Recently, a close friend of mine traveled to Bali and spent ten days in a “spiritual healing” center—an experience she insists is every bit as crucial to her physical well-being as seeing a conventional medical doctor. Another friend routinely undergoes acupuncture to relieve her migraines. Many others I know, including myself, seek out naturopathic doctors for a “full person” approach to health. Should any or all of these be considered treatment? What if certain states do not recognize naturopathic doctors as licensed practitioners—does that matter? And what if the “patient” genuinely believes these services count as “treatment”? Should that matter? These scenarios lie at the center of a controversy currently roiling the HIE and interoperability world. Beneath it all lurks a deceptively simple question: what, exactly, is “treatment”?
Epic v. Particle Health
Last month, Troy Bannister, CEO of Particle Health, published a post claiming that Epic abruptly stopped responding to certain medical record requests submitted via the Carequality network—a decision he says negatively affects thousands of patients and potentially puts more than six million patient encounters a year in jeopardy. Soon after, Epic released a copy of the Issue Notification, which shed light on the reason for the suspension. It then became evident that, at the center of the dispute, was Integritort, a company that had been accessing patient data through Carequality, ostensibly for treatment purposes.
From Integritort’s perspective, their access was warranted. Indeed, on its own website , Integritort highlights its “Innovative Approach” that includes “Holistic Care” and “Timely Medical Intervention.” The company explains:
“While mass tort cases unfold, patients often face a daunting wait, impacting their physical and emotional well-being. Our physician team steps in, using real-time medical records to craft a clinical assessment that address patients’ immediate health needs. This ensures that patients receive ongoing care that is tailored to their conditions and circumstances.”
Although it may be an unpopular opinion, on the surface this seems potentially reasonable. That is, a person who has been injured by another party’s wrongdoing might very well benefit from a medical records review and support. However, the fact that Integritort also shared those duplicate records with a mass tort litigation firm raised alarms—especially for Epic. Surely, the thinking goes, this could not qualify as treatment, and even if it fits within HIPAA’s definition of “treatment,” it must be designed to skirt the system, allowing “ambulance chasers” to gain access to medical records for lawsuits. But is that assumption entirely fair?
Playing devil’s advocate, consider what happens if the individual—the patient and potential plaintiff—indeed views the review of their records as beneficial for their well-being. Is that so different from seeing a naturopath? And if we say the “data sharing system” was never meant to transmit records to “nontraditional” provider types or for such “non-clinical” purposes, are we essentially imposing our own interpretations on what the person—the patient—wants done with their medical records?
Particle Health, which had facilitated the access, ended up suspending Integritort, but the bigger question remains: could what Integritort did actually fit within the broad definition of “treatment” under HIPAA? Depending on how you interpret the rules, maybe.
What Does HIPAA Say About ‘Treatment’?
The Treatment Scope is Broad
In December 2000, HHS finalized the definition of “treatment,” which appears in the Privacy Rule at 45 C.F.R. 164.501:
“…the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”
In the preamble to the Final Rule, HHS repeatedly emphasizes that “treatment” includes a broad array of activities where a health care provider furnishes, coordinates, or manages the individual’s health care and that “treatment” is intentionally defined to be broad.
The Scope of Health Care is Very Broad
In 45 C.F.R. § 160.103, “health care” is defined as:
“Care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following: preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.”
This means that just about any activity or service linked to a person’s health or bodily functions—beyond what might traditionally be thought of as “medical care”—can be considered “health care” under HIPAA.
In the preamble to the 2000 Final Rule (65 Fed. Reg. 82492–82493, 82499–82500), HHS explains that the term “health care” was deliberately given a broad scope. This ensures that activities such as preventive services, mental health counseling, and non-traditional therapies (if they address the health of the individual) can fall under the HIPAA definition.
Although state licensing rules vary, the Rule does not strictly limit “health care” to what is traditionally recognized as allopathic or osteopathic medicine. In the preamble (65 Fed. Reg. 82476, 82499), HHS clarifies that:
- Any person or organization “furnishing” care or services to maintain or improve an individual’s physical or mental condition can be considered to be providing “health care.”
- This can include complementary or alternative modalities—if they are carried out for health or wellness reasons (e.g., acupuncture, chiropractic services, certain forms of naturopathy), as long as the purpose is related to improving or maintaining health.
The Scope of Provider Type is Also Broad
The Privacy Rule incorporates a definition of “health care provider” from HIPAA’s statutory provisions and from 45 C.F.R. 160.103. HHS explains in its preamble to the Final Privacy Rule (65 Fed. Reg. 82476, 82498, 82504–82505) that a health care provider is:
“…a provider of services (as defined in section 1861(u) of the Act), a provider of medical or health services (as defined in section 1861(s) of the Act), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.”
In the preamble, HHS emphasizes that this definition is functional rather than strictly limited by license type or location. Essentially, if you are providing health care services, you may be considered a “health care provider” under HIPAA. Thus, in the view of HIPAA, many different professionals or entities can provide “treatment” (see 65 Fed. Reg. 82506).
The preamble to the Final Privacy Rule also addresses the fact that health care providers can be individuals or institutions (e.g., physicians, hospitals, skilled nursing facilities, clinical laboratories, or even alternative medicine practitioners) if they meet the basic standard of furnishing or being paid for health care. HHS notes that the Rule does not confer state licensure authority; it simply applies HIPAA’s definition for federal privacy purposes (65 Fed. Reg. 82476–82477).
Covered Entity Statuts is Not Required
The preamble clarifies that one may provide health care (treatment) without necessarily being a “covered entity” under HIPAA. Being a “covered entity” depends on whether the person or organization:
- Meets the definition of a “health care provider” and
- Transmits health information in electronic form in connection with a standard transaction (e.g., electronic billing or claims) (65 Fed. Reg. 82502–82503; see also 45 C.F.R. 160.102).
HHS specifically notes that there may be health care providers who do not engage in any HIPAA-standard electronic transactions—thus, they would not be subject to the HIPAA Privacy Rule as covered entities (65 Fed. Reg. 82476, 82502).
Nevertheless, as HHS points out in the preamble, the Rule’s definition of “treatment” itself does not hinge on whether the provider is a covered entity. The term “treatment” is about the nature of the service or activity being performed (65 Fed. Reg. 82498–82506). In other words, “treatment” can be provided by a covered entity or by a non-covered health care provider.
The “Treatment” Battlelines
Epic’s View: “This Is Not Treatment”
Epic took a hard stance: Integritort was not a health care provider, so it had no business accessing records under the treatment exception. Instead, Epic argued, the company’s real goal was to gather data for legal purposes, not to provide or coordinate actual patient care.
From this perspective, Integritort’s actions were a clear violation of Carequality’s trust, and Particle Health failed to prevent an entity from misusing health data under the guise of treatment.
Particle Health’s View: “We Followed the Rules”
Particle Health, while ultimately cutting ties with Integritort, initially stood by the argument that it was acting within HIPAA’s framework. After all, HIPAA doesn’t put strict limitations on who can provide or coordinate treatment. If a company is helping connect a patient with medical care, does it matter whether they’re also connected to a law firm?
Particle’s position seemed to be that it’s not their job to judge the intent behind the request—if it fits under HIPAA’s definition of treatment, then it fits.
Now, let’s step back from the outrage over trust and look purely at the letter of the law.
- Could a law firm facilitate or arrange for medical professionals (like nurses) to independently evaluate whether a person needs further health care services? Yes.
- Could those medical professionals access records to make that determination? If they’re coordinating treatment, HIPAA suggests yes.
- If a patient knowingly allows their records to be accessed by these professionals, does that strengthen the case? Absolutely.
Even if the ultimate goal was legal action, there’s an argument to be made that part of the process did, in fact, involve assessing health needs—which can be enough to qualify as treatment.
Is that a popular interpretation? Probably not. But loopholes are loopholes. I didn’t write HIPAA—I’m just pointing them out.
Final Thoughts: Loopholes, Trust, and the Future of Health Data Access
At the end of the day, this isn’t just a story about one company getting caught—it’s about the gray areas in HIPAA that allow for broad interpretations of treatment.
Here’s the reality:
- The definition of treatment under HIPAA is vague, and that vagueness leaves room for creative interpretations.
- When the patient is the one authorizing access, the case for access and use becomes even stronger.
- If the industry wants stricter protections, the rules need to be clearer—because as it stands, a good lawyer could argue that what Integritort did was not outright illegal under HIPAA.
Does this sit well with the health IT world? No (see the title to this post). But let’s not pretend that gray areas don’t exist. As long as HIPAA remains open to interpretation, cases like this will keep happening.
Moral outrage aside, if the industry wants real change, it’s going to need more than just finger-pointing—it’s going to need even clearer guidelines for networked data exchange. The other option is to enable individual access services (IAS) which would allow the individiual/patient to request and direct their medical records to go to whoever they want and for whatever reason they want — and, ironically, that will include the Integritorts of the world.
