10 essential provisions to include in EHR contracts

Published December 20 2017, 4:00am EST


As more healthcare organizations are considering potential changes in electronic health records systems, providers need to take a fresh look at the contracts they’re signing. Providers need to insert more protections in their legal documents as they make decisions to change vendors; in addition, the importance of contractual language became more apparent this past year in light of events surrounding the federal government’s $155 million settlement with eClinicalWorks over allegations made in a False Claims Act lawsuit, says Corinne Smith, healthcare attorney with Strasburger & Price, LLP.

As providers look to assess contracts with EHR vendors, here are some key provisions that contracts should contain to improve organizations’ legal protection.

1. Ensure EHR certification is current

The protection afforded by the certification of a vendor’s products is crucial. Providers should make certain that a vendor’s products are certified, and contracts should specify their options if, in a worst-case scenario, a product is decertified or called into question by the federal government.


2. Require continued certification

In contracts, “I put in that the vendor is required to meet and maintain the product to continue to meet standards,” says Smith, who’s worked for Seton Healthcare Family and UT Health Science Center San Antonio with complex healthcare transactions and contracting. “I’m often surprised at how few contracts have ONC certification stipulations in them. Similarly, there needs to be an obligation in the contract requiring the vendor to update software to meet regulatory changes.”

3. Establish a business associate relationship

EHR vendors often work with live patient data, so ensuring compliance with HIPAA requirements is essential, Smith says. “A vendor needs to be a business associate for HIPAA purposes, and the contract needs to have a business associate agreement attached to it.” Essential provisions for HIPAA need to spell out who will pay the costs of a breach related to vendor activities, and how the hospital will be indemnified, specifically for cyber liability. “General liability doesn’t generally cover cyber liability,” Smith notes.

4. Ensure auditing of system access

Some health organizations are beginning to add language that enables them to audit the vendor’s security logs to determine who has had access to the provider’s live system and data. “It’s hard to have good assurance about privacy and security of data if you don’t have that kind of audit written into the contract,” Smith asserts.


5. Specify what services are included in the contract

As EHRs become more complex, it’s important to know what’s included in the contract and what’s not. That seems basic, but product demos may include third-party software as part of the show; then, when providers begin to install, they may be surprised that they’re not getting everything they saw in demonstrations. “A vendor may be using a third-party vendor for a dictionary, or an interface for certain software may be an extra cost,” Smith says. “Make sure there is no hidden cost—you’re entering a several million dollar contract, so make sure you’re not nickel-and-dimed.”

6. Ensure all punch list items are finished

EHR installations are complex, and often, many granular tasks need to be completed before a vendor is completely finished and receives the final payment. A significant payment for the final installment should be negotiated and contractually withheld until the punch list has been finished to the satisfaction of the provider, Smith says.

7. Require access to software code

Agreements with HIT vendors should also look ahead to the possibility that an EHR system change might happen in the future. In that case, a provider organization will need access to the code for the vendor’s product so that it can reach the data in the old system and effectively transition it to another system.


8. Ensure support in the case of a transition

“A contract should ensure that an EHR company will work with a provider on a transition to a new system and cooperate in the conversion,” Smith says.

9. Specify support requirements and ensure flexibility

Support agreements with an EHR vendor can also be complex in terms of the service required and its cost. “Support agreements can be very lengthy, and providers need to have a good ‘out’ provision, so you don’t have to buy support from the vendor,” Smith says.

10. Enable an exit strategy in cases of fraud

Contracts should include provisions that allow termination in the case of fraud. Surprisingly, most provider contracts with HIT vendors don’t have this kind of provision, Smith says. Sometimes, the definition of fraud is difficult to find. For example, is it fraud when a marketing staff promises a product can do something, but then a provider finds out it can’t, or can only do so for an extra expense? “Include any correspondence or sales presentations as exhibits to the contract,” Smith advises.