Health information network Health Gorilla is asking a district court to throw out Epic's lawsuit, arguing the case is "an attack on interoperability" and threatens patient safety and the stability of interoperability frameworks.
In January, electronic health record giant Epic and a group of healthcare providers sued Health Gorilla and several of its clients over allegations that the companies fraudulently accessed and monetized patient medical records.
In the lawsuit, filed in a California district court, Epic and the providers allege that Health Gorilla and its clients exploited nationwide interoperability frameworks, namely, Carequality and the Trusted Exchange Framework and Common Agreement (TEFCA).
The lawsuit was filed Jan. 12 by Epic, Reid Health, Trinity Health, UMass Memorial Health and OCHIN, a health IT solutions provider and consultancy. Epic and the healthcare providers claim they are taking legal action to defend patient privacy and protect sensitive medical information.
Health Gorilla is a qualified health information network under the federal TEFCA and also is an on-ramp to Carequality. TEFCA and Carequality are both national frameworks responsible for more than 1 billion patient-record exchanges each month. TEFCA and Carequality are not named in the lawsuit.
According to the lawsuit, Health Gorilla, as an on-ramp to TEFCA and Carequality, enabled health tech companies Mammoth, RavillaMed, LlamaLab, Unit 387, SelfRx, GuardDog and others to improperly access and monetize nearly 300,000 patient medical records from members of the Epic community.
OCHIN, Reid Health, Trinity Health, UMass Memorial Health and Epic said the organizations filed the lawsuit to "stop conduct that threatens patient privacy and the integrity of care."
Epic and the other plaintiffs seek immediate relief for fraud, aiding and abetting fraud, breach of contract and violation of the California Business and Professions Code as well as violation of the federal Computer Fraud and Abuse Act, according the lawsuit.
Health Gorilla filed a motion to dismiss Thursday, arguing that Epic and the other plaintiffs bypassed mandatory contractual dispute resolution procedures designed to allow the networks to self-govern and resolve disagreements through established mechanisms. The plaintiffs instead "sought to escalate what is fundamentally a healthcare governance dispute into a federal action and smear campaign," the company said in a press release.
In its motion to dismiss, Health Gorilla also describes the lawsuit as part of a pattern of conduct by Epic to deter both its competitors and customers from embracing innovation in interoperability.
The company said in its motion that it agrees with the plaintiffs that the Carequality and TEFCA networks can only proceed based on trust. But Health Gorilla and Epic have opposing views on which organization is eroding that trust.
"Epic has abused that trust in the guise of acting as the networks’ unappointed protector. By calling into question the networks’ ability to self-police—which is written into the very operative contracts that Epic helped to draft in the formation of Carequality and TEFCA—plaintiffs have done far more damage to the networks than the limited instances of alleged improper record requests," Health Gorilla wrote in its motion to dismiss. "Make no mistake: this lawsuit is an attack on interoperability, led by a party that stands most to profit from the networks' downfall."
By calling into question the networks’ ability to self-police, Epic's lawsuit threatens the stability of systems that providers rely on daily to deliver safe and efficient care, Health Gorilla said in the press release.
“Carequality and TEFCA protect patients by ensuring clinicians have the information they need at the point of care,” said Bob Watson, CEO of Health Gorilla, in a statement. “Bypassing them risks destabilizing systems that hundreds of millions of patients and providers depend on.”
The company also argues that Epic's lawsuit relies on facts Health Gorilla provided to Epic after it cooperated in investigations concerning certain network participants, during a monthslong process involving Carequality, the TEFCA network administrator and several of the nation’s largest health providers. Health Gorilla asserts its involvement in that investigation demonstrates its commitment to vet and investigate concerns.
"None of the providers that joined Health Gorilla’s investigation are plaintiffs, which is telling—as discovery and trial would show, there is nothing there that supports claims against Health Gorilla for wrongdoing," the company said in the motion.
In asking the court to dismiss the case, Health Gorilla argues that Epic and the health systems participating in the lawsuit failed to satisfy Carequality’s and TEFCA’s mandatory dispute resolution provisions and that the plaintiffs have no enforceable contractual rights against Health Gorilla.
The company also argues that the fraud and aiding and abetting claims in the lawsuit are deficient because the plaintiffs must allege Health Gorilla actually knew about the fraud. "The complaint pleads at most that Health Gorilla should have been more suspicious; i.e., was negligent. That is not enough," the company said in the motion.
In a statement issued Thursday, Epic hit back at Health Gorilla's moves to dismiss the case.
"Medical records are deeply personal and exploiting them is wrong. In their motion, Health Gorilla asserts that they should be dismissed as a defendant in the lawsuit because they had 'lack of actual knowledge' of wrongdoing. That is not an acceptable reason—Health Gorilla had a responsibility to safeguard sensitive patient data and know why it was being taken," an Epic spokesperson said in a statement to Fierce Healthcare.
"The public deserves a complete investigation and transparent resolution in federal court. It should not be done behind closed doors," the Epic spokesperson said.
In the lawsuit, Epic and the provider organizations allege that Health Gorilla and some of its clients "operate as organized syndicates to monetize patient records without patients’ knowledge or consent."
Epic claims Health Gorilla and the health tech companies requested patient records for the purpose of treating patients but took those patient records for other purposes, including to market them to lawyers looking for potential claimants with specific conditions and diagnoses that would qualify them to join mass tort class-action lawsuits.
Health Gorilla, in a statement issued Jan. 12, said it "vehemently" denies the allegations. The health data network claims, similar to Particle Health's beef with Epic, that the EHR company uses its market power in the health tech industry to control access to medical data.
The case represents more than just a business dispute as many industry executives say it raises broader issues about the future of data sharing.
Don Rucker, former national coordinator for health IT and now chief strategy officer at 1upHealth, told Fierce Healthcare that the Epic-Health Gorilla lawsuit is essentially a fight over who controls access to clinical data and how those data are governed once they move outside the provider's EHR.
Epic's lawsuit could shift the policy conversation in favor of more gatekeeping, auditing or policing for access and use of patients' medical data, according to Brendan Keeler, an interoperability and data liquidity practice lead at HTD Health.
If Epic succeeds in this legal fight, it sets a precedent that could chill "grey-zone activity," Keeler wrote in a LinkedIn post, referring to secondary uses of patient data that create a grey zone in data exchange practices.