Health IT Contracts Offer Little Protection For BuyersHealth IT Contracts Offer Little Protection For Buyers

As healthcare providers purchase electronic health record software and other health IT to meet meaningful use requirements, they must insist that the legal contracts they sign with vendors will protect their interests.

Last week at the American Health Information Management Association's (AHIMA) 2010 Legal Electronic Health Record (EHR) Conference in Chicago, Steven Fox, a lawyer focusing on health IT issues with law firm Post & Schell, urged healthcare providers to ask themselves key questions when acquiring EHR technology to achieve meaningful use, including: What technology and services should be purchased? What is to be paid for and when? How to assure that requirements will be met? And what happens if the product fails?

"Many health IT vendors offer online contacts that prompt the physician to click the 'agree' button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products 'as is,' which means if something goes wrong they are not responsible," Fox told information after his presentation. "Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem."

Fox, who is chair of Post & Schell's IT group and co-chair of the data protection group with a concentration on health IT, said healthcare providers should remember that meaningful use is an evolving requirement, and that, while we know the requirements for Stage 1, we don't have final rules for Stages 2 and 3.

Under the Centers for Medicare and Medicaid Services (CMS) EHR incentive programs, reimbursements will be issued to eligible hospitals and professionals as they adopt, implement, upgrade, and demonstrate meaningful use of certified EHR technology. The incentive programs, which will begin in 2011, are designed to support providers in this period of health IT transition and encourage the use of EHRs in meaningful ways to help improve the quality, safety, and efficiency of patient health care.

According to Fox, as the timetable for implementing EHRs and demonstrating meaningful use requirements draws near, healthcare providers should be cautious of standard vendor contracts with calendar-based payment terms. Further, payments should be linked to vendors' performance toward achieving meaningful use criteria. Providers should also demand objective milestone payments to retain control of the implementation process.

"We do know there will be new meaningful use requirements for Stage 2 and 3, and it's a moving target. Many vendors are unwilling to agree to future, unknown regulations, saying 'We don't know what we don't know,' but vendors need to remember that providers are paying them a lot of money for support and maintenance to meet those requirements. This is a big area of tension between providers and vendors right now," Fox said.

For those providers adopting software-as-a-service models to outsource their EHRs, Fox recommends that providers restrict vendors from holding data "hostage" and ensure unfettered access to customer data, including protected health information (PHI), on vendors' systems.

He also said providers should insist that vendors routinely back-up data and mandate the return of customer data upon termination of the contract as well as ensure security of data and access to such data if the vendor goes out of business.

With regard to security, Fox said providers need to stress confidentiality of PHI and make clear who owns the data and establish guidelines for the use of data by a vendor. Healthcare providers should also negotiate agreements that include intellectual property issues, obligations of nondisclosure, remedies for breach of patient information, and indemnification obligations.