahealth’s EHR, which was used by the large group. My company was an Athenahealth More Disruption Please partner, so I thought we would get an opportunity to go live across thousands of practices.

My jaw dropped when I got the email below from the medical group’s vice-president of clinical informatics, indicating that the group had decided not to integrate our solution:

This is not the only case where my startup suffered due to information blocking. As any other health IT startup founder can attest, my mailbox is Exhibit A for proving that information blocking is rampant. Thousands of patients can also attest that such blocking impacts their wellbeing.

Despite of all of this, I ended up siding with Epic CEO Judy Faulkner last week.

As many of you know, Judy (my mom in India would be aghast if she knew I was addressing a 75-year-old woman by her first name) asked customers to oppose ONC’s proposed interoperability regulations, which are expected to be announced as soon as next month. CNBC published a series of articles that singled out Judy and hijacked the issue. The tone of the articles and associated tweets was similar to the partisan rhetoric that we regularly see on some national TV channels.

The article ignored Judy’s concerns about patient privacy. The Twitter world competed to paint the most successful health IT entrepreneur — a woman who has not taken a penny from VCs or from the stock market — as the villain.

Epic has done the right things by opening up App Orchard and enabling over 600 APIs. But is that enough? The answer is no.

App Orchard requires a company to pay a hefty membership fee and then a per-API call fee. There is no justification for the fee model. As an entrepreneur, I think the fee is arbitrary and excessive. The hefty membership fee does not make any meaningful contribution to Epic’s revenue (did someone at CNBC say $3 billion?) The only thing it does is to give ammunition to Epic’s opponents.

Similarly, Epic wants hospitals to use its software as the single source of truth. Unfortunately, by charging for each API call, Epic is encouraging the developer community (defined as “API Users” by ONC) to minimize use of such APIs, leading to the creation of new data silos. Why in the world you would develop 600+ APIs and not want them to be used is beyond my comprehension.

Epic’s flat-footed response does not end here. A few months back, the company decided to revoke developer access to all the APIs. Epic wants developers to contact Epic TS with their use case, who in turn will expose APIs on a case-by-case basis. You guessed it right — Epic will charge for this consultation.

Information blocking has hurt me and my company financially. Despite media portrayal of entrepreneurship, it is not fun to drive a rear-ended, 11-year-old Kia in Silicon Valley.

So why do I side with Judy? (sorry mom!) Because she is right to express privacy concerns.

I think everyone agrees that health information data is valuable. Mined at scale, it has the potential to help discover new treatments and reduce costs. At an individual level, interoperability can provide significant relief to patients as they seek treatment from a team of clinicians for conditions such as cancer. I have no doubt that the proposed ONC regulations will allow this. But patient privacy will suffer, and in the end, we will get overpriced and lower quality care.

The proposed regulations mention “API user” 40 times. As far as I can see, the regulations do not ask the API user to sign a business associate agreement or anything equivalent. Not once.

Not only this, the regulation requires “health IT developers” (aka Epic or Athenahealth) to approve the API user rather than their use case. Moreover, the regulation requires that such approval should not take more than five business days.

Who else, other than entrepreneurs like me, will get access to your health data?

Let’s start with law firms. Would malpractice premium jump because law firms will be mining such data at scale to find that one instance where a physician slipped? If that happens, will we continue to attract the best possible talent for medical schools?

Now imagine a cancer survivor who exchanges their health information for a free ride after chemo. Will they be discriminated against in job interviews because of publicly available information? Will politicians pit them against ALS patients in seeking votes?

What if this free ride was given to a teenaged incest victim from an underserved community who went for an abortion? Would the shaming ever end for her?

That is why Judy is right. But I do understand that she may not have said this as eloquently as a fellow Blue Devil from The Fuqua School of Business – “privacy is not an afterthought.”