PointClickCare on Monday asked a federal appeals court to overturn what it calls a “dangerous and unprecedented” injunction that is preventing the massive electronic health records firm from blocking bots from its platform.
How the case unfolds could shape the way private healthcare vendors must treat and share patient data that is housed with one company but needed by another to service a provider.
The filing in the Fourth Circuit follows a lower court’s Sept. 29 decision supporting Real Time Medical System’s effort to access records as it conducts analytics work on behalf of its skilled nursing clients. RTMS had claimed PCC blocked its ability to search patient records as a competitive maneuver, and US District Court Judge Paula Xinis agreed, writing that the EHR provider “has offered no legitimate reason for deploying unsolvable CAPTCHAs.”
But in its filing Monday and in an interview with McKnight’s Long-Term Care News last week, PCC said it only deployed the CAPTCHAs — coded symbols users must be able to interpret to gain access to data — after it became clear that RTMS was using automated bots.
“We have a bar on bots,” a PCC spokesman said. “We prohibit bots because bots have a security risk. They have performance risks. It’s how cyber criminals get in. Somebody in Belarus isn’t going to be clicking on individual files. They’re going to do mass exfiltration of data through a bot.”
The spokesman, who spoke on condition that he not be named, noted that in this case, RTMS clients had reported slow or blocked access to their own data on the PCC platform because of the competing bot activity.
“We are very careful and we are very active about making sure that our customers, especially those in the facilities — the registered nurses, the administrators — they continue to get access,” the spokesman told McKnight’s.
Data interoperability regulations allow companies to block access to others for IT performance or security reasons, and PCC’s appeal argues the company’s protocols are “reasonable and necessary” so as not to constitute information blocking. It argues that the District Court made legal errors in finding otherwise, and that “the legally defective injunction must be set aside.”
PCC also explicitly bans the use of bots in its contracts with facilities, which it said RTMS must comply with when accessing data on behalf of shared clients. The PCC spokesman said the company had toughened data security tools for RTMS only after detecting bot-like activity from log-ins linked to the smaller company. It deployed several other, less difficult obstacles before triggering the “unsolvable” CAPTCHAs that Xinis prohibited.
A spokesman for Real Time told McKnight’s Monday night that the company stands ready to argue its case at the appellate level.
“PCC’s appeal merely repeats the same fictions that the District Court found to be unpersuasive after a multi-day evidentiary hearing,” he added. “Its accusation that Real Time’s systems present a security risk is simply false and is merely an attempt to distract from the fact that PCC only began blocking Real Time’s access in 2020, the same time it began developing and marketing products to compete with us.”
Battle over bots and contracts
The PCC spokesman told McKnight’s the company had tried negotiating with RTMS and offered alternative access through eight other secure mechanisms for a fee. He added that RTMS is the only vendor-user among 1,900 that does not either have a contract with PCC or access the larger firm’s data manually.
“Despite being able to access all the data it needs with human users, RTMS demands nonstandard, unlimited bot access to PointClickCare’s system and wants to continue paying PointClickCare nothing, or at most, less than PointClickCare asks (and less than its Marketplace-program partners pay for safe and secure integrated access),” PCC’s legal team argued in its 82-page appeal filed late Monday. “The Cures Act does not require PointClickCare to develop a ‘one-off, unique, custom solution’ for RTMS on those terms.”
Xinis, however, in her ruling granting a temporary injunction, decided that the CAPTCHAs were indeed a violation of the 21st Century Cures Act. The majority of the case remains with Xinis in the US District Court for Maryland; PCC is appealing the granting of the preliminary injunction so it can reinstate security tools while the broader case winds its way through the courts.
“It’s not just for us,” the PCC spokesman said. “Any other EHR platform is going to have this same problem. It’s unfortunate that we are the first and nobody else has really litigated the Cures Act restrictions and obligations. But it’s important for the industry. … Bots are a huge issue.”
PointClickCare is one of the largest healthcare technology providers in the US, with 27,000 longâ€term and postâ€acute care clients. At one time, it was reported to hold at least 70% of the skilled nursing EHR market.
The smaller, Maryland-based RTMS uses EHR data to identify areas where nursing homes can improve outcomes, such as by detecting early signs of infectious disease, automating antibiotic surveillance, reducing hospital readmissions and coordinating care.
