Battle of the Bots Continues…Fourth Circuit Affirms Preliminary Injunction Against PointClickCare

by | Mar 25, 2025 | 42 CFR Part 2, Data Breach Laws, HIPAA Privacy

Continuing the saga of Real Time and PointClickCare in the battle of the bots, the United States Court of Appeals for the Fourth Circuit recently affirmed a preliminary injunction granted in favor of Real Time Medical Systems, Inc. (“Real Time”) against PointClickCare Technologies, Inc. (“PointClickCare”). Although the court’s decision re-emphasizes significant issues surrounding the access and use of electronic health records (EHR) and the competitive dynamics in the health analytics industry, certain assumptions made by the court raise concerns.

Background

As you may remember, Real Time provides analytics services to skilled nursing facilities by accessing health records hosted on PointClickCare’s customers’ EHR systems. For years, Real Time used automated “bots” to download data for its analytics services that it provided to its facility customers. The conflict escalated when PointClickCare blocked Real Time’s access to its customers’ EMRs by introducing indecipherable CAPTCHA images. Real Time and PointClickCare then failed to enter into an agreement for Real Time to obtain the data it required through data export and API functionality, leading to Real Time’s lawsuit and the subsequent preliminary injunction this past August.

Real Time argued that PointClickCare’s actions constituted tortious interference with business relations, unfair competition (via violations of the 21st Century Cures Act), and breach of contract as a third-party beneficiary. PointClickCare responded that Real Time could not rely on a violation of the Cures Act to support a claim of unfair competition under Maryland law; that even if it could, PointClickCare did not violate the Cures Act; and that even if it did, Real Time’s claims should fail for other reasons.

Key Points from the Court’s Decision

1.  Medical Records Ownership and Patient Involvement.

The Fourth Circuit makes two problematic assertions regarding the services that Real Time provides to its facility customers and the current lay of the land for medical records.  First, the court stated, “Medical records remain the property of the patient, even when stored on an EHR system.” This assertion vastly oversimplifies the complex legal landscape surrounding medical records ownership.

In many states, medical records are considered the property of the healthcare provider or institution that created them, not the patient. Even in Maryland, patients do not appear to own their medical records and instead, these are owned by the health care professional or health care facility. Other states, like New Jersey, are silent on this, but it’s not uncommon for health care professionals/facilities to treat the records as under their ownership and control.  While patients typically have rights under both state laws and HIPAA to access, inspect and copy their records (avid Seinfeld fans will know that Elaine’s attempt to look at her medical chart, of course, predates HIPAA), actual ownership varies significantly depending on state laws and specific circumstances.

Second, the court also mentioned that Real Time accessed medical records through permission/login information provided by the patient through the customer facility.  This implies direct patient involvement in Real Time’s access to facility records when the reality more likely is that skilled nursing patients are not aware that their information is being accessed by third-party analytics companies, much less specifically Real Time. No authorization from the patient is required by HIPAA for a business associate to use and disclosure Protected Health Information to provide services to a covered entity. The only statement likely to put patients on notice is a generalized statement in a covered entity’s Notice of Privacy Practices that they may use contractors (which could be hundreds for a large facility) to provide them with services and that such contractors may use and disclose their health information when doing so.

2.  Information Blocking Under the Cures Act. 

The Fourth Circuit also found that PointClickCare’s actions likely constituted “information blocking” under the 21st Century Cures Act, which prohibits practices that interfere with the access, exchange, or use of electronic health information. The indecipherable CAPTCHAs and other actions taken by PointClickCare, arguably in the name of security and health IT performance, resulted in practices that materially discouraged access to health information. Although PointClickCare argued these actions were taken in accordance with the Information Blocking Security and Health IT performance exceptions (see my prior article for more information about meeting these exceptions), the court disagreed that these applied because PointClickCare did not implement or document its actions in a consistent and non-discriminatory manner and Real Time had utilized bots for many years before PointClickCare took action with no documented security threats or system performance issued. Instead, the court found PointClickCare did not provide sufficient evidence to support these concerns and that the measures were more likely taken to harm Real Time’s business rather than addressing genuine security or performance concerns.

The Fourth Circuit also disagreed with PointClickCare’s reliance on the Manner Exception. Under the Manner Exception, an actor is required to fulfill a requestor’s request for electronic health information in any manner requested, unless technically unable to fulfill the request or if the actor cannot reach agreeable terms with the requestor in which case, the actor must fulfill the request in an alternate manner. After access was blocked via the unsolvable CAPTCHAs, Real Time had presented a data export proposal and also sought the data it required to perform its analytics via API, however, PointClickCare failed to negotiate terms with Real Time and the draft agreement was ultimately simply abandoned.

The Fourth Circuit noted that PointClickCare could not provide any reason why it had failed to enter into an agreement with Real Time. It reasoned that, under the Manner Exception, “cannot enter into agreeable terms” equated with at least some reasonable efforts and reasons why the parties could not reach agreeable terms.  Further, it rejected PointClickCare’s interpretation that it had satisfied its obligation to provide the data in an alternate manner, stating that PointClickCare only offered to provide a fraction of the data Real Time had requested. Instead, the court found that PointClickCare needed to treat Real Time’s requests for data separately and provide all of the requested data in an alternate manner.

3.  State Unfair Competition Claims.

Lastly, the Fourth Circuit concluded that Real Time was likely to succeed on the merits of the unfair competition claim it had brought against PointClickCare, among others, under Maryland law. Even though the Cures Act establishes no private right of action for information blocking, the Fourth Circuit allowed PointClickCare’s alleged information blocking to serve as the basis for Real Time’s unfair competition state law claim. First, it noted that plaintiffs are not barred from using violations of federal statutes as evidence to support a state law claim, even if the federal statute does not contain a private right of action.  Maryland’s unfair competition laws were case-specific and designed to prevent damage to the business of another, including by unfair means which the court stated could be demonstrated by a violation of the Cures Act.   Further, the court emphasized that Maryland law did not even require an unlawful act to support an unfair competition claim.

Implications for Future Information Blocking Claims

Despite no information blocking enforcement action taken yet by ONC/HHS, this case sets a precedent for future claims using alleged information blocking as the basis for state law violations. We’ve seen this happen with HIPAA, which likewise does not have a private right of action, where courts have allowed use of HIPAA to establish a standard of care and serve as a basis for state invasion of privacy and other claims. However, only time will tell how likely future claims may be, as any such information blocking allegations would require an underlying state law claim.

Further, although the information blocking provisions under the Cures Act do not place any specific documentation obligations on actors, actors must be able to demonstrate compliance if they are relying upon available exceptions as a defense to information blocking.  PointClickCare was unable to support the basis for its reliance upon the Manner, Health IT and Security Exceptions and other actions taken allegedly in the name of security and system performance, nor could it demonstrate that the actions it took against Real Time were tailored, consistent and non-discriminatory. Once Real Time had shown PointClickCare to have engaged in facial information blocking, the court placed the burden squarely upon PointClickCare as the actor to demonstrate that an exception under the Cures Act applied, rather than on Real Time to demonstrate an exception did not apply.

Therefore, documentation will be critical for actors to demonstrate their actions did not result in information blocking or, even if it did, that an exception applied and was adhered to 100%.  For additional considerations that actors should be evaluating and assessing in relation to their information blocking compliance, visit my prior post here or Helen’s checklist here.

Share this:

If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.

Archives