Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute

by | Oct 30, 2024 | HIE & HIN, HIPAA Privacy, TEFCA & QHINs

In a decision that will have lasting implications for interoperability and health information exchange, earlier this month Carequality issued its Final Resolution in the dispute between Epic and Particle Health. This follows months of deliberation, multiple rounds of evidence submission, and deep scrutiny of the rules governing data sharing. If you’ve already read my previous blog post, “Epic v. Particle Health: The Controversy that Launched a Thousand Comments,” you’ll recognize many of the underlying issues (if you didn’t see my previous post on this saga, you can read it here). This latest resolution delivers much-needed clarity on several key concerns—but it also introduces fresh questions around enforcement, reciprocity, and how trusted exchange will continue to evolve.

Key Findings and Implications

1. No “Masking Gateway,” But Clarity Was Needed

One of Epic’s core claims was that Particle Health had built a gateway that concealed the identities of organizations requesting medical records. However, the dispute panel found that Particle had appropriately populated the necessary attributes in its security assertions and was not, in fact, “masking” its customers. The technical standards governing these identifiers had room for interpretation, which contributed to the confusion. Epic had previously pressured Particle to modify its approach, but ultimately, the panel determined that Particle’s implementation was within acceptable boundaries.

2. Violations of the Treatment Permitted Purpose

Perhaps the most significant finding was that certain Particle Health customers were improperly using Carequality’s “Treatment Permitted Purpose” to access medical records. Epic argued that Particle allowed non-provider organizations to claim treatment access rights when their actual use cases were outside of HIPAA’s definition of treatment. The panel found that two of Particle’s customers had, in fact, inappropriately used Carequality to obtain patient records. One organization appeared to be screening individuals for legal claims rather than coordinating patient care. Another was helping patients obtain copies of their medical records—an important function, but one that falls under individual access rights, not treatment. Both organizations were barred from participating in Carequality for at least 12 months.

A third organization, which had been using Carequality as part of a health plan-supported program, was more complex. The panel ruled that its data queries could qualify as treatment under certain conditions, provided that business associate agreements were in place and that the program was structured appropriately. However, past queries conducted before full implementation of provider opt-outs raised compliance concerns, leading to additional oversight requirements.

3. Reciprocity and Data Exchange Imbalances

One of the most striking revelations in this dispute was the significant disparity in record exchange volumes. Epic reported that Particle Health’s customers had pulled over 7 million records from Epic users while sharing back only 100,000—a 70:1 ratio. Carequality’s framework emphasizes mutual exchange, and this imbalance raised concerns about whether Particle was fully meeting its obligations. As part of the resolution, Particle is now required to implement additional oversight on how its connections exchange data. It must confirm that new connections comply with reciprocity requirements within two weeks of activation and will be subject to monthly reporting to Carequality.

4. Epic’s Handling of Directory Entries Under Scrutiny

Epic’s own policies also came under review, particularly its “Phonebook Policy,” which governs how it loads Carequality directory entries into its system. While Epic argued that its review process was designed to ensure compliance, the panel found that it lacked clear, objective criteria for determining which organizations qualify as treatment providers. To address this, Epic must now update its Phonebook Policy with specific, transparent criteria and provide monthly reports on how it is applying those rules. Additionally, if Epic declines to load an entry, it must notify the impacted organization and specify the reason.

Corrective Actions and What Comes Next

The resolution imposes a six-month corrective action plan on Particle Health, requiring:

🔹  Monthly reporting on new directory entries and data exchange patterns

🔹  Stricter onboarding requirements, including documented verification of relationships for “On Behalf Of” (OBO) connections

🔹  Immediate suspension of any connection if credible objections arise

🔹  A two-week grace period for Particle to review and remove any connections that may not be compliant

Epic, meanwhile, must refine its policies and ensure it applies its directory review process fairly and consistently.

Final Thoughts

This resolution clarifies Carequality’s rules, particularly regarding how the Treatment Permitted Purpose should be applied and enforced. It also highlights the growing tension between established EHR and Health IT vendors and newer data access connectors seeking to broaden the ways in which patient data is used.

While the immediate dispute has been resolved, the broader policy implications and questions remain:

• How should frameworks like Carequality balance desired data sharing with needed restrictions?
• How can data exchange be both secure and equitable?
• How will enforcement mechanisms evolve as more organizations push the boundaries of what’s possible within interoperability networks?

These questions remain unanswered for now … but at least the masks are off! 🎭

 
