Legal Issues in the EHR Acquisition RFP Process




Legal Issues in the EHR Acquisition RFP Process
Gerry Hinkley
Co-Chair, Health Care Industry Team
Pillsbury Winthrop Shaw Pittman LLP
National EHR Acquisition, Implementation and Operations Summit
October 3-6, 2010, San Francisco

Legal Issues To Be Covered
- Procurement Policy
- Managing conflicts of interest
- The Standard License, Hosting and Services Agreement
- Warranties and limitation of liability
- Termination
- Data breach liability
- Source code escrow
- Issues for pilots
- Issues for sublicensing
- Using the vendor to comply with Stark EHR donation requirements
- Antitrust issues for GPOs

Procurement Policy Elements
- Acknowledgements
- Procurement requirements imposed by grants, government regulations
- Required third party approvals
- Acquisition strategy and business plan
- Roles and responsibilities
- Competition requirements
- Vendor qualification criteria
- Document retention requirements
- Conflicts of interest

Managing Conflicts of Interest
- Employees, consultants, members of governing bodies, and subcontractors prevented from using their positions for purposes that are, or give the appearance of being, motivated by a desire for private gain for themselves or others, such as family and business
- Appropriate procedures for recusal, to prohibit affected personnel from involvement in any procurement in which they have an actual or potential conflict of interest
- Discipline, up to and including termination, of personnel who violate this prohibition

The Standard License, Hosting and Services Agreement
- In the RFP, include the form of agreement
- Responders must provide substitute provisions
- Establish a scale for grading requested changes to the agreement
- Elements of the agreement to be scored
  - Transfer of risk of loss
  - Ownership of data
  - Business associate compliance
  - Security audits
  - Indemnification
  - Insurance coverages
  - Warranties and limitation of liability
  - Termination and transition
  - Data breach liability
  - Source code escrow

Warranties and Limitation of Liability
- Documentation Warranty
  - EHR software will perform as described in the documentation
  - There can be a difference between what salespeople verbally promise and what is documented in the functional specifications
  - RFP response should be designated as part of documentation
- Performance Warranty
  - Software, as delivered, will perform to the functional specifications
  - Key is to make certain that functionality is adequately covered by the specifications
  - Include obligation of vendor to comply with state and federal laws and regs, e.g., HIPAA, HITECH, etc.
  - Maintain CCHIT and meaningful use certification
- Infringement Warranty
  - Assurance against risk that the vendor's software infringes on another vendor's proprietary software
  - Customer's rights to its data need to be maintained
  - Obligation to procure rights to use the software or comparable software must be absolute
  - Not acceptable for vendor to terminate and refund payments

Warranties and Limitation of Liability - 2
- If software does not function to specifications and the EHR system cannot be repaired by the vendor, the customer may have the right to
  - Obtain a refund from the vendor and get damages
  - Have vendor pay for a replacement system
  - Resort to self-help
  - Require vendor to implement a detailed plan to remedy malfunctions
- The vendor will attempt to limit its liability for breach of warranty to amounts paid under the agreement
- Customer should quantify the total direct and indirect cost of replacing the system
- Specify that amount as liquidated damages for breach

Termination
- Vendor may only terminate for nonpayment
- Customer may terminate for vendor's material breach
- Transition on termination
  - Customer ceases use of software
    - Immediately, if vendor termination
    - Phased, if customer termination
  - Vendor provides electronic copy of patient data in a format transferable to another system
  - Vendor continues to be obligated as a business associate of customer with respect to patient data that is retained by vendor
  - Vendor must sequester patient data that is retained by vendor

Data Breach Liability
- Determine who the covered entity is and who is acting as a business associate of the covered entity
  - The business associate may itself be a covered entity
  - If the hospital is hosting or providing maintenance, it is the physician's business associate in that capacity
- Under HITECH, business associates are now directly liable under HIPAA
- Under proposed rules, business associates' subcontractors who handle PHI are business associates themselves
- Responsibility for managing data breaches -- a covered entity may delegate responsibility for
  - Identifying the existence of a potential breach
  - Making the assessment whether a substantial risk of harm is presented so that a reportable breach has occurred
  - Managing notifications
  - Assisting with mitigation
- Consider partnering with an insurer and/or a data breach management vendor

Issues for Pilots
- Pilots are often used to
  - De-bug installation and implementation
  - Create physician champions for the technology
  - Train hosting and maintenance personnel
- Pilot agreement
  - Vendor's, sponsor's and pilot participants' responsibilities during the pilot
    - Pre-implementation
    - Installation
    - Training
    - Feedback
    - Championing deployment
  - Pilot timeline
  - Hardware and software to be installed and piloted
  - Compensation to pilot participants
  - Transition to production
  - Pass-through provisions from vendor's license

Issues for Sub-licensing
- EHRs are often deployed via a master license to a sponsor
- Master licensee may be taking on unfamiliar hosting and maintenance responsibilities
- Sub-licensee may not have direct access to the master licensor/vendor
- Key sub-license agreement terms
  - Impact of termination of master license
  - Ownership of data
  - Management of warranties
  - Hosting and maintenance obligations
  - Security breaches
  - Pass-through warranties, limitations on liability

Source Code Escrows
- Protects against vendor's failure, discontinuation of supported application, acquisition by a competitor
- By agreement, a copy of the source code is kept by a trusted third party
- Mechanism for storing updates, upgrades and new releases
- Ensures that the customer will have future access to the source code to continue support through self-help
- Caveat: if software is antiquated, finding support may not be possible even if you have access to the source code

How To Address the EHR Donation Exception Sunset
- Recipients of DHS referrals can pay up to 85% of the cost of software and certain related services to referral sources
- Hospital subsidies cannot continue past December 31, 2013
- Options to deal with the sunset if you are designing a program now
  - Transition maintenance and support to physicians
  - Terminate maintenance and support
- If your program does not address the sunset, work with the vendor and physicians now to effectuate a transition or termination
- Consider application of the community-wide health information system exception

Using the Vendor to Comply with Stark EHR Donation Requirements
- Physicians must pay at least 15% of the cost of software
- Hospitals do not want to be creditors of members of their medical staff
- Physicians may not take seriously an obligation to pay the hospital
- Vendors are used to being creditors of their customers
- Create mechanisms to be administered by vendors for
  - Determining physician's share if costs are variable
  - Security deposits (to avoid lapses in service)
  - Billing of physician's share
  - Collection of physician's share
  - Documenting payment

Antitrust Issues for GPOs
- GPO goals
  - Better prices for members
  - Improve quality, reliability, and service for members' purchasing activities
  - Improve products and services
- Steps to avoid antitrust enforcement
  - Market power (35-40% of market is safety zone)
  - Avoid potential for price-fixing collusion among purchasers if goods purchased are substantial part of overhead (> 20% of revenues)
  - Limit member information that is gathered and shared to avoid collusive overflow
  - Emphasize pro-competitive benefits of GPOs in helping members to reduce costs, maintain or expand offerings and charge lower prices
  - Develop antitrust guidelines and training for GPO participants

The purpose of this presentation is to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice; legal counsel may only be given in response to inquiries regarding particular situations.

CONTACT INFORMATION
Gerry Hinkley
Pillsbury Winthrop Shaw Pittman LLP
50 Fremont Street
San Francisco, CA 94105
Direct: (415) 983-1135
gerry.hinkley@pillsburylaw.com