Ober|Kaler

Considerations in Contracting to Purchase or License an Electronic Health Records System

Share

July 1, 2011

By: James B. Wieland and Joshua J. Freemire

Health Law Resource Center

Reproduced with permission from the Health Law Resource Center, Copyright 2011 The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com.

The following checklist provides guidance for medical providers regarding contracts to purchase or license an Electronic Health Records system and provides specific considerations for an Electronic Health Record that is intended to qualify for the incentives provided for in the Health Information Technology for Economic and Clinical Health (HITECH) Act for "meaningful use" of Electronic Health Records. [See final rule on meaningful use of EHRs, 75 Fed. Reg. 44313 (July 28, 2010).]

An Electronic Health Record ("EHR") is a software program that can make a patient’s health information available when and where it is needed. It has the capability to bring a patient’s total health information together in one place, and always be current – clinicians need not worry about not knowing the drugs or treatments prescribed by another provider, so care is better coordinated. EHRs don’t just "contain" or transmit information, they also compute with it – for example, a qualified EHR (an EHR which may be used to qualify for provider incentives) will not merely contain a record of a patient’s medications or allergies; it will also automatically check for problems whenever a new medication is prescribed and alert the clinician to potential conflicts. EHRs can improve safety through their capacity to instantly analyze all of a patient’s information and automatically identify potential safety issues—providing "clinical decision support" capability to assist clinicians. An EHR can also serve as a patient’s and a provider’s "legal" medical record – the official documentation of the patient’s medical care.

In short, EHRs offer medical providers and their patients substantial benefits, but also pose unique questions with regard to purchase or licensing agreements.

Medical Provider’s Checklist

Medical providers who are considering an arrangement to purchase or license Electronic Health Records software should engage in the following analysis before executing an agreement to purchase or license a vendor’s product.

  • Consider HIPAA implications of the various EHR contract models. In general, any vendor of any type of EHR will be a business associate of the covered entity that purchases or licenses the EHR. The only exception would be an EHR license in which the software was housed on the servers of the covered entity that purchased or licensed it and is never accessed by the vendor for maintenance or upgrades. Such arrangements are virtually nonexistent in today’s world.

    At its most basic, EHR software is housed on the servers of the covered entity, but the vendor will have access (usually through protected network access) for maintenance or upgrading of the software. In this situation, the vendor will have sufficient access to the Protected Health Information (PHI) stored in the software (the actual electronic medical records) to make it necessary that the vendor execute a business associate agreement (BAA) with the covered entity.

    More commonly, the EHR and the electronic medical records it contains are remotely hosted, in an arrangement traditionally referred to as an Application Service Provider (ASP) model. Here the vendor houses the software and maintains the electronic medical records on its own servers and the licensee accesses the software and the records it contains securely through the internet or another form of connectivity. Increasingly, under so-called Software as a Service and Cloud Computing Arrangements, variations on the longstanding ASP model, the vendor offers lower pricing to the licensee by making the EHR available "on demand" and the actual information constituting the electronic medical record is stored on a "space as needed" basis across a variety of servers owned or controlled by the vendor.

  • Analyze the degree of risk. While all of the arrangements discussed above require a BAA between the EHR vendor and the medical provider, BAAs should be negotiated with regard to the degree of risk to the provider in the arrangement, with the self-hosted arrangement being the least risky and the cloud computing being the riskiest. In short, the greater control the vendor has (rather than the covered entity provider), the greater the risk that actions or inaction on the part of the vendor could result in HIPAA compliance problems for which the provider would be ultimately responsible. The greater the risk that vendor action or inaction could result in a HIPAA violation, the more closely the provider needs to consider the following:
    • How robust are the vendor’s security measures?

      Comment: HIPAA requires business associates to maintain the same physical, administrative, and electronic security measures to protect PHI in the business associate’s possession as a covered entity. However, if the vendor has actual custody of the electronic health records, as in an Application Service Provider model, the provider must exercise greater due diligence than would be required if the vendor simply accessed the medical provider’s servers periodically for maintenance and upgrading.

    • Are there detailed procedures in place in the event there is a breach of the security of unsecured PHI in the hands of the vendor?

      Comment: A provider should not enter into an arrangement with a vendor that does not encrypt PHI in the vendor’s custody, particularly with a vendor who actually stores the PHI on the its own servers. However, breaches of unsecured PHI can still occur, as with unsecured PHI stored in a laptop or portable media of a member of the vendor’s workforce or through negligent or intentional conduct of a member of the vendor’s workforce. While a HIPAA compliant BAA need only provide that the vendor will notify the provider within 60 days of when the vendor knew or should have known of the breach (unless the vendor is deemed to be an agent of the provider under federal common law, in which case the vendor’s knowledge is imputed to the medical provider), notice should be provided at the earliest opportunity, in order to allow ample time to investigate the breach and make required determinations as to notice to individuals whose PHI was subject to the breach.

    • Beyond providing the basic "who, what and where" required by HIPAA, the vendor should be required to cooperate with the medical provider’s due diligence investigation. The provider should consider who will be responsible for the costs of providing notice to individuals and agencies, which can be quite expensive in the case of a breach involving a large number of individuals’ PHI. Ultimately, the provider should be concerned with the insurance and the underlying financial resources of the vendor, in the event an indemnification clause provides for the vendor to assume responsibility for financial damage to the medical provider caused by a breach.
    • Most EHR license agreements contain clauses limiting the vendor’s financial responsibilities for breach of the agreement. The provider should consider exempting violations of the HIPAA business associate agreement from these limitations, especially if the violations are the result of negligence or willful misconduct by the vendor.
  • Establish responsibility for EHR regulatory compliance. EHRs are subject to the same laws that govern paper patient records in most states, as well as the federal requirements of HIPAA. Providers should consider who will be responsible for monitoring changes in these laws and for the costs of providing changes to the EHRs necessary for providers to maintain compliance with the laws.
    • In general, the vendor should be expected to bear primary responsibility for monitoring changes in federal law and for either bearing the costs of those changes or for fairly allocating those costs across all licensees.
    • In the case of changes required by state medical records or similar laws, the issues are more difficult. It is reasonable, however, for the agreement to impose some responsibility on the vendor to monitor such changes and also to respond to notices of those changes from licensees. Costs of compliance should be fairly allocated among all similarly situated licensees, in a verifiable manner.

      Comment: Bear in mind that state laws often follow a pattern or model law that is enacted in similar or identical form in a variety of states, enabling greater cost sharing among contracting medical providers.

    • The vendor should be obligated in all cases to make required changes available, considering testing and implementation requirements, on a schedule that permits timely compliance with regulatory changes.
  • Provide for orderly transfer of information upon termination. Most EHR contracts, unless title to the software is conveyed to the licensee, require the licensee to discontinue use of the EHR and, if applicable, return or destroy all but an archive copy upon, or shortly after, termination of the agreement. In the case of an EHR contract, such a clause could seriously impair medical care by the licensee medical provider by, at the very least, impairing access to medical records stored on the EHR. A contract for EHR should contain provisions that reflect this.
    • The vendor should be required to cooperate with an orderly transfer of all information, in an industry standard or other agreed format, to the provider’s system or to the system of a successor vendor.

      Comment: The baseline industry standard is "ASCII, comma delimited," which is basically the electronic equivalent of a paper document and is thus readily exportable to other systems.

    • To the extent that such cooperation requires more than nominal effort on the vendor’s behalf, such as development of custom interfaces or translation programs, the provider should expect to pay the vendor’s fees, usually charges on the basis of the vendor’s published fee schedule. These fees should be negotiated and agreed in advance.
    • The provider should be able to continue to use the EHR, while continuing to pay appropriate fees, until such a transfer is complete and the successor system is up and running.

      Comment: Many vendors will impose some absolute time limit on this, such as a twelve month period after termination, and will not agree to provide upgrades (as opposed to maintenance required to keep the EHR functional) during the transition period.

    • Under no circumstances should the vendor be permitted to insert disabling code or otherwise turn off the EHR without the provider’s consent.
  • Decide upon uptime guarantees and disaster recovery. Depending on the data hosting arrangement and the agreed responsibility for EHR maintenance, the vendor will have a greater or lesser degree of responsibility for guaranteeing that the EHR will function, subject to downtime for scheduled maintenance. In addition, in most arrangements, the vendor will have obligations as to some minimum period of time to respond to reports of problems or malfunctions of the EHR, including complete unavailability of the EHR due to a natural or man made disaster.
    • The provider should recognize that the greater the uptime commitment and the shorter the time to restore the EHR following a problem, including complete unavailability due to a natural or man-caused disaster, the higher the fees the medical provider will have to pay.

      Comment: The mechanics vary, depending on whether the EHR is hosted on the medical provider’s server or hosted remotely by the vendor. In either event, however, given the importance of uninterrupted access to the EHR for purposes of patient care, careful balancing of cost versus availability is needed. The best, and most expensive, solution to a serious incident is to have duplicate servers running at two geographically separate locations. If one server goes down, the EHR system can immediately and seamlessly switch to the second, "mirror" server.

    • If the vendor provides help desk support for the medical provider, the provider should also negotiate guaranteed response times to reports of problems, should also be negotiated with keeping in mind the importance of access to medical records in mind. There should be a procedure for classifying the nature of a reported problem, from a minor issue up to unavailability of the EHR, with vendor response times specified for each and with procedures to escalate vendor resources in the event a problem is not remedied in a timely fashion.
  • Consider vendor recommendations for hardware configuration. Vendors of EHR will often have requirements and recommendations for hardware to be acquired by the medical provider. The provider should ensure that the license agreement contains a vendor warranty that such requirements and recommendations are appropriate for implementation and will allow the EHR to perform properly.

    Comment: This is particularly important with EHR, given the need to interface with multiple sources of input and multiple users.

  • Ensure compliance with the provider’s security and access policies. To the extent the EHR is hosted by the medical provider, the vendor will require remote access to the EHR and possibly physical access. The contract should provide that the vendor:
    • agrees to comply with the provider’s security and access procedures, and
    • will provide the provider with advance notice of any such access, even if it is remote.
  • Negotiate licensed volume. Some EHR licenses are priced based on the number of authorized users. Providers should consider and, if possible, pre-negotiate rate changes in the event the number of authorized users increases or decreases.

    Comment: Measurement of the number of authorized users should be an average over time, in order to avoid triggering an increase in fees for a short-term increase in the number of authorized users.

  • Designate vendor’s implementation team. Implementation of an EHR is a sensitive process that involves dealing with various levels of medical provider personnel over time. The best EHR system may not be successfully implemented if there is no user "buy-in." For this reason the provider should be sure the vendor designates at least one high level contact who is reasonably acceptable to the provider as the project leader and point of contact, and commit to using best efforts to keep the same person in place throughout the implementation process and, if necessary, to provide an equally acceptable successor.
  • Provide for training of medical provider’s team. Given the number of users of a typical EHR system, the provider should make certain that the vendor commits to appropriate obligations to train the provider’s project team and end users. The agreement should give the provider a clear understanding of:
    • the costs of training;
    • whether end user training will be for all end users of the system or will be a "train the trainer" approach; and
    • in the event training is at the vendor’s site, the costs and time commitments involved.
  • Consider appropriate warranties. In addition to usual warranties, such as performance in accordance with specifications discussed in the general technology contracting checklist, providers should consider additional warranties, such as:
    • A warranty that the EHR will support the medical provider’s qualification for Meaningful Use (see next section).
    • A warranty that the EHR will support compliance by the provider with HIPAA and state confidentiality of medical records laws.

      Comment: Vendors cannot guarantee such compliance, of course, since that depends on how the EHR is used by the medical provider. However, the EHR should have the various functionalities that are consistent with compliance by the provider.

    • Especially for those providers that file cost reports for federal programs, consider the need for a warranty that the vendor and the vendor’s personnel are not debarred/excluded from federal programs.
  • Avoid change orders. Because acquisition and implementation of an EHR is a complicated process, providers should make every effort to assess their immediate and anticipated needs prior to entering into negotiations. Once the ink is dry on the contract, any modifications will require a "change order," typically an expensive way to correct for a lack of proper planning.

Establishing Meaningful Use

The Medicare and Medicaid Electronic Health Record (EHR) Incentive Program offers eligible hospitals (EHs) and eligible professionals (EPs) substantial incentive payments for the Meaningful Use of certified EHR technology. A failure to meet the program’s detailed requirements, however, through the use of EHR technology that has received proper certification, may mean that an EP or EH has made a substantial investment in technology that will fail to qualify for incentive payments. EPs and EHs can substantially limit their investment risk by ensuring that the agreements that they execute with EHR vendors provide proper assurances of certification, continuation of necessary upgrades or patches, any required modifications, support and training, and a warranty that the purchased EHR system, when properly configured and implemented, will support the EH’s or EP’s attestation of Meaningful Use and application for incentive funds.

  • Include a description of intended functionality. The EHR Incentive Program requires that applicants make use of "certified EHR technology." That definition, however, includes both "complete" EHR systems (which provide all functionalities applicable to a provider type and service environment) and Modules (which provide one or more, but not all, specific functionalities necessary to provide a "complete" EHR technology). Depending on a provider’s existing technological infrastructure, it may be possible (and financially advantageous) to purchase only the Module(s) necessary to build a complete system. Similarly, providers purchasing an EHR technology should ensure that the licensing or purchase agreement specifically states whether the system purchased is intended as a Module or complete EHR, and, if a Module, which Meaningful Use functionalities it is intended to support. Accordingly, providers should ask the following questions:
    • Does the agreement specify whether the licensed technology is intended to function as a Module or a Complete EHR? (See 75 Fed. Reg. 44590 (July 28, 2010), the final rule on certification criteria, for a more in-depth discussion of the difference between Modules and Complete EHRs).
    • If the technology is intended to serve as a Complete EHR, is the EHR capable of supporting each of the functionalities sufficient to meet "all applicable certification criteria adopted by the Secretary"?

      Comment: For more on applicable certification criteria, see the Frequently Asked Questions on the website of the Office of the National Coordinator for Health Information Technology (the "ONC")), available at http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204.

    • If a Module, does the agreement specify the functionalities and associated meaningful use requirements that the technology is intended to support?
  • Establish certification procedures. Providers will only be considered to have met a particular Meaningful Use objective or requirement where they have done so through the use of "certified EHR technology." CCHIT and similar certifications, though useful and a sign of a sophisticated product, do not demonstrate "certification" as that term is used in the applicable Incentive Program regulations. Rather, providers should ensure that the technology has been (or soon will be) certified by a body authorized to provide certification by the ONC. Accordingly, providers should ask the following:
    • Has the technology already received certification for its intended use (either as a Module or a Complete EHR)?

      Comment: The ONC maintains on its website, currently at http://onc-chpl.force.com/ehrcert, a list of technologies that have already received certification and the parameters of the certification granted.

    • If the technology is intended as a Module, has it received certification in all areas for which the provider intends to rely on it?
    • If the technology is not yet certified, does the vendor have plans to seek or receive certification soon? Will the vendor include a warranty that certification will be received? (See also section below addressing vendor representations and warranties.)
  • Address upgrades and modification. Meaningful Use is not yet wholly defined. Providers will be required to meet at least three sets of objectives and measures (Phases 1, 2, and 3). As of April 2011, only Phase 1 measures had been finalized. Draft suggestions for Phase 2 objectives and measures included additional, entirely new requirements. Providers will want to ensure, to the fullest extent possible, that the technology they purchase will continue to receive vendor updates, modifications, patches, and the like to the extent necessary to ensure that it continues to perform as expected. The following questions are not intended to address issues of routine support and training (addressed below), but rather, to ensure that the licensed or purchased technology will be adapted as necessary to continue to meet a provider’s needs.
    • To what extent will the vendor modify the technology to meet changed Meaningful Use requirements?
    • Are there any charges associated with upgrades or modifications required by a change of law? If so, at what rate?
    • May the provider terminate the agreement early in the event that changes to the Incentive Program requirements (or other law) render the use of the technology unnecessary?
    • To what extent will the vendor support modifications necessary to ensure the purchased technology is able to continue to function in an environment that has been altered to meet Phase 2 and Phase 3 requirements?
  • Set parameters for support and training. Meaningfully using certified technology first requires that providers use the technology. Especially where providers are transitioning staff and others to an EHR for the first time, successfully using EHR technology will require a strong support and training structure. Providers, especially smaller providers without their own IT infrastructure, should be especially concerned with the training and support that a vendor will provide, how long it will be available, and any charges that will be associated. Accordingly, providers should ask:
    • Will the vendor provide training? How much and for how long?
    • Will the vendor provide technical support numbers or on-site technical support?
    • Will the vendor remain onsite to ensure the technology is properly installed and is operating as intended?
    • Is the vendor willing to train the purchaser’s IT staff, so that they are capable of providing routine support?
    • What will the turn-around time be on support requests? Is the vendor willing to guarantee a certain time frame for responses to support requests?
    • If there will be fees charged for support and/or training, what is the fee structure?
  • Address compatibility. Any EHR technology that is purchased to function as a module within a broader EHR system will need to interface with the pre-existing EHR infrastructure. Accordingly, providers should determine the following:
    • Will the vendor provide any support or modifications necessary to ensure proper compatibility with existing systems?
    • Will the vendor return, as necessary, to perform any modifications or patches necessary needed to ensure continued compatibility?
    • To the extent the vendor is willing to provide continued compatibility support, how long will this support be provided?
    • Will there be any charges associated, and, if so, following what structure?
  • Ensure sufficient vendor representations and warranties. The provider should ensure that the EHR vendor provides sufficient warranties, especially concerning certification and Meaningful Use utility, that they can be assured of the continuing value of the technology. Accordingly, in the agreement:
    • Vendors must represent and warrant that the technology is theirs to sell or license.
    • Vendors should represent and warrant that the technology is free of known, material defects or failures and will perform the functionalities specifically identified in the agreement when properly installed and implemented.
    • The vendor must warranty that certification, for each and every identified functionality if a Module, or as a Complete EHR, as applicable, will be maintained for the entire term of the agreement and any renewal terms. Providers may consider, especially with regard to Module technology, language stating that the certification for the technology will be maintained for all functionalities that are currently certified.
    • Providers should request language warranting that the technology, when properly installed and implemented, will support the providers’ Meaningful Use attestation. At a minimum, the vendor should warrant that the technology, if properly installed and implemented, will not impede a provider’s ability to claim Incentive Program funds.
    • Vendors who will install and/or implement EHR technologies on the purchaser’s behalf should be asked to provide warranties regarding its their proper, functional, and complete installation.
    • If the technology is not yet certified, the vendor must represent that the certification effort is underway, and warrant that certification will be received within sufficient time for the provider to implement the system and demonstrate a sufficient period of Meaningful Use.
  • Provide for indemnification. Vendors should indemnify providers against:
    • claims, costs, or penalties arising from defects in the technology – for instance, a failure to properly identify drug-drug or drug-allergy interactions, where such a capability has been specifically identified as required in the agreement.
    • any claim that the technology was not the vendor’s to sell or license (e.g., any patent or trademark claims).
  • Address treatment of damages. Damages should not be limited to the purchase price or licensing fees paid. Rather, where a vendor’s breach results in a provider’s inability to qualify for Incentive Program funds, that lost revenue should be included.

    Comment: This is especially true where, due to time constraints, the provider was not able to replace or repair the technology to the extent necessary to meet Incentive Program deadlines.

    • Vendor’s damages should be limited to any unpaid licensing fees or the technology purchase price.

 

© 2013 Ober|Kaler All Rights Reserved.