It's well established that vendor electronic health record and related contracts heavily favor the vendor to the detriment of the provider. Many of them limit the vendor's liability, require that the EHR software be taken "as-is," prohibit class-action lawsuits or require arbitration.
"They all limit their liabilities ... and [allow] the vendor much legal leeway," Carl Bergman, a consultant who serves as managing partner of EHRselector.com, a free service that enables providers to compare different ambulatory EHR products, tells FierceEMR.
They're also hard to find, making review and comparison virtually impossible.
But some EHR and related contracts contain terms that are a bit unique--and are accessible online (many thanks to Bergman for locating most of them). Here are a few that warrant a second look.
We expect you to be clairvoyant: Cerner's Web portal agreement, section 6, Use of Communication Services, says "You will not … Upload files that contain viruses, worms, corrupted files, or any other similar software, programs or malicious content that may damage the operation of systems hosting Cerner Web Sites or another's computer."
Seems a bit harsh, since most users don't upload malware on purpose.
We're going to take advantage of you: Cerner's Web portal agreement, section 7, Unsolicited Idea Submission Policy, specifically warns users not to submit unsolicited ideas, "including ideas for new advertising campaigns, new promotions, new or improved solutions, products or technologies, solution or product enhancements, processes, marketing plans or new solution or product names. Please do not submit any unsolicited ideas, samples, demos or other works."
But if you ignore the warning and submit something anyway, "Then regardless of what message accompanies the submission, the following terms shall apply to your submissions. You agree that: (1) your submissions and their contents will automatically become both the legal and equitable property of Cerner, without any compensation to you; (2) Cerner may use or redistribute the submissions and their contents for any purpose and in any way without limitation; (3) there is no obligation for Cerner to review the submission; (4) there is no obligation to keep any submissions confidential; and (5) you hereby agree to waive absolutely any and all moral rights arising from your submissions and their contents so far as is lawfully possible and any broadly equivalent rights you may have in respect of your submissions and their contents in any territory of the world." [Emphasis supplied]
We're a little paranoid: Allscripts' application store agreement includes the following language: "You represent and warrant to Allscripts that you are not and do not work for a competitor of Allscripts (other than an ADP Partner)."
Allscripts' paranoia is also global. "You represent that you are not located in, under the control of, or a national or resident of or otherwise accessing this website from Cuba, Iraq, Libya, North Korea, Iran, Syria, or any country to which the U.S. has embargoed goods," the agreement reads.
You're giving up control of your patient records: Practice Fusion's EHR agreement states that if a physician consents to grant patients access to his or her records, the patient can directly edit the records (section 4.4). However, there is no obligation to inform the physician if and when a patient has done so, which can compromise the records without the physician's knowledge.
Upon termination of the agreement, Practice Fusion will return/destroy patient records if "feasible," but it can continue to share them with others, such as pharmacies and patients (section 9.10). That means the physician is no longer in control of his or her data even after the relationship with Practice Fusion is over.
We're creating a HIPAA nightmare: Practice Fusion's agreement also allows the company to aggregate all physicians' data (section 4.1.10). So if there's a breach, the patient data compromised is intermingled with that of others; it may be impossible to determine which covered entity is obligated to investigate, mitigate and report the breach.
This is why many health information exchange (HIE) contracts require the HIE to take over this obligation on behalf of the providers (which CMS recommends in its commentary to the HIPAA omnibus rule). But Practice Fusion's business associate agreement still requires the providers to retain the notification burden. There's also no deadline for the vendor to notify providers after discovering a breach.