The HHS Office of the National Coordinator for Health Information Technology (ONC) recently published a contracting Guide to assist healthcare providers when entering into electronic health record (EHR) contracts with EHR vendors. Issued in response to provider complaints that EHR contracts often contain hidden fees and restrictions that prevent sharing of patient health records with other providers, the Guide seeks to restore balanced bargaining between providers and their EHR vendors in their contract negotiations.
The 56-page Guide begins by explaining the steps providers should take before selecting an EHR vendor. It highlights the pros and cons of the two principal types of EHR models: the provider-hosted EHR in which EHR software is licensed to a healthcare provider, and the cloud-based EHR. According to ONC, when selecting an EHR vendor, providers should first prepare a list of key issues and technical and operational requirements that will enable them to prioritize and focus on key terms during the due diligence phase and contract negotiations.
ONC strongly encourages providers to consult with both a technical adviser and legal counsel when evaluating an EHR vendor contract to minimize problems during the contract period, anticipate future needs and assess available options. Providers also should conduct parallel negotiations with more than one EHR vendor and consider retaining a different vendor if their preferred vendor refuses to compromise on key issues. The Guide also discusses the importance of selecting ONC-certified EHR technology, a listing of which is available on a searchable website at http://chpl.healthit.gov.
Emphasizing the importance of providers and EHR vendors sharing responsibility for ensuring secure implementation and use of the EHR system in accordance with HIPAA, the Guide encourages providers to consider requiring EHR vendors to:
- Complete a security assessment questionnaire,
- Obtain an independent security audit conducted by a third party and share the results with the provider annually or more frequently in the event of a security breach,
- Comply with the provider’s information security program, and
- Employ encryption methodology and secure data destruction.
The bulk of the Guide highlights the covenants and warranties that an EHR contract should include. The ONC also focuses on the importance of the vendor’s service and performance obligations as specified in the EHR contract. Risk allocation is another key area in the Guide and the ONC encourages providers to allocate each risk to the party with the most control over the factors giving rise to that risk.
Below is a summary of some of the key terms the Guide recommends for inclusion in EHR contracts.