Legal Issues in the EHR Acquisition RFP Process

Gerry Hinkley
Co-Chair, Health Care Industry Team
Pillsbury Winthrop Shaw Pittman LLP

National EHR Acquisition, Implementation and Operations Summit
October 3-6, 2010
San Francisco

Legal Issues To Be Covered
- Procurement Policy
- Managing conflicts of interest
- The Standard License, Hosting and Services Agreement
- Warranties and limitation of liability
- Termination
- Data breach liability
- Source code escrow
- Issues for pilots
- Issues for sublicensing
- Using the vendor to comply with Stark EHR donation requirements
- Antitrust issues for GPOs

Procurement Policy Elements
- Acknowledgements
- Procurement requirements imposed by grants, government regulations
- Required third party approvals
- Acquisition strategy and business plan
- Roles and responsibilities
- Competition requirements
- Vendor qualification criteria
- Document retention requirements
- Conflicts of interest

Managing Conflicts of Interest
- Employees, consultants, members of governing bodies, and subcontractors prevented from using their positions for purposes that are, or give the appearance of being, motivated by a desire for private gain for themselves or others, such as family and business
- Appropriate procedures for recusal, to prohibit affected personnel from involvement in any procurement in which they have an actual or potential conflict of interest
- Discipline, up to and including termination, of personnel who violate this prohibition

The Standard License, Hosting and Services Agreement
- In the RFP, include the form of agreement
- Responders must provide substitute provisions
- Establish a scale for grading requested changes to the agreement
- Elements of the agreement to be scored
  - Transfer of risk of loss
  - Ownership of data
  - Business associate compliance
  - Security audits
  - Indemnification
  - Insurance coverages
  - Warranties and limitation of liability
  - Termination and transition
  - Data breach liability
  - Source code escrow

Warranties and Limitation of Liability
- Documentation Warranty
  - EHR software will perform as described in the documentation
  - There can be a difference between what salespeople verbally promise and what is documented in the functional specifications
  - RFP response should be designated as part of documentation
- Performance Warranty
  - Software, as delivered, will perform to the functional specifications
  - Key is to make certain that functionality is adequately covered by the specifications
  - Include obligation of vendor to comply with state and federal laws and regs, e.g., HIPAA, HITECH, etc.
  - Maintain CCHIT and meaningful use certification
- Infringement Warranty
  - Assurance against risk that the vendor's software infringes on another vendor's proprietary software
  - Customer's rights to its data need to be maintained
  - Obligation to procure rights to use the software or comparable software must be absolute
  - Not acceptable for vendor to terminate and refund payments

Warranties and Limitation of Liability - 2
- If software does not function to specifications and the EHR system cannot be repaired by the vendor, the customer may have the right to
  - Obtain a refund from the vendor and get damages
  - Have vendor pay for a replacement system
  - Resort to self-help
  - Require vendor to implement a detailed plan to remedy malfunctions
- The vendor will attempt to limit its liability for breach of warranty to amounts paid under the agreement
  - Customer should quantify the total direct and indirect cost of replacing the system
  - Specify that amount as liquidated damages for breach

Termination
- Vendor may only terminate for nonpayment
- Customer may terminate for vendor's material breach
- Transition on termination
  - Customer ceases use of software
    - Immediately, if vendor termination
    - Phased, if customer termination
  - Vendor provides electronic copy of patient data in a format transferable to another system
  - Vendor continues to be obligated as a business associate of customer with respect to patient data that is retained by vendor
  - Vendor must sequester patient data that is retained by vendor

Data Breach Liability
- Determine who the covered entity is and who is acting as a business associate of the covered entity
  - The business associate may itself be a covered entity
  - If the hospital is hosting or providing maintenance, it is the physician's business associate in that capacity
- Under HITECH, business associates are now directly liable under HIPAA
  - Under proposed rules, business associates' subcontractors who handle PHI are business associates themselves
- Responsibility for managing data breaches -- a covered entity may delegate responsibility for
  - Identifying the existence of a potential breach
  - Making the assessment whether a substantial risk of harm is presented so that a reportable breach has occurred
  - Managing notifications
  - Assisting with mitigation
- Consider partnering with an insurer and/or a data breach management vendor

Issues for Pilots
- Pilots are often used to
  - De-bug installation and implementation
  - Create physician champions for the technology
  - Train hosting and maintenance personnel
- Pilot agreement
  - Vendor's, sponsor's and pilot participants' responsibilities during the pilot
    - Pre-implementation
    - Installation
    - Training
    - Feedback
    - Championing deployment
  - Pilot timeline
  - Hardware and software to be installed and piloted
  - Compensation to pilot participants
  - Transition to production
  - Pass-through provisions from vendor's license

Issues for Sub-licensing
- EHRs are often deployed via a master license to a sponsor
- Master licensee may be taking on unfamiliar hosting and maintenance responsibilities
- Sub-licensee may not have direct access to the master licensor/vendor
- Key sub-license agreement terms
  - Impact of termination of master license
  - Ownership of data
  - Management of warranties
  - Hosting and maintenance obligations
  - Security breaches
  - Pass-through warranties, limitations on liability

Source Code Escrows
- Protects against vendor's failure, discontinuation of supported application, acquisition by a competitor
- By agreement, a copy of the source code is kept by a trusted third party
- Mechanism for storing updates, upgrades and new releases
- Ensures that the customer will have future access to the source code to continue support through self-help
- Caveat: if software is antiquated, finding support may not be possible even if you have access to the source code

How To Address the EHR Donation Exception Sunset
- Recipients of DHS referrals can pay up to 85% of the cost of software and certain related services to referral sources
- Hospital subsidies cannot continue past December 31, 2013
- Options to deal with the sunset if you are designing a program now
  - Transition maintenance and support to physicians
  - Terminate maintenance and support
- If your program does not address the sunset, work with the vendor and physicians now to effectuate a transition or termination
- Consider application of the community-wide health information system exception

Using the Vendor to Comply with Stark EHR Donation Requirements
- Physicians must pay at least 15% of the cost of software
- Hospitals do not want to be creditors of members of their medical staff
- Physicians may not take seriously an obligation to pay the hospital
- Vendors are used to being creditors of their customers
- Create mechanisms to be administered by vendors for
  - Determining physician's share if costs are variable
  - Security deposits (to avoid lapses in service)
  - Billing of physician's share
  - Collection of physician's share
  - Documenting payment

Antitrust Issues for GPOs
- GPO goals
  - Better prices for members
  - Improve quality, reliability, and service for members' purchasing activities
  - Improve products and services
- Steps to avoid antitrust enforcement
  - Market power (35-40% of market is safety zone)
  - Avoid potential for price-fixing collusion among purchasers if goods purchased are substantial part of overhead (> 20% of revenues)
  - Limit member information that is gathered and shared to avoid collusive overflow
  - Emphasize pro-competitive benefits of GPOs in helping members to reduce costs, maintain or expand offerings and charge lower prices
  - Develop antitrust guidelines and training for GPO participants

The purpose of this presentation is to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice; legal counsel may only be given in response to inquiries regarding particular situations.

CONTACT INFORMATION
Gerry Hinkley
Pillsbury Winthrop Shaw Pittman LLP
50 Fremont Street
San Francisco, CA 94105
Direct: (415) 983-1135
gerry.hinkley@pillsburylaw.com