Texas Attorney General (AG) Ken Paxton has launched another challenge to the electronic health record (EHR) industry, filing suit against Epic Systems Corporation. At its core, the lawsuit accuses Epic of transforming patient medical records into a private gatekeeping tool — one that allegedly blocks competition, restricts lawful access to data, and undermines parental rights under Texas law.
The State’s Theory: Control the Data, Control the Market
According to the state’s petition, Epic occupies a uniquely powerful position in the health care ecosystem. Its EHR platforms store and manage medical records for more than 325 million patients, including millions of Texans, accounting for roughly 90% of the U.S. population. Once a hospital adopts Epic, Texas alleges, the provider becomes effectively locked in — both economically and technologically.
The lawsuit alleges Epic is more than a software vendor. Texas alleges that Epic has positioned itself as a gatekeeper over patient data, determining who may access records, how that access occurs, and on what terms. While patient records belong to patients and providers — not Epic — the state claims Epic uses its architectural control of EHR databases to impose artificial barriers that prevent hospitals from working with competing EHR vendors or third-party application developers.
Texas further alleges that Epic’s conduct goes beyond passive dominance. The petition describes a multipronged strategy to preserve Epic’s monopoly, including delaying or denying data access to rival EHR companies, penalizing hospitals that attempt to use competing applications, and imposing contractual and technical restrictions that discourage customers from switching platforms. Collectively, the state claims, these practices suppress innovation, raise health care costs, and deprive patients and providers of competitive alternatives.
Parental Access at the Center of the Dispute
The lawsuit also targets Epic’s alleged handling of parental access to minors’ medical records. Texas claims Epic sells EHR systems to health care providers that are preconfigured to remove parental access once a child turns 12, obscuring medication lists, treatment notes, and provider communications. The state characterizes Epic’s justification for these restrictions as misleading and legally unsupported, alleging that the configurations violate Texas law granting parents the right to access their children’s medical records.
Texas frames this conduct not only as a statutory violation, but as a deceptive practice that interferes with parents’ ability to direct their children’s health care — a theme that has featured prominently in the AG’s recent enforcement priorities.
Claims and Remedies Sought
The petition asserts multiple causes of action under the Texas Free Enterprise and Antitrust Act, including monopolization and attempted monopolization across multiple EHR-related markets. Texas also brings claims under the Texas Deceptive Trade Practices Act and the Texas Medical Records Privacy Act, arguing that Epic’s access restrictions and representations to customers are unlawful and misleading.
The state seeks broad relief: injunctive orders barring Epic from continuing the alleged conduct, structural remedies to restore competition, civil penalties, damages, and recovery of attorneys’ fees and costs.
Why It Matters
This case is not an isolated enforcement action. It falls within Texas’s broader effort to scrutinize how EHR systems control access to medical information. Earlier this year, the AG announced a landmark agreement with a Central Texas health care provider requiring restoration of parental access to minors’ medical records after similar access restrictions were allegedly imposed through EHR settings. The Epic lawsuit escalates that focus — shifting attention from individual providers to the technology platforms.
For health IT vendors, the case signals potential antitrust risk where technical design choices intersect with market dominance and data control. And for regulated entities handling health data, it highlights that interoperability, access rights, and competition are no longer abstract policy goals but active enforcement priorities.
As health care data becomes increasingly centralized, regulators are signaling that control over medical records carries not just operational responsibility — but legal accountability.
