An inside look at Epic’s confidential vendor services agreement

Startups have for years complained about the difficulty of working with Epic, the electronic health record company with the largest hospital market share in the country. But there’s been very little publicly available documentation to demonstrate that in practice. That’s largely because people are afraid to publicly air grievances about Epic for fear they’ll be blacklisted from their ecosystem and data.

A company shared an Epic Vendor Services Agreement with Second Opinion to give the healthcare community a sense of what startups struggle with when it comes to Epic.

I shared Epic’s Vendor Services Agreement with Sharona Hoffman, professor of law and bioethics at Case Western Reserve University, who says it strongly favors Epic.

“There is no provision that jumps out as blatantly illegal,” Hoffman told Second Opinion, “but it sort of accumulates all these very, very one-sided, and perhaps questionable, provisions that perhaps together would raise a lot of questions about whether this contract is unconscionable and perhaps unenforceable.”

For example, she says, Epic can change the terms of the vendor services agreement at any time with 30 days’ notice. “The words ‘at Epic's sole discretion’ appear a lot,” notes Hoffman.


In response to a request for comment about the vendor services agreement, Epic confirmed the document was authentic and told Second Opinion that the agreement was updated today because of confusion over some of its provisions. The company sent over the following statement:

“We regularly update our agreements to reflect the ongoing evolution of our programs. As an example, we recently removed a section pertaining to employment practices that confused vendors and was not applicable to many of them.”

Despite these changes, we are still going to look at the old vendor services agreement and compare it to the new contract. A copy of the vendor services agreement shared with me by one founder, who requested anonymity for fear of retribution, is pasted below for our premium subscribers.

Hoffman notes that Epic caps the damages a vendor can recover from it. The provision limits Epic’s liability to the fees paid in the preceding 12 months and excludes consequential damages entirely, she said. “No lawyer is going to take that case because they can't make money,” she said.

Though this stuck out to Hoffman, Epic is not the only company that caps its liability in contracts. Apple caps its own liability at $50 in its agreement with developers that build and sell apps in its App Store.

Other contract language that Hoffman called out was employee non-compete provisions, which limit the circumstances under which vendors can hire former Epic employees. She said these provisions could be illegal under some state laws. 

Epic’s non-compete agreements are currently the subject of litigation. Veeva Systems, a cloud platform for life sciences companies, is suing Epic in Wisconsin over its non-compete agreements, saying they are overly broad. Epic has filed a motion to dismiss the case.

Hoffman said Epic protects its platform and products by placing restrictions around how vendors use “Epic Confidential Information,” a term covering any materials, software, services, and Epic-hosted events that are not already public.

“Any information whatsoever that they provide to the vendor is absolutely confidential, but if you provide information to Epic, it's not confidential, and they can even use it to create a competing product,” she said. “That could be seen as possibly bordering on antitrust violations.”

Elsewhere the contract says, “the agreement will not impair (i) Your right to design, develop, acquire, license, market, promote, or distribute any type of product or technology, including any products or technologies that perform the same or similar functions as, or otherwise compete with, Epic Software, or (ii) Your right to work with any third parties that may do so.” However, that section is caveated by compliance with the aforementioned sections that, according to Hoffman, heavily restrict vendors.

So why do startups even have to sign this agreement? Startups selling technology to health systems often need access to information in the electronic health record system, whether for diagnostic or billing purposes. Much of that data is available through some 600 free and open application programming interfaces (APIs), the digital methods by which software sends and receives data. However, some data can only be pulled from, and written back into, the record using Epic’s proprietary APIs. To get access to those proprietary APIs, vendors need to sign a vendor services agreement with Epic. The company also charges fees for using its proprietary APIs.

Epic says it’s changing its contract 

Epic shared with Second Opinion that it is removing two sections of its Vendor Services Agreement. The first is a significant portion of Section 5, which creates restrictions around unauthorized access to Epic’s platform and proprietary information. The new contract drops the language that obliged vendors to ensure that their employees and subcontractors with access to Epic information and software did not participate in the design, development, or enhancement of any software with features or functionality overlapping Epic’s.

Epic Vendor Services Agreement 475.65 KB • PDF File

Epic has also removed section 11 of the former contract, which prohibited vendors from interfering with commitments Epic’s employees may have made to the company around its intellectual property. This is the non-compete section that Hoffman said could be illegal in some states.

The new language, which is now in Section 5, stipulates that vendors that hire former Epic employees within a 12-month period must instruct those employees in writing not to disclose Epic’s confidential information or trade secrets.

Epic also added new language to the contract around fee changes associated with its APIs. It now says that developers will be able to keep the old fee structure for up to 15 months if they are already locked into a financial agreement with their customer. The company says this was already an existing practice.

Some 1,300 entities are currently operating under Epic’s vendor services agreement.

A coming crackdown

Epic says the changes to its contract came about in response to feedback gathered from vendors at its Open@Epic conference last year.

The changes come against a complex backdrop of regulatory change, lawsuits, and debate over how and under what circumstances patient health data should be accessed.

Texas Attorney General Ken Paxton filed a lawsuit against Epic in December 2024, alleging that Epic stifles perceived competitors by blocking their access to its platform and the data it holds. The suit also alleges that Epic imposes fees on health systems that try to use products that compete with Epic’s platform and products.

Epic denies the allegations and is fighting the lawsuit. The company is facing two other similar lawsuits, from CureIS and Particle Health. Claims that Epic is acting in anti-competitive ways are tied up with allegations that it withholds access to patient data from competitors, a practice prohibited under federal information blocking rules.

At the same time, the Office of the National Coordinator for Health IT (ONC) has promised a coming crackdown on information blocking, a practice prohibited by the 2016 21st Century Cures Act in which health systems, electronic medical record companies, health information exchanges, and other health IT developers intentionally obstruct patient data from reaching approved recipients.

Violations carry civil monetary penalties up to $1 million per infraction. 

Since President Donald Trump took office, there has been increased pressure from ONC to get health systems and electronic health record companies to increase their use of a free standard for exchanging data called Fast Healthcare Interoperability Resources (FHIR). This push is part of a larger campaign to free up patient data so that Americans can take control of their own health. The idea is that patients, armed with their medical histories, will be better equipped to get second opinions on medical diagnoses and to make use of a barrage of new-fangled health apps and wearable devices to make them healthier.

In its most recent proposed rule, the agency slashed compliance requirements in order to refocus certification for EHRs around their use of FHIR APIs. 

In addition to certifying the methods by which health systems and their partners send and receive data, the agency is also looking to free up data in other, more aggressive ways. In February, at ONC’s annual meeting, ONC head Thomas Keane announced that the agency is in the process of issuing notices of investigation of potential nonconformity with the information blocking rules.

That conference also featured a panel discussion with members of the federal health department’s Office of the Inspector General, which enforces the information blocking provisions, as well as members of the Justice Department and the Federal Trade Commission. The discussion centered heavily on how some companies use information blocking as a way to cement their market position and fend off competitors.

“Our goal is to support the next generation of health IT innovators,” said Markus Brazill, assistant chief of the Department of Justice’s Healthcare and Consumer Products section, during the panel. “When you have info blocking, or other related anti-competitive practices, not only do you stifle competition in that one discrete area, but you create a chilling effect for so many other innovators throughout health care IT.”

He added that helping HHS respond to information blocking was a key priority for his department. 

Data security

As the Trump administration pushes to make patient data more available, Epic has called for more scrutiny of health data networks, asserting that patient data is not being safely exchanged. In January, Epic, along with four of its clients, filed a lawsuit against Health Gorilla, which connects a variety of health care operators to large national health data networks, alleging that Health Gorilla isn’t adequately vetting its clients.

The lawsuit, which names Health Gorilla along with several smaller telehealth operations, alleges that Health Gorilla allowed several companies misrepresenting themselves as treatment providers to illegitimately pull patient data from the national health networks. The lawsuit suggests that no one is safeguarding how patient information is shared or for what purposes, thereby putting that data at risk.

After that lawsuit was filed, over 60 of Epic’s clients wrote a letter to the CEO of the Sequoia Project, a nonprofit that oversees two large health data sharing networks, asking her to implement new measures to counter fraud. 

The messy debate over patient data security versus more open sharing has spilled over into ONC policymaking. There are nearly 6,500 comments on the proposed rule, and within them reside concerns over deregulation, security, and automated access to patient information.

About the author

Ruth Reader
