Antitrust, Information Blocking, and Compliance by Design: How the 2026 Epic Systems Case Is Reshaping Healthcare IT Risk Management
Information blocking enforcement after the 2026 Epic Systems case drives stricter healthcare IT compliance, ONC decertification risk, and higher penalties than ever.
The 2026 Epic Systems antitrust litigation is a watershed moment for healthcare IT, where compliance failures now carry multi-dimensional risk - from antitrust exposure to information-blocking penalties and Medicare exclusion. For Risk & Regulatory Intelligence professionals, the era of “passive” compliance has ended. This article exposes the new landscape, unpacks operational vulnerabilities, deciphers recent regulatory shifts, and guides leaders through practical steps to achieve defensible, workflow-embedded compliance.
Epic’s New Compliance Reality: When Technical Decisions Become Legal Evidence
On March 9, 2026, the American Association for Disability Justice, joined by Larry Miller and John Hodges, filed suit against Epic Systems Corporation in the U.S. District Court for the Western District of Texas (1:2026cv00564). Their complaint - now recognized as a pivotal convergence of antitrust, disability, and information-blocking enforcement - alleges Epic leveraged its dominance in electronic health records (EHR) to stifle interoperability, fragment patient medical records, and obstruct patient and third-party access, particularly undermining those making disability claims under Social Security and the ADA.
The suit is grounded in three statutory frameworks: federal antitrust law, the Americans with Disabilities Act, and the information-blocking provisions of the 21st Century Cures Act. Notably, the complaint asserts that Epic’s MyChart architecture fragments patient records across portals, imposes technical barriers to API-based access, and undermines patients’ ability - especially those with disabilities - to assemble complete health documentation for legal and benefits proceedings.
Epic has moved to dismiss the disability counts, arguing there is no private right of action for individuals under the Cures Act and challenging both antitrust and ADA claims. At stake is the question of whether EHR business practices, technical design, and API policies create monopolistic, discriminatory, or information-blocking harms - a question that now carries industry-wide resonance (Justia Docket; Health API Guy Substack; BenefitsPRO; Becker’s Hospital Review).
Enforcement with Teeth: OIG and ONC Lead a Rigid New Regime
The game changed in earnest when the HHS Office of Inspector General (OIG) began enforcing information-blocking laws with the power to impose civil monetary penalties of up to $1 million per violation - enforcement applying to health IT developers, Health Information Exchanges (HIEs), and Health Information Networks (HINs). Conduct before September 1, 2023, is exempt, but every subsequent decision by developers or networks is live ammunition for enforcement.
OIG’s stated priorities are clear: they target violations that lead to patient harm, disrupt or delay care, last for an extended period, or produce financial losses for public or private payers, especially when perpetrated with actual knowledge or intent. Investigations follow a defined process - triage, fact gathering, collaboration with ONC as necessary, and the opportunity for entities to appeal any adverse findings (HHS OIG Information Blocking; HealthIT.gov Enforcement Alert).
The ONC, for its part, can suspend or terminate certification of noncompliant EHR products - a fate with operational and financial implications. Loss of ONC certification bars affected products from qualifying for Medicare and Medicaid Meaningful Use and Promoting Interoperability initiatives, with providers obligated to transition to certified alternatives or risk payment penalties. Enforcement discretion has been temporarily extended for certain testing and attestation requirements through 2026, but the power to decertify remains immediate for critical failures - underscoring that “compliance by design” is now non-optional (ONC Enforcement Discretion Notices; Fierce Healthcare; QPP CMS Program Guidance).
When APIs and Portals Become Legal Liabilities
In the post-Epic regulatory environment, technical design choices - API restrictions, patient portal configurations, and interoperability setups - are no longer just IT details; they are prime evidence for enforcement. Guidance from the AMA and ONC makes it clear: disabling EHR capabilities that otherwise enable clinical sharing, refusing to register or support applications aimed at patient access, or requiring convoluted, account-fragmented logins all constitute potential information-blocking. Practices that add unnecessary technical burden, delay same-day access, or fail to make reasonable interoperability efforts can fall afoul of regulations unless they fit explicit, well-documented exceptions (AMA Information Blocking PDF; ONC Blog).
Authoritative best practices stress standardization (e.g., FHIR APIs), clear export functionality, and robust logging of all access or configuration changes. National Academy of Medicine perspectives argue for bidirectional, standards-based APIs, granular consent, and clear assignment of responsibilities - all as imperatives for both technical performance and regulatory defensibility (National Academy of Medicine).
Enforcement bodies have not hesitated to scrutinize API and interoperability decisions as practical evidence in proceedings, though the precise operationalization is guided by policy frameworks and practical case-by-case documentation (AMA Information Blocking PDF; ONC Blog; National Academy of Medicine).
The Operational Burden: Defendable Compliance Is Now a Live Discipline
For every incumbent and innovator in the healthcare IT supply chain, the message is unambiguous: documentation, auditing, and policy exceptions must be woven into daily workflows. Simply having compliance policies on paper is no defense; organizations must demonstrate, in real time, not just that they comply, but how.
Current regulatory expectations demand:
- Centralized, tamper-evident audit logging: Centralize logs across cloud environments, ensure immutability, delineate access controls, separate operational from audit logs, and define explicit log-retention and review routines (Orca Security Audit Logs Guide; SonarSource Audit Logging).
- Comprehensive event capture: Log authentications, authorizations, data disclosures, critical system/config changes, and all high-privilege administrative actions, enabling retrospective reconstruction of compliance posture (SonarSource Audit Logging).
- Policy-exception documentation: Use standardized forms, double review, lead ownership, and record every exception invocation with explicit reasoning and timeliness. Educate front-line staff and run periodic audits or scenario tests to ensure only properly justified exceptions are used (Sequoia Project Good Practices; Sequoia Project Policy Considerations).
- API/data design reviews and change controls: Launch APIs only after team-based review against real use-cases, documenting alternatives considered, risks weighed, and approval trails. Capture configuration decisions and link every production push to compliance artifacts and review minutes (Apiconference API Design Reviews; Tech Lead Journal).
- Automated compliance readiness: Employ continuous monitoring, automated evidence retention, real-time alerting on deviation, and checkpoint-based stage-gates where further deployment is blocked unless compliance artifacts are completed (Compliance-by-Design Playbook; FedRAMP Continuous Monitoring; Microsoft Engineering Playbook).
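The first two items above (tamper-evident logging and comprehensive event capture) are concrete enough to show in code. The following is an added example written for this article, not code from the article, from Epic, or from any of the guides cited; it implements a hash-chained, append-only audit log that records the five event categories the list names and a verifier that reports the first record whose content or position no longer matches the chain. The class and function names, the event categories, and every actor, patient, and application identifier in the demo are constructed for illustration.

```python
"""Hash-chained audit log with tamper detection (added illustrative example).

Each record carries the SHA-256 of its own canonical content plus the hash of
the record before it. Editing, reordering or deleting any record breaks the
chain at that point, so a reviewer can show *where* the evidence diverges.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Optional

# Event categories mirror the article's list: authentications, authorizations,
# data disclosures, config changes and high-privilege admin actions.
EVENT_TYPES = {"authentication", "authorization", "disclosure",
               "config_change", "admin_action"}
GENESIS_HASH = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    event_type: str
    actor: str
    detail: dict
    prev_hash: str
    entry_hash: str


def _canonical(seq: int, event_type: str, actor: str, detail: dict, prev_hash: str) -> bytes:
    # Sorted keys and fixed separators make the serialization, and thus the
    # hash, reproducible regardless of dict ordering or whitespace.
    payload = {"seq": seq, "event_type": event_type, "actor": actor,
               "detail": detail, "prev_hash": prev_hash}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _digest(seq: int, event_type: str, actor: str, detail: dict, prev_hash: str) -> str:
    return hashlib.sha256(_canonical(seq, event_type, actor, detail, prev_hash)).hexdigest()


class AuditLog:
    """Append-only in-memory log; a real deployment would write each record
    to write-once storage owned by a separate account."""

    def __init__(self) -> None:
        self._records: list[AuditRecord] = []

    def append(self, event_type: str, actor: str, detail: dict) -> AuditRecord:
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {event_type}")
        seq = len(self._records)
        prev = self._records[-1].entry_hash if self._records else GENESIS_HASH
        rec = AuditRecord(seq, event_type, actor, dict(detail), prev,
                          _digest(seq, event_type, actor, detail, prev))
        self._records.append(rec)
        return rec

    def records(self) -> list[AuditRecord]:
        return list(self._records)


def verify_chain(records: list[AuditRecord]) -> tuple[bool, Optional[int]]:
    """Recompute every hash and check linkage; return (ok, first_bad_seq)."""
    prev = GENESIS_HASH
    for i, r in enumerate(records):
        if r.seq != i or r.prev_hash != prev:  # reordered, inserted or deleted
            return False, i
        if _digest(r.seq, r.event_type, r.actor, r.detail, r.prev_hash) != r.entry_hash:
            return False, i                     # content edited in place
        prev = r.entry_hash
    return True, None


def build_demo_log() -> AuditLog:
    """Constructed sample events covering each category (hypothetical ids)."""
    log = AuditLog()
    log.append("authentication", "clinician-001", {"method": "sso", "result": "success"})
    log.append("authorization", "clinician-001", {"resource": "Patient/P-0002", "decision": "allow"})
    log.append("disclosure", "api-gateway", {"patient_id": "P-0002", "recipient": "app-patient-portal",
                                             "resource": "DocumentReference", "via": "FHIR"})
    log.append("config_change", "admin-007", {"setting": "third_party_app_registration",
                                              "old": "open", "new": "manual_review"})
    log.append("admin_action", "admin-007", {"action": "grant_role", "target": "clinician-001",
                                             "role": "break_glass"})
    return log


def tampered_copy(records: list[AuditRecord], seq: int, new_detail: dict) -> list[AuditRecord]:
    """Simulate an after-the-fact edit that leaves the stored hash untouched."""
    out = list(records)
    out[seq] = replace(out[seq], detail=new_detail)
    return out


if __name__ == "__main__":
    recs = build_demo_log().records()
    print("clean chain:", verify_chain(recs))
    edited = tampered_copy(recs, 2, {"patient_id": "P-0002", "recipient": "app-other"})
    print("edited disclosure:", verify_chain(edited))
    print("deleted config change:", verify_chain(recs[:3] + recs[4:]))
```

The chain proves integrity of what is present and pinpoints the first altered or missing record, which is what a reviewer reconstructing a compliance posture needs. It does not, by itself, detect truncation of the newest records or a full rewrite by someone who controls the store, so in practice the latest `entry_hash` is periodically anchored somewhere the log writer cannot modify (a separate account, a signed checkpoint, or write-once storage), which is the "immutability" and "separate access controls" point in the list above.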
Organizations have adopted these controls not only in anticipation of OIG or ONC audits, but also as a proactive defense against discovery exposure in civil litigation or government investigations.
Benchmarking, Scenario Testing, and Practical Playbooks
Operational readiness is now measured not against theoretical standards but against what can be proven in a live review or investigation. Quantitative public benchmarks are scarce, driving organizations to seek confidential peer benchmarking, scenario-based readiness drills, and external reviews as critical parts of their compliance agenda (Sequoia Project Good Practices). A comprehensive compliance playbook integrates live auditability, clear exception workflows, API and data review evidence, and the capability to produce chain-of-custody records and legal-hold logs at a moment’s notice.
Technical leaders are expected to prepare their teams for "tabletop" regulatory simulations - mock audits or breach scenarios tracing decision-making, documentation, and evidence as if before an enforcement body. Ongoing risk assessments, control self-tests, and peer-reviewed red-team exercises strengthen evidentiary posture and reveal latent vulnerabilities.
The Enforcement Pendulum: Structural Remedies Take Center Stage
Recent healthcare antitrust enforcement - most notably since 2022 - shows a marked regulator preference for structural remedies over behavioral (conduct-based) fixes, particularly in contexts where technical infrastructure or network control risks impeding competition or interoperability. Structural remedies include:
- Divestitures and business line carve-outs: Forcing a dominant actor to sell off parts of its business to restore competitive equilibrium.
- Mandatory supply or access commitments: Imposing enforceable obligations to share critical inputs, APIs, or data with rival systems - especially to prevent customer foreclosure or maintain interoperability (Dechert Vertical Merger Analysis).
- API and interoperability mandates: Commanding open, standards-based interfaces for third-party access or data migration to break lock-in.
- Information firewalls and data separation: Required separation between business units or between sensitive competitively significant information flows (KFF Brief; Urban Institute).
Remedy rationales are clear: structural changes offer clarity and lasting market impact, avoid the difficulties of behavioral oversight, and address root causes of impairment. Agencies have adopted this “remedies-before-litigation” stance to streamline enforcement, preempt ongoing monitoring burden, and catalyze industry-wide improvements in interoperability (Dechert Vertical Merger Analysis; AAI Working Paper).
Academic and law firm analyses interpret this shift unambiguously - structural remedies are perceived as more effective at constraining market power and enabling genuine competition, with divestitures or forced interoperability often replicated via consent orders and judicial decrees (Crowell & Moring PDF; Archive.HealthcareValueHub).
In healthcare IT, interoperability mandates - such as API access requirements and data portability obligations - have become direct regulatory and enforcement tools paralleling those in financial data markets and telecommunications (Firely Patient Access API; ONC API guidance; White House OSTP data portability).
Leading Amid Ambiguity: Adaptability in a Shifting Landscape
Even amid this new regime, significant uncertainties remain. The interplay between antitrust remedies and information-blocking penalties is unsettled - an organization may face simultaneous OIG, ONC, and potentially DOJ/FTC actions for the same technical configuration or contract provision. The exact contours of structural versus behavioral enforcement in healthcare IT are still being drawn, and “regulatory layering” elevates the complexity of compliance planning.
Urgent questions confront every regulatory intelligence leader:
- How will future structural remedies translate in the EHR and interoperability domain? Are mandates for open APIs and standardized data portability just the beginning?
- Where are the boundaries between OIG penalty jurisdiction and ONC decertification, and how will appeals or remediation windows flex under the pressure of high-profile cases like Epic?
- To what extent will contract terms, source code, logging configurations, and even error-message patterns be treated as actionable evidence in litigation and regulatory review?
The answer lies in relentless vigilance - embedding compliance not as a periodic checklist, but as a “living discipline” woven into every technical, operational, and policy layer. Ongoing peer benchmarking, forward-looking regulatory watch-lists, and iterative control improvement are today’s strategic imperatives.
Conclusion: From Defense to Strategic Compliance Advantage
The 2026 Epic Systems litigation has ended the fiction that compliance is a static, check-the-box activity. Every configuration decision, workflow logic, and API design is now a latent exhibit in possible future regulatory action or civil proceedings. The converging disciplines of antitrust, information blocking, and disability-rights law demand operationalized, live compliance - no more paper artifacts, no more siloed policy binders.
For leaders, this means integrating real-time auditability, scenario-based testing, and workflow-embedded exception handling as non-negotiable business functions. Compliance is no longer a cost center - it is a core pillar of risk reduction and strategic differentiation. In the coming regulatory environment, nimble, technically savvy organizations will convert compliance depth into long-term market and reputational security. The Epic litigation is only the beginning signal; future-proofing your risk operations is the only durable answer.
FAQ:
What is information blocking enforcement in healthcare IT?
Information blocking enforcement is regulatory oversight by agencies like HHS OIG and ONC to detect, investigate, and penalize practices that unreasonably restrict access, exchange, or use of electronic health information. Since September 1, 2023, OIG has authority to impose civil monetary penalties - up to $1 million per violation - on health IT developers, networks, and exchanges (HHS OIG Information Blocking).
How did the 2026 Epic Systems case change information blocking enforcement?
The 2026 Epic Systems litigation heightened regulatory scrutiny on EHR vendors’ interoperability, API policies, and technical design. Regulators now view technical barriers - like isolated MyChart portals or restricted APIs - as legal risk factors. The case established that compliance must be proactive and evidence-based to avoid penalties or ONC decertification (Justia Docket).
What are the penalties and consequences for violations?
Violations of information blocking rules can result in OIG-imposed penalties up to $1 million per incident for health IT developers and networks. Providers face disincentives like Medicare payment reductions and zero scores in MIPS Promoting Interoperability. ONC can also suspend or decertify EHR technology, making it ineligible for federal programs (HealthIT.gov Enforcement Alert).
How does compliance by design reduce information blocking enforcement risk?
Compliance by design means embedding regulatory requirements directly into technical, policy, and operational workflows. This includes standardized FHIR APIs, tamper-evident audit logs, and rigorous exception documentation. Strong compliance by design enables live auditability, minimizes enforcement risk, and helps retain ONC certification (Compliance-by-Design Playbook).
How does information blocking enforcement differ from ongoing compliance monitoring?
Ongoing compliance monitoring is preventive, using self-assessment to detect and resolve risks. In contrast, information blocking enforcement is reactive - a regulatory process triggered by complaints or audits, potentially resulting in investigations, penalties, or decertification for confirmed violations (HHS OIG Information Blocking).
What operational problems does information blocking enforcement typically expose?
Enforcement often reveals technical and contractual issues such as fragmented portals, restrictive API settings, incomplete audit logging, or workflows that impede patient data access. These deficiencies lead to heightened risk of penalties, regulatory reporting requirements, and product decertification, especially after the Epic case (ONC Blog).