A group of health clinics representing dozens of health care providers recently decided to migrate to an electronic health record (EHR) solution. The clinics selected a system that others in the area had recently adopted and negotiated a software license and hosting agreement with the vendor. When the negotiations were completed, they asked us to take a look at the contract. The result was a little startling.
The benefits of EHR technology are manifest: less chart pulling, improved billing, reduced costs, remote access to records for point-of-care decision support, improved communication between health care providers (such as the primary care physician and the pharmacist), easier compliance with regulations, improved disaster recovery capabilities (it's easier to back up a database than copy voluminous paper charts), etc. It also doesn't hurt that the US government has committed - in the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009 - to spend more than $19 billion through 2014 to encourage adoption of EHR solutions. Needless to say, the rush is on to secure this technology.
It is a common scenario for health IT professionals to involve their legal counsel at the eleventh hour or not at all in EHR procurement, in most cases because they become so focused on the technical and operational aspects of the procurement that they do not appreciate the risks inherent in contract provisions that look like typical "boilerplate." The rush to finalize an EHR procurement effort can overshadow the need to assess the potential future hidden costs of onerous contract provisions that, for example, limit the vendor's liability and impose undue obligations on the customer. The EHR vendors have the benefit of years of experience in negotiating procurements, which gives them real bargaining leverage in contract negotiations. Many IT professionals have learned to their chagrin that addressing these provisions at the end of negotiations leaves them with little leverage and a "take it or leave it" response from the vendor, because the vendor recognizes that it's too late for the customer to start over with another vendor.
In the case of the group of health care clinics, the negotiation team called and asked us to identify any "deal breakers" in the contract documents. After reviewing the documents, we pointed out several legal landmines and areas of risk:
- No Business Associate Addendum (BAA). Health care providers are required to have a business associate addendum in place with EHR vendors (which are typically deemed to be "business associates" under HIPAA). The vendor for this deal did not provide a BAA, and the physicians were not aware of the need for one.
- No IP indemnity. The vendor offered to "defend" the health clinics against IP infringement claims, but not to "indemnify" them against any damages - leaving the clinics potentially exposed to damages for infringement.
- Unlimited liability. The contract limited the vendor's liability for damages, but left the health clinics exposed to unlimited liability.
- No internal control audits. The health clinics did not have a contractual right to receive internal control audit reports (e.g., SAS 70 or SSAE 16) each year for the hosting facility. Instead, the vendor offered to informally provide the reports outside the contract - leaving the clinics subject to the vendor's goodwill for these reports.
- Overbroad vendor termination rights. The vendor could terminate the contract if the clinics committed any breach (even if not material) or if they breached any other contract with the vendor (a "cross default" provision) - giving the vendor undue leverage to shut off a service that will be mission-critical for the clinics.
We also identified numerous business terms that were not consistent with the current market for this type of contract. These included missing indemnities, vague service levels with numerous carve-outs, and the vendor's right to cancel software maintenance after the first year.
The client took our feedback, approached the vendor to resolve the major areas of concern, and signed off on an updated contract. To a certain extent, the clinics seem to be trusting the vendor to "do the right thing" to keep the customer happy - but what happens if the vendor is acquired by another entity? (There has been a lot of consolidation among EHR vendors in the past few years, and this trend will likely continue.) Hopefully the terms of this EHR contract won't end up giving the health clinics indigestion.