Not nailing a strong contract with an EHRs vendor can bring on as much frustration as the software itself. Contractual bugs may permit a vendor to lock providers out of an EHR during a payment dispute or avoid being held accountable when things go wrong.
To help providers choose the right EHR and negotiate the best terms with vendors, the Office of the National Coordinator for Health IT recently published an online EHR contract guide.
The guide — which has gotten high marks from provider groups and ONC’s Health IT Policy Committee and Health IT Standards Committee — aims to help providers understand what questions to ask when selecting an EHR and how to convey their specific needs and requirements to potential vendors. It also advises about terms providers should avoid.
Among the topics covered are data blocking techniques, data integrity, security risks, connection fees and other issues that can arise after a system goes live.
Before hammering out a contract, providers need to assess their organization’s needs, have a vision for how EHR will support those needs and research the market for products and services that match them. The ONC guide suggests creating a priority checklist of features and functionalities desired in an EHR.
When it comes time to choose an EHR vendor, beware of standard form contracts, ONC says. These tend to limit the customer’s input regarding terms of the contract and give the vendor an upper hand if problems arise. If a standard contract is used, the guide offers recommendations on replacement terms providers can seek to include.
For example, providers should look for language that bars them from discussing EHR problems or safety concerns with others or that require nondisclosure agreements regarding defects that might later crop up in the vendor’s software.
Another red flag is the inclusion of a “kill switch,” language that allows the vendor to halt service and block patient data during a contract or nonpayment dispute.
Before starting contract negotiations, the ONC guide recommends creating a matrix of initial and fallback positions on each of the key issues the provider wants to include. Providers may also increase negotiating leverage by not naming a specific EHR vendor as the “vendor of choice” and conducting parallel negotiations with two or more vendors.
Another issue addressed in the guide is system security. While a contract may require the vendor to develop patches for security risks identified in the EHR software, it may not specify a timeframe for providing the patch. To avoid such problems, ONC suggests providers include language requiring the vendor to complete a security assessment questionnaire, get an independent security audit of the problem, share the results on an annual basis and comply with the provider’s information security program. Providers should also ensure the vendor uses encryption methodology and complies with federal and state security regulations.
The vendor should not only be able to support the EHR from a HIPAA perspective, says Steven Waldren, director of the American Academy of Family Physician’s Alliance for eHealth Innovation. “If your product has a local cache and it stores data on mobile devices, make sure in the contract that it’s encrypted—what they call encryption at rest,” he says. “That’s the thing I’ve seen on the security front that can sometimes slip through.”
Waldren believes the ONC guide hits most of the high points when it comes to contracting an EHR vendor. What the guide could spend more time on is implementation and training, he says. “When we talk to our physicians about selecting a product, probably the most important thing is implementation."
For that reason, Waldren recommends providers pay a lot of attention to the service-level agreements in contracts, which spell out what kind of support vendors will provide and how quickly. “If it’s not in writing, you can’t expect it,” he says.
The support package should also require the vendor to provide ample ongoing training—not just an initial upfront training, but additional training on advance features once physicians have had a chance to use the system.