On March 12, 2025, the Fourth Circuit Court of Appeals ruled that (1) the information blocking prohibition in the federal 21st Century Cures Act (“Cures Act”) was plausibly violated when an Electronic Health Record (EHR) provider blocked bot access to its systems without sufficient justification, and (2) this violation may support a Maryland state law unfair competition claim, despite the Cures Act not having its own private right of action. This decision notably appears to be the first Circuit Court decision concerning the information blocking prohibition and, for parties subject to the rule, raises the risk that information blocking may be enforceable through a de facto state privacy right of action.

Below, we give a high-level overview of the case background and Cures Act requirements, as well as key takeaways for any organization potentially subject to the Cures Act.

What Happened?

Real Time Medical Systems (“Real Time”), a health care and analytics company, alleges that EHR provider PointClickCare (“PCC”) blocked access to patient’s electronic health information (“EHI”) data in violation of the Cures Act. These allegations also pled state law claims involving breach of contract, tortious interference with business, and unfair competition (the unfair competition claim relies on the Cures Act violation as evidence that PCC’s practices were “unfair and wrongful”).

The factual background spans a decade-long, mostly indirect relationship between Real Time and PCC. While Real Time and PCC did not contract directly with each other, they had mutual customers in the care facilities they each served, and Real Time could access EHI through its customer’s PCC accounts. Real Time has regularly used bots for this purpose since 2014, primarily by pulling custom reports (comprised of point-of-care data and other customer-designated information) as well as more standardized EHR data. Real Time’s bot use was permitted under PCC’s standard agreement with customers provided the customer ensure such bots do not adversely impact PCC’s system performance. PCC supposedly never enforced the system performance provision against its customers. PCC also allegedly knew about Real Time’s bot usage but failed to raise the issue with Real Time, against PCC internal policy and despite several opportunities.

In 2021, PCC expanded its business to enter into direct competition with Real Time. Soon after the expansion, PCC implemented CAPTCHAs in its EHR system to deter bot access for users on a “watch list,” with the CAPTCHA being revised over time to be increasingly difficult even for humans. By late 2023, over half of Real Time’s and PCC’s mutual customers were locked out of PCC’s EHR system, and Real Time accounts constituted at least one quarter of all “watched” users. While PCC justified its escalations based on “numerous incidents and issues” related to performance and security, the company provided extremely limited evidence to this effect and did not reference any specific incidents.

Cures Act Requirements

The Cures Act—generally enforced by the U.S. Department of Health and Human Services—prohibits information blocking, defined as any practice “likely to interfere with, prevent, or materially discourage access, exchange, or use of [EHI]” and “conducted by a health information technology developer, exchange, or network, such… knows, or should know that such practice is likely to” have such effects. There are limited exceptions that may permit an EHR provider to partially block access to EHI by granting access through a different manner than requested, or by denying the request to the extent that granting access would impact the EHR provider’s system performance or security.

The Fourth Circuit concluded that each of these exceptions were unavailable: PCC evidenced bad faith in its negotiations to grant Real Time’s access to the requested EHI and did not provide an alternate manner of access and lacked evidence of any performance or security impacts that would justify the degree to which it blocked Real Time’s access. On the latter point, the court emphasized Real Time’s unblemished cybersecurity record and lack of complaints regarding its bot use on other EHR providers’ systems.

Takeaways

The full decision is worth reading for those interested in a detailed breakdown of the key exceptions to the information blocking prohibition, possible Cures Act preemption of state claims, and types of security documentation the court found significant. Entities subject to the Cures Act should consider the following two takeaways:

Carefully document your company’s justification for relying on the prohibition’s exceptions, including specific performance issues and security incidents.

Be aware that blocking access to EHI for an unusually adverse requestor, such as a marketplace competitor, will be scrutinized closely by the courts and may be used as a basis for state law claims. The court’s discussion of the Cures Act claim arguably implies PCC’s conduct was colored by an ongoing anticompetitive motive, even as motive is not an explicit factor in the information blocking exceptions.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 