Epic vs. Health Gorilla: Inside the Battle Over Who Controls Your Medical Records – MedCity News

Earlier this month, Epic, together with a handful of healthcare providers, filed a federal lawsuit against health data network Health Gorilla aimed at stopping an alleged scheme to exploit and monetize patient medical records without consent.

Ultimately, the dispute reflects unresolved ambiguities in how data interoperability should be governed across the healthcare industry. Experts think the lawsuit is less about stopping one bad actor and more about the need to define standardized rules and boundaries around healthcare data exchange.

Alleged conspiracy to monetize patient data

The complaint, filed January 13, claims that Health Gorilla enabled other companies to inappropriately access and monetize nearly 300,000 patient medical records. Health Gorilla has denied the allegations.

The plaintiffs are Epic, Trinity Health, UMass Memorial Health, Reid Health and OCHIN. They allege that Health Gorilla and a network of other companies set up fictitious healthcare providers, shell websites and fake provider IDs to make it look like records requests were for real treatment purposes. Instead, the data was allegedly diverted for non-treatment uses, such as marketing to lawyers seeking potential claimants for lawsuits.

The other companies involved in the network are a cluster of small telehealth, data and shell companies, many allegedly linked to the same founders and operators, that the plaintiffs say were used to pose as legitimate providers.

The complaint also stated that the defendants inserted “junk” information into records to hide their activity and give the appearance of genuine care, which in turn risked patient safety and wasted clinician time.

When one fraudulent entity was exposed, the same actors allegedly created new companies to continue the same conduct, operating “like a Hydra,” according to the lawsuit.

The lawsuit alleges violations of HIPAA, as well as other federal and state privacy protections. It also frames the scheme as threatening both patient privacy and the integrity of interoperable health data sharing systems.

The plaintiffs are seeking injunctive relief to immediately put an end to the alleged misconduct.

Health Gorilla is “fully prepared” to defend its conduct, according to a statement released this week by CEO Bob Watson.

“Epic’s lawsuit not only fails to provide all the facts, but reflects an irresponsible use of litigation as a weapon rather than to advance serious claims. As Epic knows, when Health Gorilla learned of the allegations Epic raises in its complaint, Health Gorilla immediately suspended the connections in question and began investigating their use of healthcare data,” Watson stated.

Although Health Gorilla’s investigation is still ongoing, the connections in question have remained suspended, he added.

Watson also said that “Epic has done the equivalent of shouting ‘fire’ in the middle of a crowded theater” when it comes to interoperability, suggesting that the EHR giant’s claims could unnecessarily alarm the industry and disrupt progress toward legitimate data exchange.

Interoperability vs. governance

The core issue of this legal battle isn’t interoperability; it’s governance, pointed out Jackie Mattingly, senior director of consulting services at healthcare security and compliance firm Clearwater.

“It’s not a case about interoperability failing; it’s the governance that’s lagging behind. Obviously we do need interoperability, because we travel, and we go to different places, and our data needs to be accessible. But the governance hasn’t caught up,” she declared.

Governance weakens once data leaves the EHR, Mattingly noted. While hospitals typically have strong controls within their EHRs, oversight can crumble when data flows to external platforms, analytics tools and third parties. Accountability doesn’t end when data leaves Epic, she said.

She thinks access controls have to get stricter, saying that granting data access can’t be a “set it and forget it” process. Healthcare organizations need purpose-based access controls and continuous reassessment of whether data sharing is still justified, Mattingly stated.

That gap between technical interoperability and accountability is increasingly seen as a systemic flaw in today’s data sharing infrastructure. Another healthcare leader, Tyler Giesting, director of healthcare M&A at West Monroe, said that the lawsuit exposes shortcomings and ambiguities in TEFCA’s current rules for exchanging clinical data. The Trusted Exchange Framework and Common Agreement (TEFCA) is a federal initiative designed to standardize rules and technical standards for nationwide health data exchange.

The framework is new and still evolving, so it lacks clear, enforceable definitions around who can access data and for what purposes, Giesting noted.

To him, this case highlights the need for stricter, possibly federally-led standards governing nationwide data exchange.

And it’s not the only recent legal battle that has shone light on this issue: in the past two years, courts have also seen lawsuits against data brokers like BetterHelp and Meta over alleged misuse of sensitive health data, as well as disputes involving EHR vendors and interoperability networks over how patient information can be shared.

Providers are concerned about the problem too. Last week, more than 60 health systems, including Stanford Health Care and NYU Langone Health, sent a letter to Mariann Yeager, CEO of The Sequoia Project, a nonprofit that influences the governance of health data sharing networks, demanding better oversight and transparency.

Closing the gaps

In Giesting’s view, the industry would benefit by shifting to a “trust but verify” framework.

“[TEFCA] is a trust-based model. I think the lawsuit is potentially exposing that there may need to be some type of a shift to a ‘trust but verify’ model. Is the person requesting the health information truly who they say they are? And do they have an authorized reason to receive the clinical record? That is not fully ironed out in the current framework,” he stated.

TEFCA also has gray areas around third-party data use, Giesting added. The framework doesn’t clearly address scenarios where data is requested for purposes outside direct patient care, so Health Gorilla could argue it followed existing rules and TEFCA guidance as a designated qualified health information network.

The lawsuit could make healthcare organizations more cautious about sharing data, Giesting predicted. He thinks some companies may limit participation in TEFCA or data exchange to avoid privacy or legal risks.

He noted that this could slow progress on industry-wide interoperability until clearer federal guidance emerges, echoing the concerns raised by Watson, Health Gorilla’s CEO.

Despite this near-term friction, interoperability is too central to healthcare, in terms of cost control, data-driven care improvements and clinical research innovation, to disappear, Giesting said.

He noted that the case underscores a broader pattern: private-sector innovation moves faster than regulation, especially in the healthcare world.

“I think the private sector generally kind of pushes the bar to the next phase. Even with AI, there will be innovation, and then regulatory measures will catch up. I think that’s what’s happening here, and it just points out the importance of having very close coordination between companies in the technology ecosystem, like Epic and Health Gorilla,” Giesting remarked.

Boosting oversight to protect trust

In order to improve data sharing across the sector, interoperability frameworks must actively enforce rules, not just move data, according to Jason Prestinario, CEO of data platform Particle Health.

He argued that frameworks like TEFCA and Carequality can’t be “passive pipes,” saying they need better oversight, compliance monitoring and enforcement. When they fail to do this, trust breaks down, he stated.

Particle Health is dealing with an Epic lawsuit of its own, though in this case Epic is the defendant and not the plaintiff. In September 2024, Particle Health sued Epic over claims that the EHR vendor is using its dominance in the market to prevent competition in the payer platform space. The complaint claims that Epic imposed technical and contractual barriers that limited access to patient data, which has effectively blocked rivals from building competing payer-facing platforms. Last September, a federal judge advanced the antitrust lawsuit.

Even though Particle and Epic aren’t on the friendliest terms right now, Prestinario still believes that Epic is raising legitimate concerns about suspicious activity and the need for stronger protections in health data exchange.

He noted that Epic’s complaint said that it had raised concerns to Health Gorilla and other network participants about suspicious data access and potential misuse of patient records several months before filing the lawsuit.

“Under the assumption that that timeline is accurate, that’s unacceptable. It puts every single implementer out there, including Particle, in a difficult position,” Prestinario declared.

In other words, if what Epic is alleging is true, then this lack of transparency and inadequate data control poses a systemic risk to interoperability and competition in the health data ecosystem.

Epic allegedly had no visibility into what was investigated or how. Prestinario warned that this lack of transparency can erode trust and restrict legitimate data access.

In his view, scandals like this have two damaging effects: they often lead to reduced participation in nationwide health data exchange, as well as tighter restrictions on necessary data access under the guise of security.

“Every scandal becomes a reason to restrict access, and I worry that this sets up a dynamic where Epic eventually says, ‘We’re out of these frameworks entirely.’ The answer to all of this is not less interoperability. It’s not for us to move away from the democratization of legitimate data access. It’s better enforcement of the rules on all sides,” Prestinario remarked.

He said he hopes the industry can tighten safeguards while keeping data accessible.

Photo: Aitor Diago, Getty Images