With lawsuits and data breaches a constant threat, providers need to comply with regulations while staying safe from liability.
As legislation like the Health Information Technology for Economic and Clinical Health (HITECH) Act encourages (or requires) healthcare systems to adopt electronic medical records (EMRs), providers are faced with a series of potential pitfalls. And in light of high-profile data breaches and recent lawsuits over mishandled healthcare data, it is essential that health systems do everything they can to both comply with regulations and stay safe from liability.
“The legal landscape has changed on a myriad of levels,” attorney Kevin Wood told Healthcare Analytics News™ in a recent interview. Wood specializes in healthcare as a partner for Texas-based law firm Strasburger & Price. Vital to both safety and compliance, he said, is a well-written contract between a provider and its EMR vendor.
To start, a good contract must assign liability and offer protections in case of a data breach. Whether data is stolen by bad actors or just mishandled by either the health system or EMR vendor, Wood said that both patients and governmental agencies that issue payments will often blame the hospital first.
“5 years ago, very few people had cyber liability insurance coverage. Today, that’s a consideration folks have to have,” he said. Providers will want their vendors to have that coverage in the event of a breach, particularly if the breach was the vendor’s fault. While data breach insurance deals are growing from $1 million or so when they first appeared to over $10 million in some cases today, even that may not be enough.
Rapid changes in technology also need to be addressed by any contract. It is becoming increasingly common for healthcare providers and EMR vendors to store troves of patient data in external servers or on the cloud, but for security, liability, and value purposes, “You have to make sure that the contract is very clear that the hospital owns that data,” Wood said.
Hospitals also should use contracts to ensure ongoing training and support from their EMR partner. “Systems don’t last forever. An EMR purchased today may not even be supported 5 to 7 years from now,” he said. Even 5 years is “eons” in today’s technology landscape, according to Wood, and the clinicians tasked with using the system should be guaranteed ongoing training to stay abreast of updates and best practices.
And providers should structure their contracts so final payment is not granted until the EMR system is successfully integrated into their workflow. “A lot of times what happens with software vendors like this is a 1-sided contract. [Healthcare providers] are going to have a lot of pressure to pay almost all or all up front, and you’ve got to wind back from that. You want them some incentive to get that payment,” Wood said. Such provisions give the healthcare provider leverage in case of unexpected delays in implementation.
The attorney also recommends health systems strive for documentation that is “crystal clear on response times.” In case the system goes down, wording like “best efforts” and “timely manner” won’t cut it.
“There are things they need to respond to immediately, there are certain things they need to respond within 24 hours, there are certain things that could take 2 to 5 business days,” he said. “Be very clear in the discussions, lift out the things that are urgent, emergent, or day-to-day operations.”
It’s on the healthcare provider and their EMR partner, Wood said, to determine the amount of flexibility that a contract can have. Specificity is important for ensuring both sides get what they need from the relationship, but in a rapidly evolving space like healthcare technology, too much of it may lead to constant amendments.
Most important, according to Wood, is patience. He spoke of a client hospital that recently spent 4 months negotiating a contract with their EMR vendor—and that was a renewal. Were they migrating to a new EMR system, he would expect the process to be even longer.
“It’s more of a marathon than a sprint, and you have to keep that in mind. Today’s business world is very ‘we want it now,’ or perhaps you just have a broken EMR system and you want something new. You’ll still have to be very mindful of the details,” Wood said.