GuardDog Telehealth acknowledged that it accessed patient medical records through health information exchange systems for purposes not related to treatment and shared the information with law firms seeking potential litigation cases.
Unauthorized Use Of Patient Information
GuardDog Telehealth stated that access to patient records was for treatment-related activities, including chronic care management. Legal filings indicate that the company accessed and reviewed patient information, including protected health information (PHI), for other purposes. The records were analyzed and summarized to identify individuals who could be included in legal actions, and the resulting data was provided to law firms.
Method Of Access Through Interoperability Networks
The company obtained patient data through a Health Information Exchange network using Health Gorilla’s interoperability platform. Health Gorilla operates as a Qualified Health Information Network under the Trusted Exchange Framework and Common Agreement.
These interoperability frameworks are designed to allow healthcare organizations to exchange patient information to support care coordination. Through this access, GuardDog Telehealth was able to retrieve medical records from connected systems.
Legal Claims And Named Entities
Epic Systems, OCHIN, and three healthcare providers initiated legal action against Health Gorilla and multiple organizations. The complaint alleges that certain entities gained entry to interoperability networks under representations that did not reflect their actual use of the data.
Organizations identified in the legal filings include GuardDog Telehealth, RavillaMed, Mammoth Path Solution, and Llamalab. The complaint states that these entities obtained access to systems connected to Carequality, Trusted Exchange Framework and Common Agreement, and other health information exchanges.
The filings describe conduct involving the promotion of access to patient data for use by law firms. The purpose included locating individuals who could participate in class action lawsuits. The claims include fraud, aiding and abetting fraud, violations of the Federal Computer Fraud and Abuse Act and the California Business and Professions Code.
The legal action states that close to 300,000 patient records were accessed under the representation that the activity was for treatment. Among the entities named, only GuardDog Telehealth has acknowledged improper conduct.
Terms Of Agreement And Pending Court Action
GuardDog Telehealth entered into an agreement with Epic Systems that includes a request for a court order. The proposed order would prohibit the company from requesting patient records through Carequality and Trusted Exchange Framework and Common Agreement systems.
The agreement requires GuardDog Telehealth to delete all patient records obtained through these systems within one week. The company also agreed not to use or disclose any patient information acquired through the health information exchanges. Court approval is pending.
Health Gorilla Position and Ongoing Case Activity
Health Gorilla rejected the allegations and stated that GuardDog Telehealth did not disclose any non-treatment use of patient data. The company stated that it complies with applicable data-sharing requirements and disputes the claims raised in the lawsuit.
Health Gorilla reported that it attempted to review GuardDog Telehealth’s activities with participation from interoperability networks and healthcare providers. GuardDog Telehealth did not respond to those efforts and did not participate in the review process.
Epic Systems stated that litigation against Health Gorilla and other defendants remains active. The company also indicated that it is open to resolving claims with other parties through similar legal agreements.
Additional Litigation Involving Epic Systems
Separate class action lawsuits have been filed against Epic Systems and other organizations. The claims state that these parties failed to prevent Health Gorilla and its clients from connecting to the Epic Care Everywhere health information exchange.
The allegations state that Epic Systems and others were aware, or should have been aware, of the use of the system to obtain patient data for purposes not related to treatment. The lawsuits also state that corrective measures were not implemented in a timely manner.