Charges fly as Epic files legal complaint against Health Gorilla
Records company and providers contend patient data was being monetized, while defendants say Epic is blocking data exchange.
Interoperability has long been pursued as the Holy Grail for healthcare data, enabling it to be gathered, shared and used to facilitate patient care across the healthcare system.
The blessing also can be the curse, if it is felt that data flows too easily to the wrong parties, used for purposes other than for that which it was intended.
A complaint seeking “immediate and permanent injunctive relief” filed by Epic and several other provider organization clients are charging exactly that, contending that Health Gorilla and several related organizations have misused 300,000 patient medical records from providers that are co-plaintiffs in the suit. The plaintiffs also allege that “an unknown number of records were taken from organizations nationwide, including the VA and providers using other EHRs.”
In response to the complaint, Health Gorilla denies the allegations and characterizes the Epic suit as “yet another example of Epic’s exclusionary actions that limit competition and restrict access to healthcare data.”
The brewing legal battle highlights how access to data through increased interoperability can give rise to questions about how that data may be used, counterbalanced by how to ensure interoperability in an industry dominated by a few technology vendors.
Nature of the complaint
The complaint, filed on Tuesday, January 13, in U.S. District Court in the Central District of California, charges fraud, aiding and abetting fraud, violations of California business and professions code, breach of contract and violations of the Federal Computer Fraud and Abuse Act.
Both Verona, Wis.-based Epic and Coral Gables, Fla.-based Health Gorilla operate qualified health information networks (QHINs) as part of the Trusted Exchange Framework and Common Agreement (TEFCA).
The plaintiffs contend they are taking legal action “to defend patient privacy and protect sensitive medical information,” saying that the Health Gorilla information network enabled Mammoth Rx, RavillaMed and other related companies claimed a treatment purpose to access data and then regularly monetized patient records.
This use of such information jeopardizes “some of a person’s most sensitive data, such as genetic, mental wellbeing and reproductive information, and the ability of physicians to keep their promises to patients that their information will be kept private.” Such actions also risk stalling progress on nationwide interoperability, Epic contends.
Charges in the compliant
The complaint notes that TEFCA and Carequality operate as two national frameworks that handle a billion patient record exchanges a month, enabling the transfer of patient data to network participants. It appears to contend that TEFCA’s and interoperability’s Achilles heel enabled too easy access to sensitive clinical patient records.
The complaint by Epic and co-plaintiffs contends that Health Gorilla “operate as organized syndicates to monetize patient records without patients’ knowledge or consent.” It also contends that bad actors use the access to data market it to communities such as lawyers, doing so by using “fictitious websites, shell entities and sham National Provider Identification numbers.”
In the complaint, Epic contends that it had confronted Health Gorilla about how it was using the data but could not reach an agreement. Health Gorilla had contended that efforts by “Epic and providers to safeguard patients’ private medical information (were) information blocking that is harmful to patients and as unlawful obstruction,” Epic’s complaint noted, terming those charges “an intimidation campaign … designed to chill scrutiny and preserve … access to patient records.”
Co-plaintiffs in the complaint – OCHIN, Reid Health, Trinity Health and UMass Memorial Health – say they are harmed because they have been forced to expend resources in the form of funds and employee time to investigate the breadth of Defendants’ misconduct and address data integrity and privacy issues and have also had to spend time on monitoring and attempting to mitigate the harms.”
Health Gorilla response
In its response, Health Gorilla says it intends to fight the litigation. “Because this is active litigation, we can’t comment on specific allegations. What we can say is this: Health Gorilla denies the allegations, has acted in good faith, and will vigorously defend the claims against Health Gorilla.”
The company says it acted promptly three months ago when Epic raised concerns about how the entities were using data, “and we have been working constructively with Epic and the relevant network authorities to address those concerns.”
The company also attacked Epic, saying its actions “reflect broader, ongoing concerns raised by others in the industry and by government actors about monopolistic practices in health information exchange by Epic. Health Gorilla supports efforts to promote competition, patient choice and fair access to health data.”
Risks to interoperability
Actions such as those charged in the complaint pose a risk to interoperability initiatives because they are using the data for purposes other than treatment. For example, the complaint contends that one of the defendants, RavillaMed, misled provider organizations and accessed their patient information “under the false pretense that RavillaMed is providing treatment when in fact it sells the patient records for profit to unauthorized third parties.”
The filing cites other misconduct, including that the defendants cover their tracks by inserting junk data into patient medical records “to give the false impression that they are treating patients, which risks patient safety and wastes valuable clinician time.”
The risks of misuse of patient information poses risks to the progress of wider use of interoperability, the plaintiffs contend, because patients will be less likely to allow distribution of their data and will add to providers’ burdens in policing data use.
“These actors are putting the enormous positive patient outcomes achieved through interoperability at imminent risk,” the legal filing explains. “When used appropriately, interoperability ensures that medical care is informed by a patient’s medical history, allowing healthcare providers to improve patient outcomes.”
The complaint contends defendants’ actions amounts to “exploitation of the interoperability frameworks,” and further contends they add costs on plaintiffs “to incur and to preserve the trust upon which the frameworks are founded.” The complaint seeks “immediate injunctive relief to stop the misconduct that threatens not only their institutions and patients and their privacy rights but also healthcare interoperability’s very viability. Without judicial intervention, there will be continuing and irreparable damage to patients; providers such as Reid, Trinity, UMass Memorial Health and others; Epic; OCHIN; and the overall integrity of interoperability.”
For its part, the Health Gorilla statement concludes that “patients and providers depend on trusted, open interoperability to support care. We intend to be part of the solution through transparency, accountability, and a continued investment in privacy and safeguards.”
Fred Bazzoli is the Editor in Chief of Health Data Management.