For example, the guide says EHR vendors often try to shift liability to providers for problems caused by their systems through indemnification and “hold harmless” language in their standard contracts, even if the harm was caused by a “bug” in the vendor's software. “You may want to negotiate with the EHR technology developer a mutual approach to indemnification that makes each party responsible for its own acts and omissions,” the guide authors said.
The report authors warn they are not providing legal advice, however, and recommend as a “best practice” consulting an experienced lawyer for legal advice. Still, the report attempts to explain “a few key EHR contract terms” providers need to know going into contract talks with vendors of health information technology systems. It notes that most vendors offer a standard contract. Some will negotiate contract terms, and some won't.
If a provider works with a vendor that will amend its agreements, the provider's ability to negotiate more favorable changes will depend in part on how much the provider knows and understands about alternative contract terms, the guidance said.
Liability for privacy and security breaches is another area of concern. Under modifications to the privacy and security rules of the Health Insurance Portability and Accountability Act that were passed under the American Recovery and Reinvestment Act of 2009, so-called business associates of HIPAA-covered entities share the same legal liability as covered entities for privacy and security violations, including civil and criminal penalties.
While it is thus far an uncommon practice, the new rule “may cause some EHR technology developers to request indemnification for damages under HIPAA or state privacy laws.” Again, the authors said, “you may find mutual indemnification more appropriate.”
Other topics covered in the guidance are warranties and disclaimers, limits of liability, dispute resolution mechanisms, what happens when the contract ends, and disputes over intellectual property rights.
“Unfortunately, it is common for the holder of a patent with infringement claims against an EHR technology developer to approach the (vendor's) customers with a demand to 'cease and desist,' ” the authors said. One remedy for providers is for the developer to agree to defend and indemnify its customers from such third-party claims.
The guide is one of several developed by Westat as part of a $3.7 million contract “to consider and address the undesirable and potentially harmful unintended consequences of activities supported by ONC.”
Follow Joseph Conn on Twitter: @MHJConn