
Epic, the nation’s largest electronic health record (EHR) company and a major beneficiary of a $48 billion Obama-era federal program to promote the adoption of EHRs, has launched a full-scale effort to block the flow of data out of its software and into apps that benefit doctors and patients. That’s wrong for many reasons.

Epic is attempting to scuttle finalization of a rule from the Department of Health and Human Services that would implement the interoperability and information blocking provisions of the 21st Century Cures Act. The thoughtfully crafted rule, proposed by the Office of the National Coordinator for Health Information Technology, and now under final review at the Office of Management and Budget, requires that EHRs operate seamlessly with third-party apps, and prevents EHR vendors and health care systems from blocking or inhibiting the flow of information between health information technology systems or to patients. The rule is intended to underpin a digital ecosystem on top of the government’s investment to transform the health care system.

Perhaps reluctant to see data flowing out of Epic’s monopolized silos, the company’s CEO, Judith Faulkner, wrote to leaders of hospital systems, asking them to oppose the proposed HHS rule. And if that effort doesn’t work, Faulkner told Politico that her company might sue HHS over the final rule.


By opposing the rule at this pivotal moment, Epic is doubling down on its monopolistic hold on American health care and would be blocking vital improvements in it.

Interoperability, along with better and more affordable information flow, will benefit patients, improve outcomes, and reduce costs and waste by the health system. The proposed rule would also meaningfully enforce individuals’ right to access digital copies of their health records, something that was theoretically possible under the Health Insurance Portability and Accountability Act (HIPAA).


Hold on a second, you might say. Isn’t health care already a data-driven enterprise? Most Americans believe that the information their clinicians type into their EHRs during appointments is used to benefit their care, perhaps to ensure that a patient isn’t placed on a medication that hasn’t worked for other patients like her, or to automatically detect a decline in kidney function that means he needs to see a specialist, or to coordinate essential information across different sites of care.

But it doesn’t really work like that. At the cost of millions to billions of dollars per hospital or health system, health care relies on pre-internet proprietary and non-interoperable software where, as in the old “Roach Motel” ads, data check in, but they don’t check out. In addition, EHR software is sold under contracts that contain both hold-harmless clauses to abdicate responsibility for adverse events associated with their products and nondisclosure clauses to inhibit reporting of serious adverse events. As described in “Death by a Thousand Clicks,” EHRs have contributed to an epidemic of physician burnout.

In Faulkner’s missive to health leaders, she misleadingly claims that patients have been able to download copies of their records since 2010. In fact, that was not possible at scale until about a year and a half ago.

In early 2018, Apple used the SMART on FHIR Application Programming Interface (API) — an interface we developed so apps could be added to or deleted from an EHR just as on smartphones — to connect its native Health App to hundreds of health care systems so iPhone users can acquire copies of their health records in an electronic computable format. What is important about this approach to standardized data download is that Apple’s Health App users acquire a structured and computable copy of their data that they can then share with a growing number of apps of their choice.

SMART on FHIR is required under the proposed rule, which also makes imperative that Epic and other EHR companies expose a much fuller data set to patients who want it. Access to all elements of a patient’s record across an API is required under the 21st Century Cures Act; the proposed rule details how that must be done.

Epic’s CEO points out that in an imagined world where Epic is the only EHR, data can be exchanged between health care systems using the company’s Care Everywhere. Unfortunately, this vision of interoperability for the entire U.S. health care system relies on information technology provided by a single, privately held company.

In its arguments against the rule, Epic claims that its concern is about protecting patient privacy. It is supporting a meme that patients cannot be trusted to choose their own health apps. We fully agree that patient protections are needed and have long argued for privacy-preserving patient control of health data. Here, Epic has taken the position of the fox arguing that chicken wire is a threat to chickens’ freedom to walk around.

Rather than continuing to work as a member of a larger ecosystem to ensure appropriate patient protections in the digital and connected information economy, Epic is instead deflecting progress in the fundamental need for interoperability. A cynic might believe that Epic prefers not to share the vast amount of data its systems collect in order to commercialize it. Anyone doubting that Epic’s position is monopolistic should read the recent editorial by Tommy Thompson, a former HHS secretary and Wisconsin governor, opposing HHS’ proposed rule to protect jobs in Wisconsin and bemoaning that it would require Epic to “spend a significant amount of its time on work to share its trade secrets with newcomers.”

Yet many of those “trade secrets” were underwritten by billions of dollars in federal investment, not to mention the original work at Massachusetts General Hospital that underlies Epic’s technology.

Epic could have decided to fully support the patient-enabling API and interoperability specified in the proposed rule and committed itself to making sure its implementation of the rule is a model of patient control and data security. Instead, by conflating these two goals, the company is attempting to provide political cover to stop what it sees as a threat to its business model.

For the past several years, Epic representatives have been collaborative and effective in participating in coalitions of academic and commercial groups that have made real progress toward universal APIs and interoperability. That makes the 11th hour full-on opposition to the proposed rule a particularly unfortunate assault on shared progress. If Epic is allowed to position itself as the only party able to innovate in health IT, then the health information economy should prepare for a recession.

Patient advocates — and that means all of us — are standing by to welcome Epic back to the table as a member of a growing community. But in the meantime, it should take back its last-minute call to thwart the HHS rule and inform its representatives in Congress and hospital leaders that the company supports the final rule because it will lead to better and safer care.

Kenneth D. Mandl, M.D., is director of the Computational Health Informatics Program at Boston Children’s Hospital and professor of pediatrics and biomedical informatics at Harvard Medical School. Isaac S. Kohane, M.D., is chair of the Department of Biomedical Informatics and professor of biomedical informatics and pediatrics at Harvard Medical School.

  • Can’t agree enough with concerns raised by other comments. Of course other big tech wants to open up the EHRs.
    Today, the main way for a third party to get medical data is through buying de-identified data from a covered entity or business associate. Under HIPAA, identifiable data cannot be sold by either. The de-identified data set will have contractual limitations on use, prohibiting re-identification and combination with other data sources in an attempt to re-identify.

    The other way is to ask for patients to provide the data themselves; however, most patients don’t do this and the data is incomplete for those who do. However, the interop rules will force this data to be shared with any number of third parties (upon the patient’s request to pull their data into the app from the EHR) and it will not be de-identified and it is not regulated by HIPAA when the patient provides it themselves.
    The value of identifiable medical data from patients is astronomical. Tech will fetch $$$ per patient record, multiplied by however many companies want to buy it. The only protection in place for patients will be user agreements which are full of legalese and subject to change over time. Even small, seemingly trustworthy companies could be bought by big tech with less patient-centered interests and then find ways to sell the data. Even if the data isn’t directly “sold” it could still be used for commercial purposes such as developing AI/ML algorithms that will fetch big money for big tech with unknown effects on pt outcomes.

    Patients are going to be targeted for access to their data. The most vulnerable patients are traditionally the most exploited and that trend will continue. They are the ones who most need access to their data and the least equipped to understand and interpret the user agreements they will sign.

    Within healthcare, we talk about informed consent and ethical human subjects research. We seriously limit who can view and use patient data. Physicians struggle with accessing aggregate data on the populations they treat. Any research requires at minimum an IRB review. Yet we think that third party apps should have unfettered access to identifiable patient data? Why have we spent a century learning about informed consent and medical ethics to throw it all away now?

  • The primary battle here is not between Epic and patients; it’s between Epic and Google/Microsoft/IBM/Apple. The ONC API standard will just shift the balance of power from one evil empire to an even larger one. Just about everyone outside of health care has woken up to the threat of surveillance capitalism and the death of meaningful privacy. I find it disappointing that so many in the medical informatics community continue to push for interoperability without accountability given what we’ve learned about Big Tech in the past few years.

  • IMO, these topics of data sharing for EMRs are hobbled more by a shoddy legal framework and lack of some pretty simple things, like a national health record, in achieving what this bill wants to happen. From Epic’s perspective I think they are likely more concerned about legal costs related to PHI disclosures and being in line with a specific state’s laws. From a high level this law is ill-conceived and I concur with some of the other comments that Amazon and Apple aren’t going to be the saviors of EHRs. Apple pulled out of its effort to make an EHR not because of interoperability but because of the complexity of legal compliance. While Epic isn’t great they aren’t some monopolistic boogeyman in this story.

  • As an analyst working for an Epic customer, your paragraph about relying on the Care Everywhere framework is wrong. We exchange with governmental orgs via eHealth exchange, other EHRs via carequality, and any EHR via the Direct standard. The biggest problems we have sharing data are small, specialized systems we have in house and getting our smaller regional partners to join one of the mentioned networks.

    If you really want the patient to control all their data, you should start with getting healthcare orgs to track where it might be sent internally and externally, not with expanding FHIR. Then go to all those companies and do the same. And again. And again.

  • I have two opinions about this:
    One; you are right about EPIC in terms of why they are seeking to block the rule. I was at their last UGM and Judi was going on about how if they wanted to make an API for every data point they have they would have to make 10 to the 1024 APIs or something ridiculous. Not only is that wrong, but it highlights how ham-shambled their software is on the backend.

    Two; I disagree that opening the doors to Apple, Amazon etc. is going to lead to a healthcare revolution. These companies are only focused on one thing: profiteering from more datapoints to sell you something. This will do nothing to improve the quality of care because everyone fails to realize that the digital tools we were given in healthcare are akin to getting a screwdriver instead of an automobile. These developers know nothing about healthcare delivery and never will. You can recruit 500 Atul Gawandes and still be just as clueless to this fact.

  • Dr. Mandl’s comments are right on. Epic technology has not added much to the health care system other than getting paid to regurgitate data on paper into an electronic format. The real innovation is being done by small aggressive developers who see the need to have real-time healthcare data available in an actionable format to the providers of healthcare services in any setting. EMRs’ business model is so bureaucratic and monopolistic that maintaining control under the premise that they know how best to guarantee the privacy of patient data is laughable.
