Dry January, Wet Signals

Dry January has started out torrentially wet, at least in terms of health tech news. Brad is back from vacation just in time for us to break down the newest lawsuit and other comings and goings with Pryce and me:* Epic’s case against Health Gorilla and why this one is going after mass-tort * Anthropic (and OpenAI) entering healthcare through patient-directed data access* Why nationwide exchange networks are straining under non-treatment demand* What ambient AI and administrative networks (Abridge × Availity) tell us about where workflows are headingAs an aside - editing took a tad longer than usual, so apologies for the delay.Relevant Articles and Posts* Epic v. Health Gorilla: A New Fight Begins* Pryce’s Excellent “Epic Lawsuit 101” LinkedIn Post* Epic’s Tactical Strike Beyond the Grey Zone* The Particle v. Epic Casebook* Another One: Anthropic’s Healthcare Debut* One Copilot to Rule Them AllChapters* 00:00 - Introduction and Overview of the Epic Lawsuit* 03:07 - Understanding Healthcare Data Networks* 07:57 - The Role of Health Gorilla and Other On-Ramps* 12:46 - The Competitive Landscape of EHRs and On-Ramps* 20:18 - The Ethical Implications of Data Usage* 27:54 - The Need for Court Actions in Healthcare Networks* 29:02 - Understanding Individual Access Services (IAS)* 30:22 - The Role of Technology in Patient Data Access* 34:41 - Collaboration Challenges in Healthcare* 39:42 - Streamlining Prior Authorizations with New PartnershipsTranscriptWe ran the transcript through an LLM to smooth it out. So it’s a rough approximation of the conversation (and in many cases significantly clearer than our rambling), but notably diverges from the word-by-word blows quite a bit.Brad Thorson (00:01)Gentlemen, it’s been a while. I’m recovering from the flu, as you can hear, but I really enjoyed last week’s discussion. Sorry to have missed it. I thought we were going to talk about Anthropic’s entry into healthcare, but something bigger happened earlier this week. Pryce, talk to me about Epic and Health Gorilla. What’s going on?Pryce (00:23)I posted on LinkedIn this week explaining the Epic–Health Gorilla lawsuit for beginners.The background is that nationwide health data exchange networks have existed for a long time. For people newer to healthcare data portability—who may have just downloaded ChatGPT Health and realized they can pull their charts—doctors have been able to exchange data like this for decades.The premise is that when you request data on these networks, you generally must be treating the patient. That’s the HIPAA “Treatment” purpose of use. These networks were built primarily for providers delivering care.There are gray areas. For example, what about a provider-facing application that isn’t an EHR but is used by clinicians? The user is still a provider requesting data to treat a patient, but you start to see edge cases. Eventually, some uses cross into fraud—where no one is actually treating patients.At their core, these networks exist so physicians can query each other for clinical data. Non-physician entities often try to join, not to sell charts on the black market, but for adjacent use cases like care management or analytics. Brendan, can you walk through the prior cases that set the stage here?Brendan Keeler (02:29)In April and May 2024, Epic initiated a Carequality dispute—not a lawsuit—against Particle Health. Several Particle customers were cited, including Integritort, which focused on mass-tort use cases similar to what we’re seeing now. Another was Reveleer, which operated at the payer–provider boundary.That dispute didn’t resolve, and Particle later filed antitrust claims against Epic in September in Particle v. Epic. That case focuses on business-associate applications connecting to EHRs on behalf of providers and being blocked.This lawsuit is different. Until now, it was a category of one. It concerns nationwide networks being used for purposes outside their original design. The dispute centers on where creativity crosses into abuse.Epic is not targeting gray-area use cases that many people might defend—like patient access, clinical trials, or value-based care. Instead, this case is narrowly focused on mass-tort data harvesting. Lawyers allegedly used the networks to identify patients with PFAS exposure and market lawsuits to them.That use case has almost no sympathy across the industry. If the allegations are true, it’s clearly outside acceptable bounds. That’s why the case is structured this way: it isolates a behavior very few people will defend, unlike the broader debate over treatment versus adjacent uses that can do societal good.Brad Thorson (05:48)Let me interrupt. I’ve learned this from working with both of you, but many people didn’t start their careers embedded in EDI or health data exchange. Can we briefly describe the ecosystem? What are these networks, and why do on-ramps like Health Gorilla exist?Pryce (06:18)Historically, Epic created Care Everywhere so Epic customers could exchange data with each other using CDA documents for continuity of care.Other EHRs responded. That evolved into networks like eHealth Exchange and CommonWell. The key point is that any node querying data must be trusted to be providing treatment.Over time, these networks interconnected—Care Everywhere, CommonWell, and eHealth Exchange shared trust frameworks. Now we’ve moved into TEFCA, with QHINs acting as intermediaries. Epic’s Nexus is one. Health Gorilla is another. Kno2 is another.QHINs onboard participants and commercialize access, similar to telecom carriers. The challenge is vetting customers appropriately. Once a node is on the network, the system largely trusts that it’s acting appropriately.At scale, however, patterns emerge. Some nodes query large volumes of data but never contribute new clinical information. That raises questions about whether they’re actually providing care.If Epic brought this lawsuit, it likely believes it has strong evidence. At sufficient scale, misuse becomes visible.Brendan Keeler (10:47)Yes and no.Originally, EHRs were the only on-ramps. Over time, non-EHR connectors were allowed to simplify access and expand adoption—similar to how Stripe simplified card networks.This massively expanded the ecosystem to vendors that lacked the expertise to build CDA or XDS integrations themselves.The business incentives differ. EHRs sell software to providers; network access is a feature. On-ramps sell access itself. Their revenue levers are value-added services, better APIs or UI, price competition, and—critically—who they sell to.Competitive pressure leads to boundary-pushing. If one on-ramp sells to a questionable use case, others feel pressure to follow. That’s not moral failure; it’s capitalism.That history explains the tension between EHRs and on-ramps.As for the “smoking gun”: a complaint must survive a motion to dismiss. Epic cites traffic spikes, relationship webs, and low-value returned data. That may not be conclusive proof, but it’s enough to reach discovery. The goal is to obtain indisputable evidence and demonstrate that this isn’t hypothetical abuse.Pryce (16:22)EHRs weren’t built to monetize data; they were built to document care. But data became valuable. On-ramps then arrived to add value—similar to how Google Flights disintermediated airlines.The network shifted from universal trust to skepticism. Privacy concerns are real, but business incentives also matter. The solution isn’t to shut everything down; it’s responsible expansion so trust remains intact.Brendan Keeler (17:52)Another perspective is that these networks were designed to replace fax-based transitions of care—not to be general data collaboratives.There’s massive unmet demand: payer workflows, quality measurement, patient-directed sharing, life insurance, litigation. People look at existing infrastructure and try to repurpose it.Providers originally agreed to participate only because rules limited use to treatment. That trust is now under strain.Meeting this unmet demand responsibly could unlock efficiency, just as payer–provider exchange eventually did. But it’s a bet.Brad Thorson (24:04)I worry that patient-directed data access through AI tools could create even more fraud vectors.Brendan Keeler (24:39)Individual Access Services (IAS) change the equation. They provide a paved path where the patient is identity-verified and explicitly authorizes access. That reduces misuse routed through treatment claims.These implementations will improve over time. Importantly, any fraud here involves patient choice. That shifts the debate from “is this treatment?” to “are we enabling patient agency?”As long as treatment boundaries remain narrow, people will keep forcing non-treatment uses through them. That pressure is the catalyst for everything happening now.Pryce (27:18)So we’re cramming non-treatment use cases into the treatment box because no alternative exists.Brendan Keeler (27:28)Exactly.Pryce (28:10)Who actually solves for this? In Carequality, it would be the Recognized Coordinating Entity pushing new operating procedures to participants. But everyone has to agree. That RCE is the Sequoia Project.Brendan Keeler (28:30)No single entity is fully in charge. It’s collaborative.The federal government lacks direct authority to mandate participation. Even certification is voluntary, tied indirectly to CMS. Because of federalism, health IT regulation relies on convoluted levers.ASTP was given a limited mandate under the Cures Act to establish a voluntary nationwide network. It has no authority to compel behavior. CMS has taken a similar approach through the Health Tech Ecosystem pledge—encouragement without enforcement.Absent congressional authority, agencies can only shift incentives. They try to overcome natural competitive dynamics and the difficulty of collaboration. That’s hard enough at a regional level, let alone nationally.We already built one network for treatment. Now we’re trying to do it again for individual access, operations, and payment. These are different jobs with different stakeholders and incentives. The work is difficult because collaboration is difficult.Pryce (30:31)What I’m hearing is that these are trust networks where everyone is expected to follow the rules—yet participants are often competitors. Participation is voluntary.That explains disagreements over operations and governance, and why new networks keep forming. TEFCA feels like another restart.In the last few years, I’ve started seeing the broader policy and economic forces at work. Capitalistic incentives dominate. It’s frustrating, but that’s why ASTP and the RCE exist. We need people to accept new use cases responsibly. IAS seems like one of the better paths forward.Brad Thorson (32:27)That analogy works.Pryce (32:29)IAS feels like the next obvious step beyond provider-to-provider exchange. Everyone should be able to access their data. The challenge is building trusted rails to make that possible.Brendan Keeler (32:52)Building the rails isn’t the hard part.Implementation guides for individual access have existed for years with limited adoption because incentives weren’t there. Health systems weigh limited upside against major HIPAA risk. A breach brings regulatory scrutiny, lawsuits, and long-term damage.Without financial upside, why prioritize this over payer exchange or internal operations?What changed is the demand signal. Disputes like Epic–Particle made it clear that if no safe path exists, people will off-road. That forces prioritization.Government signaling—particularly from CMS—has also helped shift the calculus. Together, that’s enough to move things forward.Pryce (34:35)When you lay it out that way, it’s all economics. Organizations don’t move until incentives force them to.Brendan Keeler (35:15)When decisions are framed as moral choices, adoption is limited.Electric vehicles struggled when they were more expensive and less capable. Adoption increased once incentives aligned and performance matched alternatives. Most people choose economics over morality.The same applies here.Brad Thorson (36:02)We should wrap up. Let’s shift to a private network example. Availity and Abridge announced a partnership that could reduce prior authorization delays. As a patient, that’s exciting. Who wants to explain why this partnership matters?Brendan Keeler (36:44)Availity is one of the largest administrative clearinghouses in healthcare. After the Change Healthcare cyberattack, Availity is widely viewed as a primary clearinghouse, alongside Waystar and Change.Abridge is a leading ambient scribe platform. Ambient scribes started by generating clinical notes from conversations. They’re evolving into co-pilots that reduce every keystroke required of providers.Beyond notes, scribes are expanding into orders, diagnoses, coding, and now prior authorization. Prior auth is a major administrative burden. Ambient systems can pre-populate payer-specific documentation using conversation data and clinical context.Abridge piloted this with Highmark and demonstrated ROI. To scale nationally, they needed a payer network. Availity was the logical partner.This fits a broader trend: every provider keystroke is becoming contestable territory for AI co-pilots. These functions will likely converge into fewer platforms over time.Brad Thorson (40:15)What stands out is that most ambient tools rely on a single data source—the EHR. This feels like one of the first examples where an ambient tool uses an external network.Brendan Keeler (40:37)That’s a fair observation. In this case, it’s mostly transactional—sending documentation to payers.But you’re right: some scribes are already pulling longitudinal records via HIEs. Inputs, jobs-to-be-done, and UI are all competitive surfaces. Epic’s approach pushes scribes into backend infrastructure, while others aim to pull clinicians into new interfaces. That difference defines much of the VC upside.Pryce (42:01)Prior auth boils down to whether a procedure is justified based on clinical history. HL7 Da Vinci defines this through CDS hooks and FHIR questionnaires.I’m curious how ambient systems actually respond to these structured requirements. Are they using CQL? How do generative models handle this determinism?Brendan Keeler (43:13)That’s a real tension point. Prior auth has multiple parallel solution paths—FHIR APIs, portals, phone calls.It’s worth a future episode to unpack those approaches in detail. For now, we’ll leave it there. Have a great weekend.Pryce (43:59)Thanks. Get full access to Health API Guy at healthapiguy.substack.com/subscribe