By Alan Friel, BakerHostetler
The emergence of mega-suite vendors, more use of the cloud, increases in data breach frequency and cost, and big data privacy impacts make healthcare IT vendor arrangements more complex, and solid agreements between healthcare organizations (HCOs) and HIT vendors more important than ever.
Addressing key legal and business issues during the RFP and contracting process reduces risks and helps minimize expensive change orders.
Here are nine tips for doing so:
- Develop and follow a roadmap: A strategic HIT roadmap will help in managing electronic health records, revenue cycle management, patient access and care tools, analytics and reporting systems and data processing and storage over time.
- Use the RFP process wisely: While time consuming, the RFP process is an opportunity to pre-establish desired deliverables, including material legal term expectations, as well as to undertake due diligence on the vendor.
- Detail fees, services, deliverables and dependencies: The scope of the services; deliverable specifications; interoperability, scalability and interface requirements; testing, implementation and training terms; and permitted dependencies that limit the vendor's responsibilities all need to be carefully articulated. The definitions of key elements (e.g., authorized users, facilities, supported equipment, etc.) are crucial. The fees for the various services and deliverables should be clearly established.
- Build flexibility into licenses and consider ownership of new IP: The license should be as broad as possible, and should be applicable to affiliates and assignable in a change of control. If custom software is being developed, articulate who owns it and what the non-owner can do with the new intellectual property. Consider takeover rights, with software code and developer manuals held in a commercial software escrow.
- Plan for changes, transitions and termination: Obtain termination rights for material breaches, chronic service failures, undesired vendor changes and changes in your circumstances (e.g., merger) and legal obligations. Try for a termination for convenience right, even if it includes a reasonable kill fee. Provide for an orderly exit process on termination, including transition support and data delivery or destruction, and establish the cost thereof.
- Address data: HIT programs generate and/or process, store and transfer data. Agreements need to establish who owns what data as between the parties and who can use what data for what purposes. This has regulatory data privacy, security and breach response implications, including under HIPAA/HITECH. Specify what data is to be available, and on what basis, which may require consultation with the HCO's clinicians. Information governance obligations should be specified, including data segregation, residency and redundancy.
- Obtain guarantees and warranties and provide for maintenance and service levels: Establish minimum service levels, other than during established regularly scheduled maintenance, and provide for remediation and credits. Following a typically limited warranty period, a maintenance contract may be required. Beware of exclusions to maintenance obligations.
- Negotiate the liability, insurance, remedies and indemnity terms: Contracts need to clarify which party is responsible under what circumstances for what liability and harm. This can get nuanced depending on what each party is contributing and doing. Remedies limited to fees paid to the vendor offer inadequate protection for data protection, compliance with law and intellectual property infringement risks, for failure to fulfill confidentiality obligations, and for patient harm or death arising out of the vendor's failure to meet a defined standard and/or certain defined obligations. Some intellectual property infringement and errors and omissions risk, and increasingly data privacy and security incident risk, may be insured by vendors; agreements can require certain specified types and levels of coverage and require that the HCO be added as an additional insured.
- Establish oversight: Oversight may be established by reporting, audit rights and self-assessment and certification.
Taking these considerations into account will help HCOs codify their expectations and the parties' respective obligations. Thereafter, IT vendor management should be employed to ensure that vendors perform and comply and that changes in the vendor's or the HCO's business or legal obligations are evaluated and mitigated as necessary. A strong and flexible agreement will make doing so easier.
Alan Friel is a privacy attorney with BakerHostetler who focuses his practice on intellectual property transactions, regulatory schemes and privacy and consumer protection law. He is a thought leader regarding convergence legal issues: the property, liability, and regulatory implications at the evolving intersections between media, marketing, technology, distribution, commerce, big data and communication brought about by the ongoing digital revolution.