American College Of Surgeons - Inspiring Quality: Highest Standards, Better Outcomes

Negotiating the EHR Vendor Contract - Part 3

Confidentiality, Privacy, and Security

Another set of hidden dangers relates to confidentiality, privacy, and proprietary rights. Most contracts contain terms protecting the vendor’s trade secrets and restricting access to the software. However, it is rare to find similar protections for the provider. Surgical practices should protect their proprietary interests in their patient and other information, and insist on mutual confidentiality obligations with strict limitations on the vendor’s use of patient information. This is especially important in light of the substantial changes to the existing HIPAA rules as mandated by the HITECH Act and the accompanying regulations. Privacy and security issues are now directly related to a provider’s ability to amend and/or terminate the contract for a vendor’s failure to comply with applicable laws, fair allocation of compliance costs, and requirements for vendors to enter into business associate agreements, where applicable.

Termination and Transition

Vendors should not be able to terminate the contract, except for a very serious breach by the provider. Even if such a breach occurs, the agreement should afford the surgical practice sufficient time to cure the problem and require the vendor to notify multiple executives and representatives of the breaching party.

After termination or expiration of the contract, the vendor should offer the provider at least 6 to 18 months of transition services, including helping the practice or institution to transfer its data to a new vendor. The provider should, of course, pay for such services at negotiated contract rates.

Liability and Indemnification

The limitation of liability clause is often one of the most contentious areas of negotiation. However, failure to adequately address this area may result in the provider’s inability to recover or even claim damages for actual losses suffered as a result of breach of contract or negligence by the vendor. It is essential to “carve out” from the limitation of liability a number of areas, including: breach of confidentiality and privacy; personal injury, death, and property damage; intellectual property infringement; and vendor’s breach resulting in the provider’s failure to achieve meaningful use in a timely manner.

A good contract should also contain strong indemnification provisions and warranties. The indemnification should protect the purchaser from the following: HIPAA and privacy/confidentiality violations by the vendor; third-party claims for bodily harm, injury, or death caused by the vendor’s personnel or software; and claims that the software infringes on third-party patents, trademarks, or copyrights or misappropriates trade secrets.

Most troubling, perhaps, are the indemnification obligations some vendors impose on providers. It is not uncommon for vendors to require providers to indemnify them for any third-party claims brought against the vendor as a result of the vendor-provider relationship, even if the vendor is at fault. Agreeing to such a provision could be disastrous for providers whose existing contracts with malpractice insurance carriers may exclude such indemnifying arrangements from coverage. In other words, if a surgeon agrees to indemnify the EHR vendor and incurs damages as a result of this obligation, that surgeon’s malpractice insurance company may refuse to cover such damages.

SaaS/ASP models

Some vendors offer traditional software and equipment products as well as ASP, Remote Hosting, and SaaS models of their EHR systems. These subscription-type models pose significant additional risks to providers. One of the biggest disadvantages for surgical practices using these models is that they have no actual access to, or possession of, their data independent of the vendor. Thus, there is a real concern that the vendor could hold the provider’s data hostage (e.g., because of a payment dispute), as well as concerns arising if the vendor ceases business operations. Surgeons need to negotiate broad protections and rights to access their data in such deals, including: barring vendors from ever holding the provider’s information hostage; mandating regular backups of data; and explicit provisions regarding return of any provider data upon termination of the agreement.

Top 5 Tips

  1. Everything is negotiable, including costs and the small print/large print waivers or warnings; do not hesitate to negotiate caps on liability or indemnification provisions.
  2. Ask an attorney who is familiar with health information technology (HIT) contracts to review the contract (which should be provided initially in a modifiable format by the vendor), including terms and conditions that could result in additional costs or penalties to the provider.
  3. EHR software should satisfy all federal and state regulatory requirements (including privacy and security obligations) and become certified for purposes of achieving meaningful use.
  4. Include all written and verbal agreements in the contract, including any representations, warranties, and software documentation.
  5. Link all payments to vendor’s performance obligations rather than calendar dates (e.g., link payments to completion of implementation milestones, acceptance, or go-live dates, rather than contract signing or a number of months after the effective date of the agreement).

If you have further questions about the Medicare and Medicaid EHR Incentive Program, please contact Molly Murray at or 202-672-1506.