The healthcare industry is looking to information technology (IT) to enhance medical treatment and to reign in medical costs. The attorneys representing healthcare organizations are therefore being called upon to review agreements for the acquisition, access, and use of information technology. A standard technology agreement checklist of items to consider when reviewing and negotiating such agreements (e.g., implementation, acceptance, warranties, remedies, indemnification, bankruptcy issues, source code escrow, etc.), is a good starting point for the review of healthcare IT agreements. However, to properly represent the healthcare client a variety of other issues that are fairly unique to the healthcare industry need to be addressed. The following are ten of those important issues.
1. Medical Malpractice
IT vendors often include in their contracts a provision that states or provides that the IT vendor has no responsibility for the conduct of the medical treatment or patient care. Often there is also a corresponding representation and warranty by the healthcare organization regarding its responsibility for healthcare services. Frequently, the vendor's contract includes a provision pursuant to which the healthcare organization agrees to indemnify the vendor for all liability relating to the provision of medical care or for "medical malpractice claims," or "claims by patients" or some similar phrase. In representing a healthcare organization, it is important to carefully review any such provision and verify that it is not too broad and does not include an obligation of indemnification. Although the IT vendor may not be responsible for providing medical treatment, the failure of the vendor's product to work properly may negatively affect patient care or medical treatment, and therefore a blanket indemnification is usually inappropriate.
Additionally, assessing liability for medical malpractice can be an extremely complex and murky process. Such evaluation often involves numerous parties, claims, and cross claims as well as insurance claims, claims for contribution, and claims for subrogation. Adding to the mix, an indemnification obligation could have serious detrimental ripple effects for the healthcare organization. Additionally, such an indemnification obligation may run contrary to insurance coverage and subrogation rights.
2. Access to Information
Unrestricted access to the healthcare information contained in an IT system could be the difference between life and death or between healing or compounding an injury. Consequently, with some healthcare IT systems (those associated directly with the provision of medical care and treatment) it may be absolutely critical that the healthcare organization have unrestricted access to any and all information contained in that system, whether provided by the organization, its patients, doctors, or third parties. The point becomes especially critical in any healthcare IT contract under which the IT vendor will have access, possession, or control of the healthcare information. In those agreements there should be no provisions that allow the vendor to block or in any manner restrict the healthcare organization's access or use of the information or system and there should be an affirmative obligation to provide this information whenever requested regardless of any dispute or breach by the healthcare organization. Simply put, the IT vendor should not have what is in essence a contractual right to hold healthcare information ransom.
3. Legal Compliance
The healthcare industry is highly regulated. Often, the software or IT system that the healthcare organization is acquiring has been specially created for the healthcare industry. Such applications and systems are often designed and marketed to assist the healthcare organization to comply with its regulatory obligations. In those and similar instances, the contract should address the organization's expectations for the application or system to keep pace with changes in the regulatory landscape.
Counsel should look for appropriate representations and warranties that the application or system complies with all applicable federal and state laws and regulations. The more difficult issue to address, however, is the obligation for the IT vendor to keep the application or system in full compliance with all applicable laws. There are two main concerns involved when dealing with this issue. The first is price. Will the healthcare organization be required to pay extra for such regulatory enhancements? The second is the IT vendor's concern that it will not be able to develop the complying software. These issues are compounded when the parties are entering into a long term agreement. Obviously, the goal of the healthcare organization is to obtain these compliance modifications without additional cost and as soon as reasonably practicable to comply with legal requirements.
4. Broad License/User Grant
Many IT agreements provide that the system or software will be used solely for "internal business purposes" and only by "employees." Those phrases or similar concepts are likely to be inappropriate for a healthcare IT agreement if the application or system will be used by healthcare professionals.
Healthcare organizations work with referring physicians, physicians that have special privileges at the hospital, and others who utilize the organization's facilities, inclusive of information technology resources, but are not employees of the healthcare organization. Therefore, the license grant needs to be broad enough to cover all doctors, nurses, physicians, physician assistants, and other individuals who utilize the system to provide medical services and treatment, but are not employees of the healthcare organization.
The nature of the IT system being acquired will drive the importance of the support and service level obligations and guarantees. The closer the use of the system to actual patient treatment, the higher the importance of support and service guarantees.
There are three main aspects of any service level guarantee that need to be fully understood. First, exactly what is being measured. Second, over what time period is "it" being measured. And finally, what are the remedies or penalties if the guarantee is not met.
If an IT vendor promises 99% availability the users hear 99% and are usually happy with that alone. The 99% promise, however, often becomes illusory when the contractual provision is closely reviewed. How the vendor measures the 99% and over what period of time is critical. Each aspect of the availability equation needs to be understood in the context of the computation. For example, what is excluded from the equation? Does the vendor exclude scheduled maintenance? How is scheduled maintenance defined? When it comes to understanding service level guarantees, the devil is truly in the details of the equation.
The period over which availability is measured is also critical. Assuming the vendor is measuring the correct aspect of service, then the shorter the interval being measured the more protection for the healthcare organization. Recently, vendors have begun to understand that point and are pushing out the periods being measured. Counsel needs to explain the dramatic difference those extended periods can have and determine a period acceptable to the client.
Remedies for the breach of service guarantees are often a tough negotiation. Vendors most often offer some type of credit toward future fees owed. Healthcare organizations are often willing to accept such credits. The agreement needs to address what the remedy should be if the failure to meet the service level guarantee occurs too often (the recurring problem) or if the level of performance is just too far below the guaranteed level. In those instances, a credit against future fees is unacceptable. Consequently, the agreement needs to define the point at which the service is so poor the healthcare organization may terminate the agreement.
6. Termination for Convenience
Healthcare organizations are under financial pressures in many ways and therefore are often subject to strict budgetary restrictions and cost cutting moves. Those aspects of the healthcare industry must be kept in mind when negotiating the price, payment terms, and rights to terminate under executory IT agreements. For example, because of financial constraints and budgeting processes, a healthcare organization, much like a government entity, should seek to obtain a termination for convenience clause in its agreements. In many instances, a right to terminate for convenience conflicts with the vendor's revenue recognition rules. Often those conflicts can be addressed, however, by restructuring payments to the vendor and limiting the amounts the vendor may be obligated to repay if a termination for convenience is exercised.
7. Continued Performance
Healthcare IT agreements often include a force majeure provision that insulates a party from liability when it cannot perform due to causes which are beyond its control and that could not be avoided by the exercise of due care. Such provisions are usually mutual and generally thought to be reasonable. Extensive or unending delays, however, are unworkable; especially when health care is delayed. Consequently, any such provision should be revised to ensure the interests of the healthcare organization are protected and that patient care is not adversely effected.
The need for uninterrupted access is paramount. Counsel must be careful that neither a force majuere clause nor any other provision operates in any manner to prevent or hinder access and use of the technology. For example, dispute resolution clauses should be added to clearly provide that the IT vendor will continue to perform during any dispute and will not use the dispute as a breach or a force majeure event releasing it from performance.
8. Records Disclosure
The U.S. Department of Health and Human Services ("HHS") has promulgated requirements concerning record retention and disclosure. To comply with those requirements, the IT agreement may need to provide that the IT vendor will make such information available when required under those regulations. Such a provision should also address subcontractors with a value or cost of ten thousand dollars or more over a twelve month period. The IT agreement needs to provide that the subcontract will also need to contain a similar information disclosure and retention requirements.
9. HIPAA and Confidentiality
Pursuant to the Health Insurance Portability and Accountability Act of 1996, the Secretary of HHS publicized standards for electronic exchange, privacy, and security of health information. These standards require a covered entity (e.g., namely health plans, healthcare providers, and healthcare clearinghouses) to include certain protections for protected health information in any contract with a business associate (e.g., any organization that performs certain functions or activities on behalf of, or provides certain services to, a covered entity).
Most covered entities and many vendors have developed a form of business associate addendum to address the electronic exchange, privacy, and security rules. Many simply use the sample provided on the HHS web site. The IT agreement also should contain a standard confidentiality provision, and the IT agreement needs to reflect the interaction of the confidentiality provision and the business associate addendum.
10. Compatibility and Standards
The technology side of healthcare has attempted to impose various standards (with a good degree of success when compared to other industries) on all parties within the healthcare IT community. They have developed standards and procedures and counsel needs to be familiar with those standards and procedures from a legal perspective and ensure they are properly addressed in the IT agreement.
The above represent some of the additional major issues found in a healthcare related IT agreement. The factual circumstances of the transaction, the product, and the particular client may greatly affect the handling of these issues.
Michael J. Dunne and Russell F. Smith, III practice in the Corporate and Securities Department at Pitney Hardin LLP, where Mr. Dunne is a Partner and Mr. Smith is an Associate. This article represents only the authors' opinions and does not necessarily reflect the views of Pitney Hardin or any of its clients. Either one of the authors may be reached at (973) 966-6300.