Epic Systems to support government TEFCA program for health records

It's about to get a lot easier for patients in the U.S. to access their own medical records.

Healthcare software provider Epic Systems announced Thursday that people will be able to securely publish their health data across different apps they choose to use, meaning they will have more direct control over their medical information than ever before.

For example, if patients use a health coaching app or an app that reminds them to take their medications, they can choose to import their records directly into those platforms. All they need are the credentials they use to log in to Epic.

This seemingly simple feat is actually a major technological leap for the healthcare sector and reflects the beginning of a new standard of data sharing practices that will take shape across the country.

Epic is one of the organizations that has been helping the federal government establish the Trust Sharing Framework and Common Agreement (TEFCA). It was launched in December and aims to address the legal and technical requirements for sharing patient data at scale.

Historically, healthcare data in the U.S. has been siloed and difficult to move. Clinics, hospitals, and health systems can store their information in a variety of formats across dozens of different vendors, and there hasn’t been a reliable national mechanism for securely transporting it. This means that if a patient moves to another state or visits a new hospital, their medical records may not always follow them.

A number of companies and information-sharing networks have sprung up in the private sector to try to address this problem, but none of them have been able to solve it on their own. TEFCA was designed to help bring all these different players together.

TEFCA is overseen by an office within the U.S. Department of Health and Human Services. Patients can think of TEFCA the way they think of their cellphone use, said Micky Tripathi, assistant secretary for technology policy and national coordinator for health information technology at HHS.

If one person uses Verizon as their carrier, a second person uses AT&T, and a third person uses T-Mobile, they can all still call and text each other. The same rule applies to TEFCA.

“The idea was, 'We should really have that user experience where wherever I am, whatever system I'm using, I know it's going to connect to all the other networks, whatever network I'm on,'” Tripathi told CNBC in an interview.

“It's going to be revolutionary”

The main groups that participate in health data exchanges through TEFCA are called qualified health information networks (QHINs). These networks volunteer to participate (they are not compensated) and must go through a two-step approval process to ensure they are eligible and have the necessary technical infrastructure.

There are currently seven QHINs, including Epic, in operation within TEFCA, and Tripathi said a couple more are nearing completion. To help contextualize the kind of scale TEFCA requires, Tripathi estimated that Epic’s own network facilitates upwards of 10 to 12 million data transactions each day.

“Remember, this is about connecting networks that are already in place,” he said.

To participate in TEFCA, QHINs must support six different “sharing purposes,” which are the reasons an organization can request health data. These purposes include treatment, payment, health care operations, public health, government benefits determination, and individual access services.

Most sharing networks have previously supported “treatment” sharing purposes, meaning the recipient, such as a doctor or hospital, is providing care to the person whose records they are requesting. But by introducing other approved sharing avenues, TEFCA may be able to avoid some disagreements, such as those that have arisen this year over what exactly counts as treatment.

Individual access services, for example, are a new exchange purpose that will allow people to easily request all of their records and bring them into a single application. This means that patients can choose to see their entire history of doctor visits and hospital stays at once, as long as all the necessary providers are connected to TEFCA.

“I think it's going to be revolutionary in the next few years,” Steve Yaskin, CEO of Health Gorilla, a QHIN within TEFCA, told CNBC. “If you look at every other industry, they're using data to benefit them, aren't they? From banking to telecoms to any industry that's deeply rooted in understanding data.”

Since TEFCA is so new, many QHINs are still working on setting up all six sharing purposes. Epic’s announcement on Thursday means they are officially ready to support the individual access services track.

Rob Klootwyk, Epic’s director of interoperability, said implementing individual access took some time because it needed to be done in a thoughtful way. He said TEFCA needed to set boundaries that could describe how patients would be authenticated, how they could be informed if they needed to hand over their data to an app, and how apps could be held accountable to consumers.

Now, those questions have been answered, he said.

“We believe and our community believes that those pieces are now aligned and that TEFCA is the right path for this,” Klootwyk told CNBC in an interview.

For example, after a patient enters their Epic credentials to try to submit their data to an app, they will be presented with a patient information screen, according to Matt Doyle, a software developer on Epic’s interoperability team. The screens outline what information the patient would be disclosing and ensure they are comfortable with that decision.

Patient data is inherently sensitive and valuable, and it is protected by the Health Insurance Portability and Accountability Act (HIPAA), a federal law that requires patient consent or knowledge for third parties to access it. However, while some apps must comply with HIPAA, many others do not.

As a result, HHS decided that apps can volunteer to participate in TEFCA as long as they agree to comply with HIPAA, even if they are not legally required to do so. This means that QHINs like Epic will be able to inform users whether an app is a HIPAA-covered entity, part of a federally sanctioned data-sharing network, or neither.

“We say, 'Hey, we're not saying you're a bad group, we just don't know what your policies are on this. You should make sure you're informed and educated before you decide to share this,'” Doyle told CNBC.

At its core, whether people are interested in using apps to support their care or just want an easy place to look at their information, TEFCA aims to establish the foundation of trust needed to make that happen, Klootwyk said.

It will take about two weeks for Epic customers to see these new features roll out, though it will likely be longer before individual access services are widely used across the country.

HHS's Tripathi said that now that the TEFCA framework is in place, QHINs and the broader marketplace just need to get on board.

“This is a really important next step for a patient to be able to access their own information through an app of their choice so they can be more directly involved in their own health care,” Tripathi said.