The next time you get a letter asking you to join a class-action lawsuit for something that is in fact relevant to you … it’s probably not a coincidence.

Epic Systems is the largest vendor of electronic health records (EHR) in the United States. A few years ago, its engineers noticed that some of its customers were behaving suspiciously. Their internal investigation revealed what they allege are “organized syndicates” that purchased records under false pretenses in order to use the data for non-treatment purposes – mostly to generate client leads for law firms.

It's all in a new federal lawsuit against Health Gorilla and its customers. This suit was filed by Epic and various healthcare partners, including UMass Memorial, as detailed by Daniel Gilbert in The Washington Post last week (paywalled story here). Among other things, Epic’s investigation revealed that as many as thirty law firms appeared to have accessed patient records. Though no firms are named in the litigation, Epic says they don’t need to be.

The suit alleges that, as gatekeeper, Health Gorilla was knowingly “in league with its connections’ misuse of health information as a commodity.” Epic also claims that Health Gorilla’s customers went to great lengths to disguise themselves as healthcare providers to hide their true intent. These tactics included adding junk data to patient charts to “give the false impression they are treating patients.” Fictitious websites, shell companies, and the use of sham National Provider Identification numbers are cited as additional evidence of malfeasance mentioned in the complaint.

The lawsuit suggests that the schemers operate like a Hydra: “When one fraudulent entity is exposed, the bad actors birth a new one.” If Epic asked one company about unusual patterns in its records requests, submissions would abruptly stop only to be restarted by another.

As Brittany Trang of STAT News notes, the current lawsuit “raises fresh questions about how to guarantee patient records are only shared with legitimate medical providers.” Industry expert Don Rucker agrees, calling it “a fight over who controls access to clinical data and how those data are governed once they move outside the provider's EHR.” Rucker and others point out that the HIPAA Privacy Rule – like most federal statutes on the matter – poorly defines “purpose of use,” leaving room for broad secondary categories that include, among other things, marketing.

The legitimate use of anonymized patient data is beyond dispute, especially when combined with responsible AI practices. Meta-analyses, for example, can lead to scientific breakthroughs including lifesaving treatments and cures. Anonymized data can improve quality standards and innovations in both practice and research methods. In order for that to happen, HIPAA needs to be updated to protect privacy. A good first step would be for Congress to put guardrails on data brokers’ selling of Americans’ personal digital data.