The Feed: June 23, 2026
HHS-OIG, ASTP/ONC, and CMS are now running an enforcement architecture for information blocking that Appropriate Use Criteria never had, and the prior auth piece I wrote two days ago may have underestimated it.
Eli Lilly is cutting 340B discounts at hospitals that won’t produce claims data, and the operational problem underneath is an EHR data problem.
WHOOP just landed native in Epic flowsheets, where uncalibrated proprietary signal is now indistinguishable from gold-standard measurement.
Epic dropped SelfRx from the Health Gorilla case after the founder swore someone else used the company’s identity to pull 100,000 records. The dismissal is a maneuver, not a retreat.
Medicaid work requirements go live in two states July 1, and the EHR build is harder than the policy story suggests.
Off-Label: McKinsey says 88% of organizations use AI and more than 80% report no EBIT impact. They diagnose workflow redesign. I’d add data.
The Feed is a quick take on the highest-profile health IT news of the week, with one piece from outside the beat at the close. Free through June, paid thereafter.
Last week I argued that regulatory mandates without enforcement architecture behind them tend to die quietly. Appropriate Use Criteria was the canonical example: mandated, repeatedly delayed, paused indefinitely in 2023. I used it as the parallel for the new prior auth standard (CMS-0062-P) and the Da Vinci profile that makes it work (The Feed, June 18, 2026).
The TEFCA enforcement story this week complicates that opinion. HHS-OIG, ASTP/ONC, and CMS are actively coordinating information blocking enforcement under the 21st Century Cures Act. OIG has CMP authority of up to $1 million per violation against developers, HIEs, and HINs. ASTP/ONC began issuing letters of nonconformity to certified EHR developers in February. CMS administers provider-side disincentives (Medicare Promoting Interoperability denial, MIPS zero scores, Shared Savings Program exclusion) that went live July 31, 2024. Patients can report suspected blocking through a public ASTP/ONC portal. TEFCA is moving roughly a billion clinical documents per month (HHS press release; June 19 briefing).
The contrast with AUC is more distinct than I originally thought last week. AUC had one enforcer, CMS, with one tool, administrative claim denial, and no investigative arm. Information blocking has three coordinated agencies, civil monetary penalties with teeth, certification termination authority, a public complaint portal, and active letters of nonconformity already touching developers. The structural difference is OIG. An investigative agency with subpoena authority and CMP power is the difference between a rule on the books and an active enforcement framework. Patient access to records also has a retail constituency in a way utilization-management policy never did.
The OIG-style infrastructure has not yet been built around the new prior auth standard. If it gets built, the AUC parallel I drew breaks. The trend may not follow Epic orgs. Instead, Epic orgs will be forced into compliance along with everyone else. I am correcting my own homework in real time.
Eli Lilly Isn’t Just Fighting Hospitals Over 340B. It’s Exposing The Hospitals’ Data Problem.
Eli Lilly began cutting 340B discounts on June 16 at the roughly thousand DSH hospitals that refused its June 1 demand for comprehensive claims data (STAT News; Dutch Rojas). Roughly 2,350 of the 3,350 affected systems complied. The refusers were coordinated through AHA and 340B Health. The trade press is framing this as pharma versus hospitals. The operational mechanism is an EHR data problem.
Lilly is withholding discounts because hospitals cannot or will not produce comprehensive claims data on demand. Claims, encounter data, and patient eligibility all flow through Epic workflows. Systems that cannot produce a clean data extract when a manufacturer demands it are now exposed to contract termination. The contract is the lever. The data is the choke point.
The program is interesting on its own terms. The “stretch scarce federal resources as far as possible, reaching more eligible patients and providing more comprehensive services” language that everyone treats as the North Star of 340B comes from House Report No. 102-384, Part 2, issued by the House Energy and Commerce Committee in 1992. The statute itself contains no explicit statement of purpose. Courts, HRSA, and healthcare attorneys treat that single committee-report sentence as the program’s definitive intent. It was never statutory text. It was never executive regulatory commentary. It was a House committee opinion (GAO 340B reference).
I have no sympathy for pharma. The providers have also taken advantage of the program. Both can be bad players. 340B purchases grew to $66.3 billion in 2024, up 27-fold from 2005. Large wealthy systems have acquired 340B-eligible hospitals as procurement strategy, routing pharma purchasing through the eligible entity and distributing expensive medications across the whole system regardless of the socioeconomic status of the delivery site. Rural referral center designations went from 3 in 2017 to 425 by 2023, with 82% of 340B-affiliated RRCs in urban areas. New York-Presbyterian, in midtown Manhattan with over $10B annual revenue, holds one (House Ways and Means testimony).
The story in the trade press will be pharma-versus-hospitals. The story from the EHR side is that bad data architecture has a price, and the bill arrived in the form of a contract clause. The political fight gets framed as 340B reform. The operational fix is data infrastructure. Most organizations are built for the political fight. Where there is mystery there is margin, and the mystery here has been the data layer the entire time.
Epic’s Flowsheet Doesn’t Know Where The Data Comes from. It Just Records the Number.
WHOOP announced direct EHR integration on June 17, partnering with an interoperability vendor to push wearable data into clinical records and launching on-demand video consultations with licensed clinicians inside its own app. A 2026 Rock Health analysis found 59% of wearable owners have already discussed biometric data with a provider (TechTarget / MobiHealthNews; Brendan Keeler, The Wearables Interoperability Stack).
The marketing reads as a step toward interoperability. The architecture reads as something else. A heart rate from a wristband running a photoplethysmography sensor with proprietary motion-filtering and duty-cycled sampling is not the same measurement as a heart rate from a 12-lead ECG. Epic flowsheets record numeric values, timestamps, and unit codes. Standard configurations strip the sampling frequency, sensor modality, and algorithmic processing metadata at intake. Uncalibrated, vendor-proprietary signal streams into the same clinical decision support pipelines as gold-standard measurement. A “heart rate” field looks identical regardless of source. The credentialed provider who signs the chart carries the diagnostic liability either way.
This is the inverse of the front-door piece coming tomorrow, which is about the patient-side disruption when affluent users assemble their own ambient data stack outside the institutional path (forthcoming Epic Won the EHR War. Will it Lose the Front Door?). This one is the EHR-side trap on the other side of the same wave. The independent middleware vendors built businesses normalizing this data and applying device-aware filtering before it reached the flowsheet. Direct integration eliminates that layer. The pipeline survives. The interpretive risk-filtering layer that was protecting clinicians from device-induced noise does not.
Epic Didn’t Lose the SelfRx Case. It Won the Witness.
Epic and four co-plaintiffs voluntarily dismissed SelfRx from the Health Gorilla case on June 3 with prejudice, after founder Martin Hensel swore under oath that SelfRx requested records for only 21 patients between April 2024 and January 2025, received records for 15 of them, totaling fewer than 100 records. Epic’s complaint had alleged SelfRx, via broker Unit 387 and QHIN Health Gorilla, pulled more than 100,000 records from Epic and OCHIN customers. Hensel also swore that Unit 387 set up SelfRx’s Carequality connection without having SelfRx execute the required Connection Terms. SelfRx’s name was in the participant directory. SelfRx never signed the governing contract. The door was open. The locks were not checked. Hensel testified he does not know who used SelfRx’s identity to pull records under that name. Epic alleged the volume was more than 100,000. SelfRx’s own count was fewer than 100. Epic has confirmed it will continue investigating (Becker’s; Healthcare Dive).
I have no inside Epic information and this is my interpretation. In my opinion, the dismissal is not a retreat. I think Epic walked away from a defunct defendant after extracting exactly what the rest of the case needs: a sworn declaration that the framework’s onboarding controls failed at the gateway. The QHIN onboarded an entity without having that entity sign the framework’s governing contract. The directory listed the entity as a participant anyway. Someone unknown used the unsigned ghost identity to pull tens of thousands of records. The witness against the gateway is now the gateway’s own customer, on the record.
Health Gorilla frames this differently. Their motion to dismiss argues Epic bypassed the framework’s contractual dispute resolution, threatens interoperability itself, and stands to profit most from the networks’ downfall (FierceHealthcare). That framing is not nothing. It is the crux of the polarization around the entire flurry of interoperability lawsuits. Both positions have a legitimate base. Open interoperability maximizes data flows to where it can positively affect care. The sensitivity and sanctity of the data also requires careful gating. Accomplishing both requires more than edicts and pronouncements. It requires Phase 2 reality: the operational architecture, the audit trail, strict liability at the gateway, real consequence for the QHIN that onboarded an unsigned participant. The framework was sold as Phase 1. The Phase 2 work is what these lawsuits are forcing into the open.
Where is Brendan Keeler when you need him?
Two States Implement Medicaid Work Requirements July 1, and the EHR Build Is Not Trivial
Montana and Arkansas begin live state-level enforcement of Medicaid work requirements July 1, ahead of the federal January 1, 2027 deadline. Nebraska already went live May 1. The CMS interim final rule published June 3 requires state agencies to conduct member outreach June 30 through August 31. Comment period closes July 31 (KFF Health News tracker; June 17 briefing).
This is being covered as a policy story. It is also an IT build story with a hard deadline. Epic and other enterprise EHRs are designed to document clinical encounters for billing and medical necessity, not to audit a patient’s weekly economic activity or community service hours. State Medicaid eligibility systems are mostly run by legacy vendors like Deloitte or Gainwell that rarely support modern HL7 FHIR APIs for real-time eligibility tracking. The interface that does not yet exist has to exist by July.
The technical friction points are concrete. ADL and IADL data lives in custom nursing flowsheets, not problem lists, so the structured exemption signal a state engine wants is not where state engines look. SUD-related data collides with 42 CFR Part 2, which blocks automated queries via standard HIE channels without explicit granular patient consent. USCDI captures employment status as a categorical variable, not as a rolling hourly ledger matching a 20-hour weekly compliance clock. Third-party administrative feeds (corrections records, school enrollment logs) operate at the state MMIS level via batch flat-file processing, bypassing provider data pipelines. The build burden lands on health systems. The data assets are misaligned to the task.
Your audience is not asking about the policy merits. They need to know whether their Epic eligibility verification workflow is ready for outreach starting June 30 and live enforcement July 1. Most are not.
The Throughline
The shiny layer keeps getting installed. The foundation keeps getting referenced as if it were already there. Interoperability frameworks moving a billion documents a month onboard unsigned participants. Epic flowsheets ingest wearable signal without device-modality metadata. State eligibility engines query clinical data assets that were not built for the question. The enforcement architectures the field is finally building (OIG investigation, civil monetary penalties, strict gateway liability) are the foundation writing back. Whether they hold is the next question.
Off-Label
Off-Label. Not health IT, not my usual lane, but something that made me think. Here’s why it should matter to people who do what we do.
McKinsey’s State of AI 2025 reports 88% of organizations regularly use AI, 72% use generative AI, and more than 80% report no tangible enterprise-level EBIT impact from any of it (McKinsey). McKinsey’s diagnosis is that AI is 20% algorithms and 80% organizational rewiring, and that workflow redesign is the single strongest correlation with bottom-line impact.
That diagnosis is right and incomplete. The other half is the data. If the underlying data is dirty, the tool does not work no matter how shiny it is. Light sweet crude through a refinery designed for heavy sour will fail every time, and the refinery being the most advanced in the world does not change the outcome. Workflow redesign is necessary. It is not sufficient. Healthcare audiences evaluating their own AI ROI claims should be asking which 17% they are in, and whether the answer involves redesigning the work, refining the data, or admitting that neither has happened yet.
John Lee is an emergency physician and Epic consultant who helps health systems bridge the gap between Epic’s capabilities and operational reality. He specializes in data architecture, registry optimization, and making Epic’s tools actually deliver results.
If you need help configuring your Epic environment to support these capabilities, connect with him on LinkedIn (https://www.linkedin.com/in/johnleecmio/) or via his website (https://www.hitpeakadvisors.com/).



I'm right here: https://healthapiguy.substack.com/p/epic-v-health-gorilla-prisoners-dilemma?utm_source=publication-search