By Leslie Francis
Practice Fusion, an electronic health record (EHR) vendor, just settled with the Department of Justice to pay a $145 million fine for alleged kickbacks from an unnamed pharmaceutical company. The DOJ contended that the company had taken kickbacks in exchange for including practice alerts to encourage physicians to prescribe opioids. But paid-for prescription alerts were not the only practices engaged in by Practice Fusion with de-identified patient data.
Practice Fusion is an EHR vendor used by over 20,000 small office-based practices, serving more than 5 million patients. It was acquired by AllScripts in 2018 for $100m, although just a few years earlier it supposedly had been valued by as much as $1b. Practice Fusion initially became highly successful by marketing free EHR systems to physicians in office practices. The systems were particularly attractive because they enabled physicians to obtain the $40,000 incentive bonus from the federal government for becoming “meaningful users” of health information technology.
Practice Fusion provided the EHRs for free because their business model was to monetize de-identified patient data for sale to pharmaceutical companies. The pharmaceutical companies could then determine which physicians were frequent prescribers of their brand name drugs. The companies could also determine which physicians were slipping in the frequency of the prescriptions they wrote. Companies could then target their marketing to the physicians’ behavior. Although the business model was ultimately unsustainable without the meaningful use incentives and the Practice Fusion EHR now markets for a small monthly fee, similar sales of de-identified patient data continue. This business model is fully legal under HIPAA, as the patient data sold are de-identified even though providers are identified. Moreover, state efforts to rein in similar sales of prescription data de-identified as to patients but not as to providers had been struck down by the Supreme Court as a violation of the First Amendment, Sorrell v. IMS Health Inc. (2011).
In short, prescription alerts were not the only practices engaged in by Practice Fusion with the potential to significantly affect patient care. The alleged illegality that resulted in the recent settlement was a kickback. But the monetization of physician-identifiable data remains fully legal because it is conducted with de-identified patient data. De-identification fails to protect patients against data uses that may affect their care in ways that remain under-recognized.