Selecting EHR Vendors: An ounce of prevention is worth a pound of cure

Management of electronic health records (EHR) is a complicated yet necessary task in the modern practice of medicine. To reduce the administrative burden of managing EHR, many physicians and other healthcare practitioners look to vendors that promise various user and cost efficiencies that no medical practice would decline. Unfortunately, many relationships with EHR vendors begin without careful review of the “fine print” of the vendor’s agreement, creating a myriad of problems on top of the complications already presented by EHR. As a result, a little advance preparation and analysis of an EHR proposal can help prevent that relationship from becoming bitter.

Here are a few things to consider before signing on that dotted line:

  • Interface between the new EHR system and other software the practice is using. First and foremost, will your practice management system (PMS) properly interface with the new EHR system, or will it be necessary to upgrade or purchase additional software to achieve functionality? Most EHR vendor agreements require the practice to pay for such upgrades, which may cause the overall cost of the proposed EHR system to be significantly more than advertised.
  • Training you and your staff to use the new system. If the EHR system will interface with your PMS, will it “interface” with your current staff? Not every program is user-friendly, and functionality can be lost if users do not know how to utilize it. Make sure to ask what training the vendor will provide without additional or exorbitant cost, keeping in mind what training timeframe works for your practice. Where possible, also try to negotiate hard deadlines and cost caps.
  • Responsibility for ensuring HIPAA compliance. HIPAA imposes privacy and security obligations on healthcare providers. These security obligations include technical safeguards that many physicians assume are being taken care of by EHR vendors. This may not be the case. In reality, most vendor agreements expressly provide that you as the physician have the sole responsibility for HIPAA compliance.
  • Data breach. The next question to ask is what happens if there is a data breach. Even if an EHR vendor takes some responsibility for HIPAA compliance, that does not answer the question of what the vendor will do in the event of a data breach. Discuss indemnity and defense obligations that require the vendor to pay for breach notices required by law as well as third-party claims for unauthorized disclosure of sensitive information. It is also important to try to make sure that the vendor’s limitations on liability do not apply to these obligations.
  • Data hosting. If the vendor hosts EHR on its servers, what are its requirements to ensure uptime and disaster recovery? If it does not follow those requirements, what is your recourse? Are you required to simply sue, or will the vendor provide a credit? Automatic service credits required under the agreement for failure to meet uptime requirements are becoming more and more common, so do not hesitate to ask for such a provision.
  • Cloud storage. Cloud storage is yet another complication. If you or the EHR vendor use cloud storage, that cloud storage is likely managed by another company. Make sure to review those terms to determine whether they are HIPAA-compliant and whether cloud storage comes at a separate cost.
  • Data migration from one provider to another. If you are thinking about switching from one EHR provider to another, review your current vendor agreement to determine what obligations (if any) your current provider has to help move EHR to a new provider. You should also ask new potential vendors what they are willing to do to help with EHR migration. There is no standard EHR record format, so there is no guarantee one vendor’s particular files will work with a new vendor, and you want to avoid being forced to review paper or PDF files.
  • Product warranties and your recourse. Most EHR vendor agreements provide a limited warranty that the product will operate as promised in “documentation” for a limited period of time. Typically, the initial draft of the vendor agreement limits your remedies to breaches of these warranties, and some agreements also require that you make a claim of breach in a limited period of time or the claim is waived. These limitations are in addition to the overall limitations on monetary liability that are standard in EHR vendor and other commercial agreements. These very customary restrictions can make your ability to seek recourse difficult if the vendor does not perform as promised. Make sure to take time to negotiate these meaningful terms before the agreement is signed.
  • Term and termination. Last, but certainly not least, consider how long you want to be “wed” to any particular vendor and use the length of the marriage to your advantage. By agreeing to a longer initial term, you may be able to negotiate other terms (such as data migration or fewer limitations on liability) that the vendor would not otherwise provide. However, pay attention to the requirements to terminate for breach and keep in mind how difficult it may be to extricate yourself if you find the EHR system is not optimal for your practice.

These are just a few important considerations to keep in mind when shopping for a new EHR vendor or renegotiating a prior EHR vendor agreement. The American Medical Association also has some practical guidance for selecting the vendor of EHR or PMS software on its website, and KLAS Research rates EHR systems. We at McAfee & Taft are also happy to review the terms of an EHR agreement and walk you through some of the potential landmines. It is critical to have that discussion and contemplate these issues before entering into a binding agreement. In our experience, prevention of a problem is much less expensive than a cure.