Providers: Treat your EHRs like cupcakes

If you've ever baked a cupcake you know that, after painstakingly icing and decorating them, the last thing you want is for them to get crushed before you have a chance to eat them.

Which is why I found myself in the supermarket at 9:30 p.m. one recent weeknight helping my 17-year-old buy an aluminum container with a fitted cover so she could safely deliver cupcakes to her boyfriend.

So it is with electronic health record systems. You should take whatever precautions you can up front to protect them (and you) from problems later. That's why providers must carefully review vendor EHR contracts and negotiate changes before they're signed and the icing is on the cake, so to speak.

We've already seen that these contracts are becoming less provider-friendly and that they often don't specify or provide disaster recovery and other data rights.

Another way EHRs can fail providers is noncompliance with the Health Insurance Portability and Accountability Act (HIPAA), which can leave providers in violation of HIPAA from the moment they buy the EHR system, Randi Kopf, a nurse attorney in Rockville, Md., who specializes in health IT, told FierceEMR in an interview.

According to Kopf, some of the HIPAA problems you can run into include:

  • The vendor falsely advertises that it and its EHR are HIPAA-compliant when they're not.
  • The vendor won't commit in its contract that the product complies with HIPAA's security and privacy standards.
  • The vendor contract specifically requires the provider to agree that the vendor can sell patient data to third parties without patient authorization, a HIPAA no-no.
  • The vendor can't or won't let the provider segregate its patient data from the "cloud," making it impossible for the provider to respond to patients' requests for an accounting of disclosures, a HIPAA requirement (and one noted by AmMedNews in its article).
  • The vendor tells the provider that all it needs to do to meet meaningful use core measure 15 (the one requiring a risk analysis of your technology) is install the EHR software. In reality, to satisfy that measure, as well as to comply with HIPAA's security rule, the provider must conduct an actual risk analysis. The EHR doesn't do that for you.
  • The vendor is a business associate of the provider, but the vendor contract doesn't include the provisions required of a business associate--such as notifying the practice if the business associate suffers a breach of the practice's patient information.
  • The vendor contract doesn't require the vendor to take responsibility for its own negligence, such as failure to enable the system's firewalls when installing the system, leaving the system vulnerable to security breaches.

The good news: Many vendors will modify their contracts--if a provider asks them to. Some vendors just aren't familiar with the terrain and aren't aware of the legal requirements or haven't been asked to make these changes before, notes Kopf. If the vendor refuses to change its own form contract, have the vendor sign an addendum, she suggests.

Protect yourself and your precious cargo before you're stuck. Create as safe a "container" as you can before you have to deliver those cupcakes or use that EHR system. If you use a flimsy paper plate-style contract, you're just taking unnecessary risks. - Marla