Overview
On April 23, 2025, the US Court of Appeals for the Fourth Circuit denied PointClickCare Technologies, Inc.’s petition for en banc review in Real Time Medical Systems, LLC v. PointClickCare. A Fourth Circuit panel previously affirmed a preliminary injunction issued by the US District Court for the District of Maryland. The injunction, issued on July 29, 2024, required PointClickCare to remove certain restrictions on Real Time’s access to electronic health record (EHR) data that PointClickCare hosts for skilled nursing facility customers. Real Time sought access to the data to provide data analytics services to the skilled nursing facilities and alleged unfair competition in the form of information blocking.
The case has generated intense interest among stakeholders that maintain or request electronic health information, including EHR software developers and other actors subject to the information blocking regulations adopted by the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) under the 21st Century Cures Act. The Fourth Circuit panel’s decision interprets ambiguities in the information blocking regulations in ways that favor access by information requestors and raises the prospect that requestors can enforce the information blocking regulations through lawsuits based on state unfair competition law claims or other state law claims, despite the lack of a federal private right of action under the Cures Act for information blocking violations. Lawsuits based on state law claims are attractive to some requestors that have grown frustrated by the absence of enforcement of the regulations to date by the HHS Office of Inspector General (OIG).
On the other side, the American Hospital Association (AHA) and Electronic Health Record Association (EHRA) have filed multiple amici curiae briefs in support of PointClickCare, including a brief filed on April 2, 2025, supporting its petition for rehearing. AHA, EHRA, and many regulated actors generally believe the information blocking regulations should be interpreted to only require the provision of access through standards-based access methods and not to require actors to develop bespoke methods unless the actor and requestor mutually agree to the bespoke methods.
For more information about enforcement of the information blocking prohibition, see our On the Subject on the information blocking disincentives final rule and our webinar titled, “Information Blocking: Defense of Cures Act Investigations and Enforcement.”
In Depth
BACKGROUND ON REAL TIME V. POINTCLICKCARE
PointClickCare provides a cloud-based EHR system to skilled nursing facilities and other health care providers. PointClickCare has added clinical decision support and other analytics capabilities to its EHR system that compete with Real Time’s services. PointClickCare’s standard customer agreement prohibits customers’ use of automated users, commonly called “bots,” to extract data or access services in a way that adversely impacts performance.
Real Time provides health data analytics services under agreements with certain skilled nursing facilities and other providers that are PointClickCare’s customers by accessing and analyzing information stored in the PointClickCare system. While PointClickCare and Real Time contract with some of the same customers for their respective services, they do not contract with each other to address Real Time’s access to PointClickCare’s technology.
In Real Time’s standard business model, it downloads information needed for its analytics from PointClickCare’s system through login credentials provided by the common customer and assigned to Real Time’s bots. The bots reduce Real Time’s time and labor to download and analyze the information. Some of the downloaded information is available through standards-based application programming interfaces (APIs) required for certification under ASTP’s Health IT Certification Program while other information, such as certain customizable point-of-care data, is only available through bespoke access methods.
In November 2022, PointClickCare began presenting Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) access controls to users that PointClickCare thought were bots based on historical usage. CAPTCHAs are designed to ensure that bots cannot log in to online platforms. The CAPTCHAs displayed text or puzzles for the user to decipher to access the EHR. PointClickCare stated that it implemented the CAPTCHAs to address security and system performance issues related to bots.
In October 2023, PointClickCare began presenting allegedly indecipherable CAPTCHA images that could not be solved by humans to certain users. Real Time’s users could generally not decipher the images and access information stored in PointClickCare’s system. When the CAPTCHAs were not solved, Real Time would lose access to accounts.
The parties began discussing an agreement for alternative access methods, including a “USCDI connector” and “Marketplace API” that would enable access to about 30% of the data that Real Time stated it needed for its analytics services. The US Core Data for Interoperability (USCDI) is a standardized data set that is available through certain APIs certified under the ASTP’s Health IT Certification Program. To address Real Time’s additional data requests, the parties also discussed data export services from PointClickCare. The parties exchanged drafts of an agreement, but negotiations ended without an executed agreement. The Fourth Circuit’s decision indicates that PointClickCare ended the negotiations.
After Real Time determined that it could not reach a negotiated business deal, Real Time sued PointClickCare on January 9, 2024, alleging unfair competition, tortious interference with Real Time’s contracts with skilled nursing facilities, and several other claims that were not at issue on appeal to the Fourth Circuit. The district court concluded that Real Time demonstrated a likelihood of success on the merits of its Maryland unfair competition claim and tortious interference claims and issued an injunction to stop PointClickCare from using indecipherable CAPTCHA images and deactivating Real Time’s EHR system accounts. The district court’s analysis of the unfair competition claim focused on whether PointClickCare’s deployment of indecipherable CAPTCHAs amounted to unfair competition in the health care analytics market through information blocking that violates the Cures Act. The district court rejected PointClickCare’s position that its use of CAPTCHA images and related practices did not violate the Cures Act because they satisfied the health IT performance, security, and manner exceptions of the information blocking regulations. PointClickCare appealed the district court decision to the Fourth Circuit.
FOURTH CIRCUIT INFORMATION BLOCKING ANALYSIS
On appeal, the Fourth Circuit reviewed the Maryland unfair competition claim that was based on a finding of an information blocking violation. The Court first concluded that a federal statute (i.e., the Cures Act) without a private right of action can support a Maryland unfair competition claim and that the Cures Act does not preempt state law claims.
Like the district court, the Fourth Circuit noted that PointClickCare conceded that using indecipherable CAPTCHAs meets the Cures Act’s definition of information blocking absent an applicable exception. The Court then turned to an analysis of whether PointClickCare’s deployment of indecipherable CAPTCHAs is information blocking that does not meet the manner, security, and health IT performance exceptions. The Fourth Circuit decision is most noteworthy for its interpretation of ambiguous language under the manner exception, the impact of which could extend well beyond the dispute between Real Time and PointClickCare.
Manner Exception
To meet the manner exception, an actor (such as PointClickCare) must fulfill a request for electronic health information in any manner requested, unless the actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the request in the manner requested. If an actor does not fulfill the request in the manner requested because it is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the request in the manner requested, the actor must fulfill the request in an alternative manner. The exception requires the actor to fulfill the request without unnecessary delay in an alternative manner in the following order of priority, and to only proceed to the next manner if the actor is technically unable to fulfill the request in the prior manner:
- Using technology certified to standards adopted by ASTP for the Health IT Certification Program
- Using content and transport standards specified by the requestor and published by the federal government or a standards developing organization accredited by the American National Standards Institute
- Using an alternative machine-readable format, including the means to interpret the electronic health information, agreed upon with the requestor.
In the Fourth Circuit’s analysis of whether PointClickCare’s attempt to negotiate an access agreement with Real Time met the manner exception, the Court interpreted the language of the exception differently than some actors and requestors have interpreted it since its adoption. For example, the Court interpreted the phrase “cannot reach agreeable terms” in the exception’s manner requested prong to require an actor to engage in “good-faith,” “reasonable,” and “genuine” efforts to reach an agreement over any manner requested and to have “articulable reasons why the parties cannot come to an agreement.”
PointClickCare in its petition for rehearing, and AHA and EHRA in their amici brief supporting the petition, argued that the manner exception does not require actors to negotiate or make any level of efforts to reach agreeable terms. In their view, pointing to HHS preamble guidance, the manner exception is intended to allow the parties to mutually agree on a market-based information sharing solution or, if not, to permit the actor to fulfill a request through a standards-based manner such as an API or export technology certified to standards of the ASTP’s Health IT Certification Program. They asserted that “HHS crafted the Manner Exception to allow requestors to receive nonstandard access only when they agree to the actor’s terms.”
The Fourth Circuit also addressed whether an alternative manner, such as use of certified technology under the first alternative manner, must provide all of the information requested by the requestor even if the standard for the certified technology does not include all of the requested information. The Fourth Circuit concluded that the standards-based API offered by PointClickCare during negotiations was insufficient because the API only provided about 30% of the information sought by Real Time. Instead, the Court concluded that PointClickCare must meet the manner exception for each category of requested information. In contrast, PointClickCare (and AHA and EHRA in their amici brief) argued that offering any alternative manner under the alternative manner prong complies with the manner exception because ASTP intended to favor standards-based solutions.
Under the current information blocking regulations, if the actor and requestor are unable to agree on an alternative manner and meet the manner exception, the actor can potentially meet another exception such as the infeasibility exception, which includes a manner exception exhausted condition for circumstances where an actor offers alternative manners but cannot reach agreement with a requestor. The district court and Fourth Circuit did not address whether PointClickCare met the infeasibility exception based on the requirements of the manner exception exhausted condition. It appears that PointClickCare did not raise the condition because the indecipherable CAPTCHAs were in place before the February 8, 2024, effective date of the final rule that added the manner exception exhausted condition to the infeasibility exception. For more information about the condition, see our On the Subject regarding ASTP’s Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) final rule.
Health IT Performance and Security Exceptions
After rejecting PointClickCare’s position that it met the manner exception, the Fourth Circuit turned to the health IT performance and security exceptions. The Court determined that PointClickCare did not meet these exceptions because, among other reasons, they require a practice to be “implemented in a consistent and non-discriminatory manner.” Like the district court, the Fourth Circuit concluded that PointClickCare’s bot-prevention practices were targeted at Real Time and “correspond[ed] with PointClickCare’s entrance into the field as a competitor.” The Court noted that PointClickCare failed to articulate a specific security risk posed by Real Time’s bot access, stating that arguments that broadly pointed to the potential malicious use of bots were insufficient. The Fourth Circuit also noted that PointClickCare never sued a customer to enforce its customer contract provisions prohibiting bots.
NEXT STEPS
Actors seeking to avoid state law claims similar to those made by Real Time should consider the following steps:
- Maintain a log or other documentation of attempts to negotiate an agreement with requestors, particularly requestors seeking bespoke solutions.
- Maintain documentation of the technical requirements and anticipated resources needed for any requested solution.
- Implement consistent, repeatable procedures regardless of whether a requestor is a competitor for any product or service.
- Conduct any vendor security assessments for bespoke data access solutions in accordance with a security policy that is tailored to documented security risks and consistent with the information blocking regulations’ security exception.
- Document any system performance issues caused by third-party applications to support assertions of the health IT performance exception.
Requestors seeking access to electronic health information should consider the following steps in light of the Fourth Circuit decision:
- Obtain a representation and warranty or other assurance that the customer has contractual rights from the certified health IT developer or other data source to provide the requestor with access to the health IT.
- Determine whether the developer offers APIs or other standards-based interoperability elements that meet the requestor’s needs.
- If a bespoke solution is needed, seek a nondisclosure agreement to present the use case to the developer and seek a development or access agreement under the manner exception.
- Document all steps to seek and negotiate an agreement and any corresponding steps (or non-responsiveness) by the health IT developer.
- If an actor will not agree to a commercially reasonable manner that provides the electronic health information requested, the requestor should consider available options to incentivize the actor to provide the requested information, including prelitigation remedies and potential state law claims in light of the Fourth Circuit’s decision.
For more information about compliance with the Cures Act’s information blocking prohibition and state laws with potentially similar prohibitions, contact any of the authors of this On the Subject or your regular McDermott lawyer.