The Fourth Circuit of Appeals recently ruled that violations of the 21st Century Cures Act’s prohibition against information blocking may form the basis for tort claims under state laws, specifically in this case, Maryland’s unfair competition laws. Here, an applications developer, Real Time, was allegedly blocked from accessing PointClickCare’s electronic medical record system visa-vi a system of unsolvable CAPTCHAs. The decision held that this action likely constituted information blocking and that Real Time was likely to prevail on the merits of the case, and so, it held in place an order prohibiting Real Time from using such CAPTCHAs prior to the final resolution of this case in the District Court.
This provides third party application developers with a new legal avenue and roadmap to pursue data access should complaints with the Department of Health and Human Services not advance. This decision, is in short, tailor-made for those AI, SaaS, and other software solutions who find themselves unable to compete in the marketplace due to a dearth of electronic medical records (“EMR”) integrations. It specifically looks at how information blocking hindered Real Time’s ability to compete, and further found that the passage of the prohibition did not preempt any preexisting state law. So long as a vendor can find a suitable state law or tort to attach to, those vendors sue for damages and – as this case demonstrates, even a restraining order to force data access prior to the resolution of the case. A separate case federal case in the Northern District of California, Intus Care Inc. v. RTZ Assocs., Inc, is founded on a similar California tort of “intentional interference with prospective economic advantage under California law.”
EMR vendors will not be happy about the outcome of this case. There are several things to worry about, even as an honest actor. First, to what extent are legitimate security and systems maintenance actions going to constitute information blocking in fifty separate jurisdictions? This removes HHS as the primary adjudicator of information blocking in healthcare, and extends that power to courts around the country. For the sake of having uniform practices, processes, and systems, this is a major headache. I foresee a lot of fifty-state surveys on the horizon.
Healthcare providers are also subject to the prohibition against information blocking. This is specifically relevant if you are a health system. A lot of times the EMR FHIR hooks won’t be enough. Each EMR implementation – especially in a health system and hospital setting – is custom and case-by-case. They all have different configurations and data mapping. They all also have different systems. The EMR is integrating generally across a variety of platforms that contains pieces of the patient’s overall health data. If you are an application developer, you can get to the EMR developer for some of the technical hooks and implementation guides, but you cannot get access to specific systems and EHI without providers authorizing access to their environments. Given the scale and consolidation in the healthcare space, providers will also have a target on their backs as a result of this decision.
As a next step, I recommend that vendors look at their information blocking compliance policies, and specifically look towards the security exception, health IT performance exception, and manner exception to information blocking through the lens of this new decision. You should also take data access requests from third party application vendors, specifically those with the funding to litigate, very seriously and as potential civil claims – not just compliance issues.
Here is a copy of the Fourth Circuit decision at Casetext:
https://casetext.com/case/real-time-med-sys-v-pointclickcare-techs
Here is a copy of the ongoing District Court litigation around the same matter in California:
https://casetext.com/case/intus-care-inc-v-rtz-assocs
Here is a copy of the Amicus Brief submitted by the Electronic Health Record Association and American Hospital Association:
eHealth Law Blog 