Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Negotiate contracts with EHR software vendors now, avoid trouble later

Cloud service providers are complicating the standard EHR vendor contract. As it turns out, providers should be altering these before signing on the dotted line anyway.

Imagine your hospital, struggling to pull out of bankruptcy. Imagine paying Allscripts Healthcare Solutions Inc. $17,000/month to store your electronic health record (EHR) data, when a local vendor could do it for $1,200/month, or 7% of that. But Allscripts won't help get your data there from here, unless you keep paying that $17,000/month.

Does that sound like a scare-tactic nightmare scenario dreamt up by competing EHR software vendors? It isn't. It's exactly the situation in which Saint Vincent Catholic Medical Centers found itself earlier this year, according to a recent report in Crain's Health Pulse (registration required).

The problem facing contracts with EHR software vendors is that, if a health care provider even has to refer to them in the first place, that can signal a relationship shifting away from a collaborative partnership -- which it should always be, said New Hampshire Regional Extension Center project director David Delano. He runs NHREC's meaningful use services and health information exchange (HIE) technical services for critical access hospitals.

The one horror story he's seen personally occurred when a well-known health IT vendor decided to stop supporting its EHR, despite contracts extending that support past when it took the EHR offline. Eventually, Delano said, the vendor ended up paying for much of the database conversion services to get a particular medical facility on to another vendor's system. But settling the matter took years of onerous legal negotiating, stopping just short of a lawsuit.

The pages of that particular contract were "literally worn out," Delano said. "The best contracts are the ones you never have to look at because you sign them, everything is delivered according to a schedule and both parties are happy. The ones you don't like are the ones you find yourself reading."

Because of situations like Saint Vincent's and the EHR vendor who pulled the plug on its EHR, it's clear that not every vendor-provider relationship resembles Shangri-La, either. That's where a little forethought in contract negotiations can come in handy before those legal documents put patient data in an untenable situation.

Cloud-based EHR software vendors changing the contract landscape

A "disentanglement clause" in the EHR contract might possibly have helped Saint Vincent's, said attorney Diana McKenzie, who negotiates health IT contracts in her position as partner and chair of the Information Technology and Outsourcing Practice Group at the Savannah, Ga., law firm of Hunter, Maclean, Exley & Dunn PC.

Such clauses mandate the vendor use standards or commercially reasonable efforts to assist the customer in migrating to another vendor. They're becoming more and more important as cloud services make their way into the EHR marketplace, because cloud storage can add a layer of complication to vendor-provider relationships. While disentanglement clauses are relatively easy to negotiate into a contract, McKenzie said, providers who don't hire legal help versed in software contracts don't always know to get them written into their agreements.

This situation is evolving, however. Through meaningful use rules, the Office of the National Coordinator for Health IT (ONC) is reinforcing tenets laid out in federal and state laws underscoring the notion that patients -- not vendors or health care provider -- owner their health data.

"[ONC] is reiterating what the law in virtually every state of the country says," McKenzie said. Not only do software vendors have to follow state and federal laws relating to health data ownership, she added, but many consumer-protection laws overlap, too.

Worries about potential disentanglement issues, not to mention cloud security and cloud uptime, McKenzie said, should not stop providers from taking a hard look at cloud service providers. These vendors are better at creating secure, climate controlled, disaster-recovery-ready data center environments than whoever's responsible for IT at many physician offices she's seen. Physicians should measure the risks of both physical hosting of EHR systems and the cloud alternatives, she concluded, in making their vendor selection.

Most contracts with cloud EHR software vendors, Delano added, have a service-level agreement (SLA) attached to them. These define how the vendor will make data available and accessible, what happens when the server goes down, and other stipulations explaining the services that will be provided -- and what happens if they're not provided.

Don't just accept the boilerplate during vendor contract negotiations

Delano points out that one potential sticky issue for people uninitiated with the software contract process is the seats-vs.-concurrent-users license model. While buying 100 seats might seem like the way to go, it involves licensing particular people, and wanting new employees to have access involves getting new licenses. Often, the license that allows for a set number of users at a given time works better in the hospital environment.

Boilerplate payment terms are another part of contracts with EHR software vendors that the present buyer's market allow for customers to negotiate, said Andrew Principe, former associate director of clinical computing at the Joslin Clinic in Boston and present vice president of health care solutions for Arcadia Solutions LLC. While the total price might not change, he said, it's sometimes possible to pay for a system over a longer period or to base payment terms on mileposts such as meaningful use attestation.

Principe advised providers to ask a lot of questions, especially of cloud EHR vendors, about secondary uses the vendor might have up their sleeve.

The best contracts are the ones you never have to look at because you sign them, everything is delivered according to a schedule and both parties are happy.

David Delano, project director, New Hampshire Regional Extension Center

"[At Joslin] I was known as somewhat of a bulldog when it came to negotiating where data was stored and how it was used by anybody in the chain of custody," Principe said. "That was because our organization's value proposition was that we understood the diabetic patient better than anyone else. We were willing to pay a premium for hosting vendors that had no usage rights to that information; I never wanted to enter into an agreement where we were getting, essentially lower rates because we were giving away our secret sauce -- a highly concentrated database of people living with diabetes."

That's all changing, too, he said, as the law evolves to more stringently protect patient data as well as their ownership.

Because health care providers need advanced analytics for participating in federal- and private-payer quality reporting initiatives and the accountable care organization (ACO) model, EHR vendor agreements should make it clear that patient data must be available to run reports and possibly attach to a separate enterprise data warehouse, said Heather Budd, chief operating officer at Blackstone Valley Community Health Care, which operates several medical and dental locations in northern Rhode Island, including a federally qualified health center (FQHC).

"The data itself is now powerful, unless you can organize it in a way that is useful," Budd said. "Relying on an EHR vendor to do that is dangerous. They don't understand business the same way that a provider organization does, and they don't have the nimbleness required to keep up with the changing environment, needs and requirements…to report to external entities."

A few more tips for negotiating EHR vendor contracts

In addition to the above tips, McKenzie and Delano said physicians -- or the IT departments that serve them -- should take into consideration these additional facets of vendor contract negotiations.

  • Where will the litigation take place? If it comes down to court or arbitration action, have it written into the contract that it will take place in your state, not the vendor's.
  • Define and quantify what "access to patient data means," and set your expectations.
  • Interfaces -- that is, connections between the new EHR and your existing applications, and to outside entities such as a local HIE -- are commonly overlooked. Make sure the ones you need are written into the contract, and that deadlines are set for their completion. Specs for an interface can even be written into the contract, if there's any doubt.
  • On the same token, manage your own expectations and don't go overboard. Mandating 75 interfaces might be overburdening the vendor, but it might agree just to get the contract signed. That sets everyone up for failure, Delano said.
  • Seek advice about a particular contract. Sources can include IT advisory groups, local consultants, IT-minded professional associations, the local regional extension center (REC) and research think tanks with an IT bent such as Gartner Group. All have best-practices materials that can be helpful. If you seek legal help, find someone with experience with software contracts; those without can unintentionally shift a lot of risk to the customer.
  • Make sure the EHR vendor -- especially if it's a cloud services vendor -- takes responsibility for its subcontractors. For example, if the cloud EHR vendor subcontracts data storage to another vendor, make it clear in the contract that the EHR vendor is responsible for uptime and availability, lest you, the customer, get caught in a "he said, she said" vendor war where no patient data is online.
  • Often overlooked, settling the matter of vendor implementation services (what exactly they will be, and setting firm deadlines for their completion) will help EHR customers have a solid start date for their EHRs going online -- and will hold the vendor accountable for promises salespeople often make.
  • In addition to HITECH's HIPAA data breach notification laws, many state consumer-protection laws cover victims of health data theft. While it might be written into a HIPAA business associate agreement you sign with a cloud EHR vendor, consider making the vendor responsible for credit monitoring services (or insurance to cover it) for patients if they have a breach.

While credit monitoring isn't always mandated by law, McKenzie said, it's becoming much more common for customers to hold vendors liable for what can be significant costs depending on the number of patients involved.

Delano concurred on that last point. "Especially if it's a Software-as-a-Service or cloud model, you want to make sure [vendors] have clear language about their policies, structures and procedures…and who's responsible for any loss in the event of a breach or if there's loss of any patient records."

Let us know what you think about the story; email Don Fluckinger, Features Writer or contact @DonFluckinger on Twitter.

Dig Deeper on Electronic health record (EHR) implementation

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.