Epic sues multiple health data providers, alleging fraudlent sale of health data
healthcareitnews.comIt took me a bit to get my head around this one; https://healthapiguy.substack.com/p/epic-v-health-gorilla-a-... has a great alternative breakdown. This is my understanding of the situation; if someone has any corrections, I would love to be enlightened!
Essentially, Epic, a massive healthcare company running the majority of electronic healthcare/medical record systems for hospitals/etc. makes data available to various data brokers, who then subcontract to other healthcare providers. The goal of this subcontracting is that if you e.g. come into an emergency department unconscious, but with identification, doctors can pull data from the broker, solemnly swear that they're treating you, and gain access to your whole medical record. Generally, good actors in this space will seek signed consent paperwork, or have policies in place with narrow carve-outs for emergency access, but there is (to my understanding) not a centralized, standardized system of access request, patient approval, and auditing.
There have been many issues in the past with shady providers who are, indeed, treating the patients, also turning around to sell the data they have to legal firms looking for plantiffs for lawsuits under the guise of "we're helping the patient by potentially giving them access to lawsuits that will advocate for them."
This current lawsuit alleges that the data brokers this time were simply turning a blind eye to completely fraudulent actors who never had the patient under their care, and that their access was knowingly used to bulk-mine patient data for lawsuit opportunities.
I wouldn't call CareQuality a "data broker" as much as it is an interoperability framework. It's essentially a big distributed system of participants who agree to instantly share patient records - CareQuality maintains a central list of participants and the URLs where they can be reached. Since the technical requirements to actually participate in this network are fairly complex (far more than a hospital IT can or should manage), there are companies like Health Gorilla which serve as QHINs (Qualified Health Information Networks) which query the network on behalf of their customers (i.e. doctors engaging in some form of care).
There are many gray areas to this - for example, a value-based care program or ACO can pull records en masse, for the purpose of "care coordination" (i.e. checking if a particular patient requires intervention). However, what Health Gorilla has done is certainly no gray area as some articles on this matter suggest - if the allegations are true, then they have engaged in outright criminal behavior along with their co-conspirators (RavillaMed, LlamaLab, and others). Thankfully, this situation has completely eroded all trust in Health Gorilla and prompted a massive customer exodus.
That's wild; thanks for the clarification.
Crazily, I only stumbled upon this because I ordered some discount blood labs and the requisition had Health Gorilla on the letterhead, which I found an absurd company name, so I googled them, and found the lawsuit which was filed the day prior. Absolute chance.