Providers: Read the fine print in your EHR contracts

Editor's Note: This post has been updated to include Practice Fusion's official response, sent via email to FierceEMR.

We all have a tendency to skip over the fine print sometimes; the car rental agreement, the parking garage receipt, etc. I've seen firsthand plenty of patients who don't bother to read their HIPAA Notices of Privacy Practices.

So it's particularly interesting to read that physicians are upset that electronic health record vendor Practice Fusion launched a feature in its EHR software to send emails to patients asking them to rate their doctors. According to a recent blog posted by John Lynn, founder of the blog network, more than 9 million emails have been sent to patients and the vendor has received about 1.8 million reviews. 

The problem is that the emails look like they were sent by the physicians themselves, and many of them were unaware that this activity was occurring. Lynn notes that many physicians feel that Practice Fusion violated their trust. 

Practice Fusion responded to Lynn's post, apologizing for the confusion but stating that its practices are not a violation of HIPAA. The company also stated that it provided physicians notice about the emails.

Practice Fusion VP of Marketing Communications Emily Peters also sent an official reponse on behalf of the company in an email to FierceEMR, which said:

"Practice Fusion's goal is to create transparency in healthcare without compromise. It is critical that patients seeing any doctor on our platform understand the quality of their doctor. And, therefore, doctors using our free online scheduling application are required to make their reviews available to the public. Practice Fusion offers the only service on the market that validates a patient review was based on an actual visit.

"Our customers were kept informed about the feedback program for a full year before launch through multiple communication channels.  No PHI is ever shared in these communications."

I don't know whether Practice Fusion will see its business impacted by the negative publicity it's now receiving. According to the comments to Lynn's post, the vendor has also removed negative comments about the emails from its own website forum, and is being accused of populating Lynn's blog with emails against Lynn. There already has been talk that many providers will be switching EHR vendors this year. Without knowing more, I also don't know whether the email activity is truly HIPAA compliant.

And physicians certainly have enough on their plates between treating patients and running their practices, so I can see where they may have glossed over a vendor notice about the implementation of a new EHR feature.

The real issue, though, is whether the physicians ever gave Practice Fusion permission to engage in this kind of activity. According to the comments to Lynn's post, Practice Fusion's user agreement does allow it to send emails to patients, although I have not had a chance to corroborate whether the vendor contract actually permits as much.

This is one of those instances where people really need to read that fine print. You're not only dealing with a vendor relationship; you're dealing with legal terms.

It's one thing if you know that such a provision is in there and you make a decision that you can live with it or take your business elsewhere. As one commenter stated, "For anyone to think that free is free in an EHR has their head stuck in the sand." Another said that the physicians are "getting what they paid for."

But if you don't bother educating yourself about what you're signing, then you're not doing yourself any favors. It's important to trust your EHR vendor, but if you gave it permission to do something in your contract--even if you didn't realize it--you're out of luck.

The Office of the National Coordinator for Health IT does a good job of preparing providers for just such a situation in its new guidebook on evaluating EHR vendor contracts. But it only works if physicians actually read them. - Marla (@MarlaHirsch)