Healthcare providers (Providers) rely on third-party vendors to provide Electronic Health Record (EHR) software services. Because of the volume of protected health information Providers store in these services, and the degree to which Providers depend on them to run their practices, it is critical that Providers carefully review their agreement with the EHR software vendor. This article highlights key terms for Providers to review and negotiate.
Protection and Storage of Protected Health Information (PHI)
Providers must ensure the EHR software vendor adequately protects and stores the PHI of the Provider's patients. Not only should Providers ensure that the PHI is stored in the United States, they should also ensure that all processing of the PHI is performed in the United States. Further, the Provider must ensure that access to the PHI is limited to those employees of the EHR vendor who have a need to access such information.
Providers must also carefully review the security measures the EHR vendor has in place to maintain the confidentiality of PHI. These security measures include not only the administrative, physical, and technical safeguards required under the HIPAA Security Rule, but also the disaster recovery and breach notification plans the EHR vendor has in place. A disaster recovery plan ensures that the EHR vendor has procedures and mechanisms in place for bringing the EHR software services back online in the event of a system-wide outage. The breach notification plan ensures that the EHR vendor has procedures and mechanisms in place to identify and contain any breach of PHI and to promptly notify the Provider and any affected individuals. Because the HIPAA Breach Notification Rule allows a business associate up to 60 days after discovery to notify the covered entity, and the Provider's own deadline for notifying affected individuals runs in parallel, Providers should negotiate a contractual notice period that is considerably shorter than that statutory outer limit.
Termination and Transition
Providers must carefully review and negotiate the termination provisions of EHR software agreements. Providers must ensure that they will still have access to patient data after termination of the agreement. Further, Providers should negotiate for assistance during a transition period after termination to ensure the Provider can transfer its patients' data to another vendor. A failure by the Provider to thoughtfully negotiate termination provisions may result in the Provider losing patient data, or may force the Provider to continue the relationship with the EHR vendor because terminating it would cause significant disruption to the operation of the Provider's practice.
Indemnification
Indemnification terms are designed to transfer certain risks to the party that is in the best position to control them. Providers must ensure that their EHR vendor agreement contains indemnification provisions sufficient to protect the Provider. For example, the Provider should ensure that the EHR vendor agrees to indemnify the Provider for any claims or damages arising from any breach of PHI or other confidential information of the Provider, any virus, malware, or other harmful code introduced into the EHR software services, any corruption of the PHI or other data of the Provider, and any violation of law by the EHR vendor.
For additional information, please contact Kristin Biedinger.