Ordinarily, the feds don’t go out of their way to take sides.
But in the past few weeks, the government has moved into the providers’ corner when it comes to electronic health record vendors and HIPAA.
First, the Office of the National Coordinator for Health IT released an updated guide for providers to use when negotiating EHR vendor contracts. The document covers a lot of ground, such as system performance, intellectual property rights and dispute resolution.
And the guide specifically notes that EHR vendors are providers’ business associates, subject to HIPAA. To that end, ONC said there must be a business associate agreement in place that adequately protects the provider’s patient data, known as electronic protected health information (PHI). The guide also points out that some vendors will block the provider’s access to its own data in the event of a payment dispute, and that providers must ensure in their contracts that they retain that access.
Then, the Health and Human Services Department's Office for Civil Rights weighed in, not once but twice, corroborating ONC.
Initially, it issued a response to a frequently asked question, stating that a business associate cannot block or terminate a covered entity’s access to its data. It cited the specific example that EHR vendors cannot use a “kill switch” or other mechanism to block a provider’s access to data during a payment dispute.
And last week, OCR issued guidance clarifying that cloud service providers indeed are business associates subject to HIPAA, saying there must be a business associate agreement in place.
I’m not sure why ONC and OCR are delving into this issue now, or why they’re apparently doing it separately. But clearly, there must be a need for them to do so.
So how do EHR vendor business associate agreements stack up? Do they meet the recommendations of ONC and OCR? I took a quick look at three different vendor agreements to find out, all readily available on the internet: Practice Fusion, athenahealth/epocrates and eClinicalWorks.
All three BAAs used the pro forma language required by HIPAA regarding use, disclosure and safeguarding of a provider’s information. That’s a step in the right direction, certainly.
But unsurprisingly, they’re still skewed in favor of the vendor. For instance, all three agreements state that upon termination, the business associate would return or destroy the PHI it has in its possession, per HIPAA rules.
But all of these agreements are silent regarding whether providers would have continued access to the PHI in the event of a payment dispute, which both ONC and OCR expressed concern about. That means that the contracts don’t prohibit the vendor from blocking that access.
Moreover, the contracts also are biased in favor of the vendor in at least two ways that can be very detrimental to the provider.
First, while all three agreements state that the business associate will report a breach or security incident to the provider, as required by HIPAA, the contracts don’t require the vendors to do so very promptly. Epocrates will report it “as soon as practicable,” and eClinicalWorks will report it “within 10 days” of the breach or incident. Practice Fusion doesn’t give itself a deadline.
But the provider has only 60 days from discovery of the breach to determine if the data was compromised and whether it has to report the breach. That’s not a lot of time to begin with. If the vendor gets to take its time before reporting, the provider may not report the breach within the 60-day deadline. Then the provider must deal not only with the breach but also with a HIPAA violation for late reporting. Ouch.
What's more, none of the three contracts require the vendor to protect the provider, via indemnification or otherwise, for costs incurred due to the breach, even if the breach was solely the fault of the business associate vendor. That can end up being a lot of money.
Providers, let the government be your wingman here. Use the ONC and OCR tools to level the contract playing field. A vendor’s acknowledgment that it is a business associate does not mean that its agreement is fair. - Marla (@MarlaHirsch and @FierceHealthIT)