In March, the Fourth Circuit ruled in Real Time Medical Systems, Inc. v. PointClickCare Technologies, Inc., a case that centered on the use of technical barriers to restrict access to electronic health information (EHI). In the suit, Real Time, a health data analytics company, accused PointClickCare of blocking access to necessary patient data by intentionally using complex CAPTCHAs and other technical hurdles that prevented the company from collecting data for its services.
The practice of restricting the access, exchange, or use of EHI on an unfair basis is known as “Information Blocking” if perpetrated by a healthcare provider, a health IT developer of certified health IT, or a health information exchange (HIE)/health information network (HIN). These three “actor” types regulated under the ONC Information Blocking Final Rule (IB Rule) are subject to disincentives or civil monetary penalties if found to have violated the IB Rule, depending on the type of actor and whether the actor knowingly acted with intent.
While the legal issues are complex, the implications are clear: organizations can’t use vague justifications or technical obstacles to block legitimate access to health data.
Let’s walk through some common misconceptions—and what this decision actually means for healthcare stakeholders striving to build compliant, interoperable, and trustworthy systems.
Myth #1: “Technical barriers like CAPTCHAs are just good security practice.”
Reality: Unnecessary or overly burdensome technical restrictions can constitute information blocking.
In this case, Real Time alleged that PointClickCare intentionally deployed complex CAPTCHAs and other measures to limit Real Time’s ability to collect data for analytics services. The court agreed that such tactics could likely violate the 21st Century Cures Act if they unreasonably restrict access to EHI.
Takeaway: Security measures must be proportional, necessary, and transparently justified—not used as a blanket mechanism to restrict competition or access.
Myth #2: “Mentioning ‘security’ or ‘performance’ concerns is enough to deny access.”
Reality: Vague concerns are not a valid exception to the rule.
The ruling emphasized that actors regulated under the Information Blocking Rule must provide specific, credible evidence when invoking an exception. Broad or unsupported claims about security or system strain are not sufficient.
Takeaway: Documentation is key. Policies should be clear, consistently applied, and defensible based on objective evidence—not assumptions.
Myth #3: “Automation-based access is inherently risky and can be blocked.”
Reality: Automation alone is not a valid reason to restrict access.
The court made it clear that use of automation by an authorized entity does not justify cutting off access. If an organization has the right to access data, the method of retrieval—manual or automated—shouldn’t be grounds for denial.
Takeaway: Automation is a critical tool in modern healthcare data use and exchange. Blocking based solely on the method of access may raise compliance concerns.
Myth #4: “Health data sharing is stuck. Nothing ever changes.”
Reality: Momentum to share health information is building, and patients will benefit.
The Real Time decision is just one example of progress. From technical standards and APIs to now state enforcement, the system is finally moving toward meaningful, patient-centered data sharing. More providers and vendors are embracing interoperability not just as a compliance requirement, but as a competitive advantage—and patients are gaining easier, faster, and more reliable access to their health data.
Takeaway: Change is happening. These rulings, along with industry collaboration and policy clarity, are helping to make health data sharing a reality—and that’s a win for everyone.
What it means for health data stakeholders
This ruling challenges the idea that EHR vendors can simply cut off access to authorized companies using automation and underscores the need for organizations to proceed with caution when limiting EHI access, especially if the intent behind those limitations could be questioned. As state-level enforcement emerges as a parallel pathway to federal oversight, organizations should expect more exposure and scrutiny.
Four steps to strengthen your approach
- Document every EHI request and your response. Capture the who, what, when, and why of all data sharing decisions.
- Apply policies uniformly. Avoid special treatment for certain partners or competitive concerns. Consistency reduces risk.
- Track metrics. Monitor request volumes, response times, and denial reasons to uncover patterns and improve practices.
- Stay ahead of enforcement trends. Watch developments from HHS OIG and state agencies, and ensure your policies evolve accordingly.
Learn More
Datavant’s guide “Information Blocking: What No One Is Talking About” offers deeper insights into operational challenges and regulatory nuances. We also encourage stakeholders to explore the Information Sharing Workgroup resources from the Sequoia Project’s Interoperability Matters initiative, where Datavant is proud to contribute alongside other healthcare industry leaders.