
Epic vs. Health Gorilla: A look at the battle over who controls your medical records
Earlier this month, Epic, together with a handful of healthcare providers, filed a federal lawsuit against health data network Health Gorilla, aimed at stopping an alleged scheme to exploit and monetize patient medical records without consent.
Ultimately, the dispute reflects unresolved ambiguities about how to handle data interoperability in healthcare. Experts think the lawsuit is less about stopping one bad actor – and more about the need to define standardized rules and boundaries around the exchange of healthcare data.
Alleged conspiracy to monetize patient data
The complaint, filed on January 13, alleged that Health Gorilla allowed other companies to improperly access and monetize nearly 300,000 patient medical records. Health Gorilla has denied the allegations.
The plaintiffs are Epic, Trinity Health, UMass Memorial Health, Reid Health and OCHIN. They allege that Health Gorilla and a network of other companies set up fictitious healthcare providers, shell websites, and fake healthcare provider IDs to make it appear as if record requests were for real treatment purposes. Instead, they allege, the data was diverted for non-treatment purposes, such as marketing to attorneys seeking potential plaintiffs for lawsuits.
The other companies involved in the network are a cluster of small telehealth, data and shell companies, many of which are allegedly linked to the same founders and operators, that the plaintiffs say are posing as legitimate providers.
The complaint also stated that the defendants inserted “undesirable” information into records to conceal their activities and create the appearance of genuine care, which in turn compromised patient safety and wasted physician time.
When a fraudulent entity was exposed, the same actors allegedly created new companies to continue the same conduct, operating “like a Hydra,” the lawsuit said.
The lawsuit alleged violations of HIPAA, as well as other federal and state privacy protections. The scheme was also framed as a threat to both patient privacy and the integrity of interoperable health data sharing systems.
The plaintiffs are seeking injunctive relief to immediately end the alleged misconduct.
Health Gorilla is “fully prepared” to defend its conduct, according to a statement released this week by CEO Bob Watson.
“Epic’s lawsuit not only fails to provide all the facts, but also reflects an irresponsible use of lawsuits as a weapon rather than advancing serious claims. As Epic knows, when Health Gorilla learned of the allegations Epic raised in its complaint, it immediately suspended the compounds in question and began investigating its use of healthcare data,” Watson said.
Although Health Gorilla’s investigation is ongoing, the compounds in question have been suspended, he added.
Watson also said that “Epic has done the equivalent of shouting ‘fire’ in the middle of a crowded theater” when it comes to interoperability, suggesting that the EHR giant’s claims could needlessly alarm the industry and disrupt progress toward legitimate data sharing.
Interoperability versus governance
The core issue in this legal battle isn't interoperability – it's governance, insists Jackie Mattingly, senior director of advisory services at Clearwater, a healthcare security and compliance firm.
“It's not about interoperability failures; it's about governance falling behind. It's clear that we need interoperability – because we travel and go to different places, and our data must be accessible. But governance hasn’t caught up,” she said.
Governance weakens once data leaves the EHR, Mattingly noted. While hospitals typically have strong controls inside their EHRs, oversight can break down as data flows to external platforms, analytics tools, and third parties. The accountability doesn't end when data leaves Epic, she said.
She believes access controls need to be tightened and says granting data access should not be a ‘set it and forget it’ process. Healthcare organizations need targeted access controls and a constant reassessment of whether data sharing is still justified, Mattingly said.
That gap between technical interoperability and accountability is increasingly seen as a systemic flaw in the current data sharing infrastructure. Another healthcare leader – Tyler Giesting, director of healthcare M&A at West Monroe – said the lawsuit highlights shortcomings and ambiguities in TEFCA’s current rules for exchanging clinical data. The Trusted Exchange Framework and Common Agreement (TEFCA) is a federal initiative designed to standardize rules and technical standards for the nationwide exchange of health data.
The framework is new and still evolving, so it lacks clear, enforceable definitions about who can access data and for what purposes, Giesting noted.
For him, the case highlights the need for stricter, possibly federally led, standards for data sharing nationwide.
And it isn’t the only recent legal battle to shed light on this issue: Over the past two years, courts have also seen lawsuits against data brokers like BetterHelp and Meta over alleged misuse of sensitive health data, as well as disputes involving EHR vendors and interoperability networks over how patient data can be shared.
Providers are also concerned about the problem. Last week, more than 60 health care systems, including Stanford Health Care and NYU Langone Health, sent a letter to Mariann Yeager, CEO of The Sequoia Project, a nonprofit that influences the governance of health data sharing networks, and called for greater oversight and transparency.
Closing the holes
According to Giesting, the industry would benefit from shifting to a ‘trust but verify’ framework.
“[TEFCA] is a trust-based model. I think the lawsuit may reveal that there may need to be some kind of shift to a ‘trust but verify’ model. Is the person requesting the health information really who he or she says he or she is? And do they have an authorized reason to receive the clinical record? That has not yet been fully resolved in the current framework,” he said.
TEFCA also has gray areas around data use by third parties, Giesting added. The framework doesn’t clearly address scenarios where data is requested for purposes outside of direct patient care – so Health Gorilla could argue that it was following existing rules and TEFCA guidance as a designated qualified health information network.
The lawsuit could make healthcare organizations more cautious about sharing data, Giesting predicted. He thinks some companies may limit participation in TEFCA or data sharing to avoid privacy or legal risks.
He noted that this could slow progress on industry-wide interoperability until clearer federal guidance emerges, echoing concerns raised by Health Gorilla CEO Watson.
Despite this near-term friction, interoperability is too central to healthcare – in terms of cost containment, data-driven care improvements and clinical research innovation – to disappear, Giesting said.
He noted that the case underlines a broader pattern: innovation in the private sector is outpacing regulation, especially in the healthcare world.
“I think basically the private sector is pushing the bar a little bit to the next phase. Even with AI, there will be innovation, and then regulatory measures will catch up. I think that’s what’s happening here, and it just points to the importance of very close coordination between companies in the technology ecosystem, like Epic and Health Gorilla,” Giesting noted.
Strengthen oversight to protect trust
To improve data sharing across the industry, interoperability frameworks must actively enforce rules and not just move data, said Jason Prestinario, CEO of data platform Particle Health.
He argued that frameworks such as TEFCA and Carequality cannot be ‘passive conduits’, saying they need better oversight, compliance monitoring and enforcement. If they don't do this, trust breaks down, he said.
Particle Health is dealing with its own Epic lawsuit, though Epic is the defendant in this case, not the plaintiff. In September 2024, Particle Health sued Epic over claims that the EHR vendor is using its market dominance to prevent payer platform competition. The complaint alleges that Epic erected technical and contractual barriers that restricted access to patient data, effectively blocking rivals from building competing payer-focused platforms. Last September, a federal judge tossed out the antitrust case.
While Particle and Epic are not currently on the friendliest terms, Prestinario still believes Epic is raising legitimate concerns about suspicious activity and the need for stronger protections in health data exchanges.
He noted that Epic’s complaint stated that several months before the lawsuit was filed, it had raised concerns with Health Gorilla and other network members about suspicious data access and possible misuse of patient records.
“Assuming that timeline is correct, that’s unacceptable. It puts every single implementer, including Particle, in a difficult position,” Prestinario said.
In other words, if what Epic is claiming is true, then this lack of transparency and inadequate data control poses a systemic risk to interoperability and competition in the health data ecosystem.
Epic reportedly had no visibility into what was being investigated and how. He warned that this lack of transparency could erode trust and limit legitimate access to data.
According to him, all these scandals have two negative consequences: they often lead to reduced participation in national health data exchanges, and to stricter restrictions on necessary data access under the guise of security.
“Every scandal becomes a reason to limit access, and I worry that this creates a dynamic where Epic ultimately says, ‘We’re completely outside this box.’ The answer to all this is not less interoperability. It’s not up to us to move away from the democratization of legitimate access to data. It means better enforcement of the rules on all sides,” Prestinario noted.
He said he hopes the industry can tighten security measures while keeping data accessible.
Photo: Aitor Diago, Getty Images