EMR vendors that are providing cloud-based products and services to long-term care providers are required by law to maintain the confidentiality, integrity and availability of protected health information. Unfortunately, there continue to be situations where EMR vendors are holding data hostage to discourage providers from switching to a different vendor.*
Long-term care providers I work with have told me about instances where vendors have taken steps to disrupt the availability of data by purposefully slowing data transfers to third parties or delivering data in an unusable format unless the provider pays a substantial fee. These actions not only appear to violate HIPAA, but also have the potential to seriously harm providers’ businesses and disrupt patient care.
If you are working for a long-term care provider and want to do more to protect your organization from data disputes with EMR vendors, here are a few steps worth considering.
Before you begin negotiating contracts with an EMR vendor, get appropriate legal counsel, either inside your organization or, if necessary, outside. The lawyer you choose to work with should have two capabilities: familiarity with commercial contracts between software vendors and healthcare providers, and a good command of the law that surrounds HIPAA requirements for data portability.
Even though legal counsel can be costly, it’s risky to go through EMR contract negotiations without it. While many vendor contracts are fair and reasonable, the costs of agreeing to a bad contract can dwarf any legal fees you incur. Among other things, bad clauses related to your access to data upon termination can lead to paying substantial extra fees or incurring the risk of business interruption.
Once you have counsel, work with them to include language in your contract that specifies what will happen to PHI if the agreement is terminated. This termination clause should stipulate that the EMR vendor will either provide the PHI data in a usable format, without charge or at a modest fee that’s specified in the contract, or destroy it.
Since many long-term care providers wish to retrieve PHI after terminating an EMR vendor agreement, it’s critical to discuss with your legal counsel, with input from IT personnel, how you can ensure that data will be in a usable format. For example, mandating that data be provided in a .csv file or other common format can help avoid problems later. If there is a stipulation in the contract that you must pay for the data transfer, make sure that the fee is both modest and specified. Most vendors should be willing to do this for you for free, but a fee of $1000 or less for data transfer is generally considered to be reasonable.
You will end up compromising in some areas of any contract, but your rights to PHI data are one area where you should stand firm. There is no legitimate basis for an EMR vendor to say they won’t make your PHI data available to you in a usable format for a reasonable fee.
If you are currently working with an EMR vendor and are happy with the service being provided, you may still want to review the contract’s provisions regarding data transfer upon termination. Addressing any vague or confusing language is often much easier in the context of a healthy vendor relationship than it is upon termination.
If you are currently trying to end a relationship with your EMR vendor, and the vendor is threatening to charge a large fee in order to return your PHI in a readable format, you have a couple of options.
First, you can complain to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR). Details on the information required for a complaint are available through the HHS.gov site, and you can file your complaint through the OCR portal.
You can also work with legal counsel to send a letter to the vendor. The letter’s specific contents would differ depending on the contract, but it’s worth noting that HIPAA states that business associates (such as EMR vendors) must maintain the availability of all PHI maintained on behalf of a covered entity (such as a long-term care provider). Maintaining availability means ensuring that the PHI is accessible and usable upon demand by the covered entity. Neither providing data in a scrambled format nor charging a substantial additional fee for data access seems consistent with HIPAA’s requirement that data be “accessible and usable upon demand.”
The issue of long-term care providers protecting their PHI data from being held hostage may seem like a strange one for me, a CEO of an EMR vendor, to raise. However, in an age where long-term care providers are increasingly relying on EMR systems to run their businesses, I believe it’s crucial for our industry to be transparent about the availability of PHI. I believe that shining a light on this issue will allow us to build the trust that’s necessary for healthy relationships between EMR vendors and long-term care providers.
Josh Pickus is the CEO of Optima Healthcare Solutions.
*Disclaimer: This guest commentary is based on my opinion, and should not be relied on for legal advice. Please contact legal counsel for legal advice.