Federal Court Weighs in on Health IT RPA
An analytics firm battled with an EHR vendor over RPA bots -- here's what happened
Integration with electronic health records (EHRs) has proven to be a longstanding headache for healthcare providers and IT vendors alike. Without the ability to exchange medical and financial records, it can be difficult to operate software that supports key activities in areas such as population health management, coordination of care, and reimbursement.
There are a variety of approaches to integrating with a health IT system, from connecting directly to the software's database systems to leveraging system interfaces that use protocols like FHIR and HL7 messages. Brendan Keeler has written extensively on the various strategies to integrate health IT software, but this discussion of Real Time Medical Systems, Inc. vs PointClickCare Technologies, Inc. focuses on robotic process automation (RPA).
PointClickCare (abbreviated PCC by many) is a leading provider of EHR software, largely for long-term care (LTC) settings such as skilled nursing facilities (SNFs).
On the other end is Real Time Medical Systems, an analytics firm much smaller than PCC that relies on RPA to deliver its service to SNFs. In the case heard by Maryland Federal District Court Judge Paula Xinis, Real Time called for an injunction (requirement to stop) on impossible CAPTCHAs which PCC had deployed to prevent Real Time’s bots from operating.
Important Concepts
Understanding this case requires some rapid-fire background knowledge.
Interoperability in healthcare means that different healthcare systems and software can "talk" to each other, sharing data and patient information seamlessly. This is important for providing coordinated care across different providers, hospitals, and clinics, ensuring that healthcare professionals have access to up-to-date and accurate information no matter which system they use.
The Information Blocking Rule is part of the 21st Century Cures Act, aiming to prevent healthcare organizations from purposely restricting access to or sharing of electronic health information. It's crucial for promoting competition because if health systems can't block information, patients can more easily switch between providers, and new entrants to the market can offer services without being locked out of important patient data. This rule, enforced by the federal Department of Health and Human Services (HHS), is intended to encourage innovation and lower barriers to entry.
Robotic Process Automation (RPA) involves using software robots to automate routine tasks in EHRs, such as data entry, scheduling, or claims processing. It's used in EHR integrations because of its flexibility in emulating manual human data entry, as opposed to vendor-sanctioned interfaces and database integrations, which may not allow data access that is as granular.
Case Events
Initial Business Relation
Real Time’s service offerings for its 1,700 SNF customers (out of an estimated 15k+ nationally) revolve around diagnostic analytics to improve clinical quality of care. The type of read-only data it requires includes “daily food and liquid consumption, temperature, vital signs, and other standard measures that the facility obtains on a regular basis” (source).
Real Time’s CTO Christopher Miller asserted that the company has depended on RPA bots to navigate PCC and extract this information from generated reports since the company was founded 12 years ago.
The company estimates that it would take 450 people working 24/7 to pull all of its required data from customers manually.
Citing the need to address security and software performance concerns related to non-human access to its platform, PCC has historically employed CAPTCHAs to require human verification. In the past, Real Time would have humans intervene and complete these CAPTCHAs so that the bots could continue pulling data.
PCC is a vendor for almost 80% of Real Time’s customers, many of which are in the state of Maryland, and in late 2020, PCC launched a new analytics offering. Since then it has acquired two of Real Time’s competitors and even won against Real Time’s bid for a multi-million dollar contract with the state of Maryland in 2022.
Weaponized Acquisition Talks
PCC considered an acquisition of Real Time and entered an NDA in early 2023. Real Time shared its proprietary business records including software design and use of RPA.
Notably, despite PCC's loud protestation against “bots” today, PCC never raised with Real Time any concerns about its exclusive reliance on automated software. After Real Time shared with PCC that it maintained the highest level of security certification in the industry, that “was the end of the discussion" regarding the security of Real Time's automated environment.
Later in the year, user accounts used by Real Time bots began to encounter indecipherable CAPTCHAs. See the following examples which were presented as court evidence.
PCC went silent and walked away from continued talks of acquisition.
Real Time attempted to pursue alternative choices. The first approach was to pay for PCC’s APIs and a supplemental data extract to be provided regularly to fulfill Real Time’s data needs. Both companies’ technical teams worked on this solution for around a month and the CAPTCHAs disappeared.
By November, cooperation broke down after Real Time was told that it was no longer going to get the data it required, and the CAPTCHAs reappeared. Here are some fun examples of the torrent of impossible images to decipher.
Real Time attempted to negotiate with PCC to export necessary patient data but was met with onerous terms in PCC's marketplace agreement, which would have severely impacted Real Time's business.
it prohibited Real Time from competing with PCC; allowed PCC to cancel the agreement for convenience at any time; and required Real Time to market its product through PCC. Real Time would also have to pay PCC a substantial per-facility monthly fee to receive only 30% of the data that it needed
After failed renegotiations, Real Time filed suit in January 2024, citing further business disruption caused by indecipherable CAPTCHAs implemented by PCC, which hindered Real Time's ability to serve hundreds of nursing facilities.
Arguments and Decision
Real Time sought a preliminary injunction under which the court would order PCC to stop these indecipherable CAPTCHAs from appearing. These types of injunctions are granted when there’s “a clear showing that the plaintiff is entitled to relief”. Real Time pressed three primary claims:
that the CAPTCHAs constituted unfair competition,
that PCC’s actions were wrongfully interfering with Real Time’s contractual obligations to its customers,
and that PCC was in breach of its contract with EHR customers, wherein Real Time is a third-party beneficiary.
Citing previous case law, Judge Xinis noted only one of the claims needed to hold in order for an injunction to be deemed appropriate. She ruled that the first two had merit.
Regarding the “tortious interference” with Real Time’s obligations, the court noted that PCC clearly knew of Real Time’s obligations to SNFs and that such indecipherable CAPTCHAs would prevent Real Time from providing its services. PCC’s other defense was that Real Time’s claim didn’t actually demonstrate a full breach of contract, just a hindrance. On that item, Judge Xinis cited Maryland law, which notes that hindering contract performance makes a party liable even if such actions do not fully cause a breach of contract.
The court’s assessment of the unfair competition claim is more relevant to the world of healthcare policy. The court ruled that PCC’s actions constituted violations of HHS’ information blocking rule and that it had been sufficiently demonstrated that there were no valid reasons for preventing Real Time’s bots from operating other than to deliver a specific negative impact to Real Time’s competitiveness.
HHS has outlined a few exceptions to information blocking, but the court ended up deciding that PCC did not meet the requirements of those exceptions.
Actors may use the Health IT Performance Exception to say that information blocking is necessary to uphold performance of IT systems. The court disagreed with PCC's citing of this exception because there was no data to corroborate that Real Time bots caused system outages. The court also noted that the CAPTCHAs were applied longer than necessary to protect performance, and it highlighted that PCC was discriminatory and inconsistent in applying these CAPTCHAs.
The Security Exception allows blocking to protect electronic health information security. Here, as with the performance exception, the court noted that PCC did not employ CAPTCHAs for security consistently across all users. More notable is the following quote:
“It also stands to reason that automated software used by a company with the highest security certification remains more secure than if the same company had to employ 450 individuals to perform the same task.”
The Manner Exception allows blocking information if there are sufficient alternative methods of accessing data. PCC, in the court’s eyes, did not provide sufficient evidence to suggest its APIs and other approaches were giving the full extent of data required by Real Time. Further, citing PCC’s firmness on the marketplace agreement, Xinis’ opinion notes “PCC appears more unwilling than unable to reach a mutually agreeable solution”.
This court opinion is rather intense. Here are some other notable quotes from Xinis’ opinion which highlight frustrations shared by many others seeking to achieve interoperability.
At best, the record suggests that on one day, PCC's retrieval system was slow for one facility while Real Time was pulling down reports.
Keeping in mind the size of PCC's own operations, one that pushes out prescriptions for over one million patients in a day, the Court cannot simply take Fourati's word for it that automated software use akin to that of Real Time makes a material difference in PCC's performance.
No evidence supports that PCC had any legitimate good faith use for wholly inscrutable CAPTCHAs which, by definition, blocked Real Time from getting the very records it needs to exist.
Real Time would face unpredictable, unplanned widespread business outages akin to that which it has withstood before. PCC, on the other hand, has given the Court no reason to believe that eliminating the use of such unsolvable CAPTCHAs would visit any harm to it.
Law and Interoperability
The legal conflict between Real Time and PCC echoes the broader struggle for interoperability in healthcare, similar to Epic's ongoing battle with Particle Health over data exchange. These cases highlight the tension between protecting proprietary systems and promoting data accessibility, a central issue in the evolving landscape of healthcare IT.
Although Real Time won an initial ruling, the fact that PCC filed for an appeal in August 2024 means this case could be heard again. The appeal centers on the fact that the Information Blocking Rule is a federal regulation for which Congress did not authorize parties to use state law to enforce violations, and that it was state law which was used to pursue the injunction.
Something to note is that demonstrating a violation of Information Blocking was simply a standard way to assess unfair competition in health IT: there are state regulations against unfair competition, and the federal regulations provide a framework for the court to make its judgement. Nonetheless, I’m neither the lawyers nor the appellate court.
Looking beyond, this case is going to be crucial to keep an eye on. This is a landmark case in that a court ruled that measures against RPA bots were not meaningfully addressing EHR vendor concerns about performance or security and that they’re instead likely driven by interests around competitiveness.
Many Terms of Service documents for health IT products prohibit screen scrapers, crawlers, and other bots — but if used as a data integration approach, could this be a suitable legal defense to prevent EHR vendors from imposing technical restrictions on bots?