- QualSight LASIK Achieves HIPAA Compliance After Attempted Hack
- HIPAA Compliant Hosting
- Delivering the Future of Healthcare: Maintain Compliance, Improve Efficiency and Continuity of Care...Virtually Anywhere
- Sizing Up Your Cloud Options - Is Now the Time?
- Event Log Management & Compliance Best Practices: For Government & Healthcare Industry Sectors
The HITECH Act assigned Regional Extension Centers (RECs) with the task of disseminating knowledge, skills and best practices related to electronic medical record (EMR) system acquisition, implementation and operation to healthcare providers in need of such guidance.
RECs have the potential to serve as a valuable resource, especially for remote and underserved paper-based primary practices. However, RECs could be doing a disservice to physicians by failing to advise or provide them with essential EMR contract negotiation skills.
With HITECH Act incentives expiring in just a few years, healthcare providers will likely get only one chance to qualify for the full amount of the incentive payments. Thus, successful implementation and operation of an EMR system by the selected health IT vendor becomes critical to each healthcare organization trying to achieve “meaningful use” and take advantage of the incentive program.
In this environment, strong and effective contracts between healthcare providers and health IT vendors is especially significant, because such agreements can provide adequate protections, safeguards and other rights for the provider-customer, in the event a vendor defaults or otherwise fails to perform to the provider’s satisfaction.
However, most health IT vendors present their prospective customers with “standard” form agreements that fail to provide sufficient safeguards and warranties to offer any real protection. This affects smaller physician practices in particular, because such practices do not have the resources or the leverage necessary to negotiate with sophisticated health IT vendors.
Furthermore, many providers, including small or solo practices, may enter into remotely hosted, software-as-a-service (commonly known as SaaS) ASP or other so called “cloud computing” arrangements. These type of arrangements may be particularly worrisome, especially when the health IT vendor does not even permit the customer to negotiate the agreement, instead requiring the customer to accept the vendor’s terms and conditions by merely clicking a button or checking a box, as if the EMR software or system component such physician is acquiring is akin to downloading songs on iTunes.
Potential problems with such take-it-or-leave-it “click-through” contracts are numerous. For example, vendors provide minimal warranties with respect to how their software will function, while capping their own liability at a remarkably low amount, leaving the provider-customer on the hook for most direct and all consequential damages relating to software malfunction (which is especially onerous in the clinical field), privacy breaches or even the vendor’s own negligence and breach of contract.
Provisions regarding data ownership, as well as access to and privacy and security of provider-customer’s data (including patients’ protected health information), rarely provide the safeguards necessary to protect the provider-customer from unauthorized access or use of such data, including a possibility of the vendor holding such data hostage.
Most troubling, perhaps, are the indemnification obligations imposed by vendors on provider-customers. It is not uncommon for vendors to require customers to indemnify them for any third party claims brought against the vendor as a result of the vendor-provider relationship, even where the vendor is at fault.
Agreeing to such a provision could be disastrous for providers whose existing contracts with malpractice insurance carriers may exclude such indemnifying arrangements from coverage. In other words, if a physician agrees to indemnify one’s EMR vendor, and incurs damages as a result of this obligation, that physician’s malpractice insurance company may refuse to cover such damages.
RECs have an enormous reach and significant resources, and should therefore play a crucial role in educating healthcare providers about the importance of negotiating health IT contracts, as well as the most important provisions therein.
Aside from the education and outreach efforts, RECs may also consider offering sample or form contractual clauses to providers, or be more creative and pre-negotiate the most significant contract terms on behalf of its providers with the major health IT vendors. All such efforts will ensure a smoother transition to digital records, increase providers’ chances of achieving meaningful use, and protect providers from unnecessary risks and liabilities.
-- Steven J. Fox is a partner and the chairman of, and Vadim Schick is an associate in, the information technology group at Post & Schell, P.C. Fox and Schick focus on negotiating health IT contracts and counseling clients regarding data privacy and security matters.