News & Insight

Information Blocking Litigation Update: Real Time v. PointClickCare

On March 12, 2025, the U.S. Court of Appeals for the Fourth Circuit affirmed the district court’s grant of a preliminary injunction to Real Time Medical Systems (RTMS), a health data analytics company, to stop PointClickCare (PCC) from unlawfully restricting RTMS’s access to its electronic health record systems. In ruling in favor of RTMS, the court found that PCC’s use of indecipherable CAPTCHAs and blocking RTMS user accounts constitute information blocking under the 21st Century Cures Act and that violations of the Cures Act’s prohibition on information blocking are a partial basis for a claim of unfair competition under Maryland law.  The court also upheld the district court’s decision that once RTMS demonstrated that PCC had engaged in “facial” information blocking, the burden of proof shifted to PCC to show that its actions were not information blocking because an exception was applicable.  

Information Blocking Exceptions 

Ultimately, the court again agreed with the district court and found that PCC failed to carry this burden for each of their claimed exceptions to the information blocking prohibition: the manner exception, the health IT-performance exception and the security exception.   A summary of the court’s analysis is below: 

  • The manner exception provides that an actor, PCC in this case, must fulfill a request for electronic health information in any manner requested unless the actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the manner request. 45 C.F.R. §171.301(a). The court found that the fact that PCC and RTMS had not reached an agreement, alone, was not enough to demonstrate that the parties could not reach agreeable terms for purposes of the manner exception and that PCC needed to demonstrate “some good-faith efforts to reach agreeable terms before claiming it ‘cannot’ do so,” which it did not do.  PCC had attempted to argue that its being unwilling to come to an agreement with RTMS was sufficient for the purpose of this exception. 
  • The health-IT performance exception permits action against a third-party application that is negatively impacting the health IT’s performance provided that the practice is implemented in a consistent and non-discriminatory manner.  45 C.F.R. §171.205(b)(2). The court found that PCC’s introduction, escalation, de-escalation, and re-escalation of the CAPTCHAs and blocking policy, during a time when PCC was looking to compete with RTMS, was highly suggestive that the actions targeted RTMS and PCC failed to present adequate evidence to the contrary. The court also noted that PCC’s evidence that RTMS’s bots constituted an ongoing threat to PCC’s IT performance was “extremely limited and tenuous.” Thus, PCC’s actions did not meet the exception’s requirements that the security measures be implemented in a consistent and non-discriminatory manner. Other requirements of this exception include that such actions be taken for a period that is no longer than necessary and consistent with applicable service level agreements, but the court did not address PCC’s compliance with those requirements. 
  • The security exception permits it to take action to protect the security of electronic health information when it is directly related to the safeguarding, confidentiality, integrity, and availability of the ePHI and tailored to the specific security risk being addressed.  45 C.F.R. §171.203(b). The court found that PCC failed to articulate any security risk posed by RTMS’s use of bots to access PCC’s systems, which had been ongoing since 2014, and that there was no evidence that RTMS’s use of bots had ever led to a security breach. Other requirements of this exception include that such actions be implemented in a consistent and non-discriminatory manner, but the court did not address PCC’s compliance with those requirements. 

Key Takeaways 

Based on the court’s decision, actors that are subject to the Cure’s Act, as well as third parties seeking access to electronic health information maintained by actors subject to the Cure’s Act, should take note of the following: 

  • The suit brought by RTMS is a useful roadmap for third parties seeking to enforce the Cure’s Act information blocking prohibition without having to rely on regulators to act. 
  • An actor regulated by the Cure’s Act that wishes to avail itself of an exception to the information blocking prohibition must have evidence specific to the third-party whose access to electronic health information is to be denied or terminated, and that evidence much show that each element of the exception has been met.  As the court noted repeatedly in this case, broad gestures and testimony will not suffice. 

Next Steps for Actors 

  • Review policies and procedures for modifying, denying or terminating a third party’s access to electronic health information and their implementation. 
  • Consider whether fact gathering and related documentation procedures are sufficient to support each of the required elements of an exception to the information blocking prohibition and modify procedures accordingly. 
  • Establish parameters for “good faith” negotiations with third parties seeking access to electronic health information. 

 

  Mar 31, 2025  |  By    |   On Data Privacy and Protection
© 2025 Hogan Marren Babbo & Rose, Ltd. All Rights Reserved. Attorney Advertising and Legal Notices. Sitemap  |  A PaperStreet Web Design