EHR Contracts:
Key Contract Terms for Users to Understand
June 25, 2013
Prepared for:
The Office of the National Coordinator for
Health Information Technology
Washington, DC
Prepared by:
Westat
An Employee-Owned Research Corporation®
1600 Research Boulevard
Rockville, Maryland 20850-3129
(301) 251-1500
Disclaimer
This guide was developed under the contract Unintended Consequences of Health IT and Health
Information Exchange, Task Order HHSP23337003T/HHSP23320095655WC. It should not be viewed as
legal advice and does not attempt to address all of the many legal and other issues that may arise in
contract negotiations. Each healthcare organization presents its own unique circumstances. Purchasers
should consult an experienced attorney for assistance in contract negotiations.
Table of Contents
Introduction
Negotiating EHR Contract Terms
Ways in Which EHR Systems are Provided
1. Indemnification and Hold Harmless
   What does it mean?
   What do you need to know?
2. Confidentiality and “Non-disclosure” Agreements
   What does it mean?
   What do you need to know?
3. Warranties and Disclaimers
   What does it mean?
   What do you need to know?
4. Limitation of Liability
   What does it mean?
   What do you need to know?
5. Dispute Resolution
   What does it mean?
   What do you need to know?
6. Termination and Wind Down
   What does it mean?
   What do you need to know?
7. Intellectual Property Disputes
   What does it mean?
   What do you need to know?
Introduction
Who is this for? Health care providers who plan to acquire electronic health record (EHR) systems
should benefit from learning about the contract terms discussed in this document. When this document
uses the term “you,” it means purchasers and users of EHR systems who are or may become legally bound
by EHR technology developer contracts.
Why should you read this? This document explains a few key EHR contract terms and what you need to
know about them. Understanding these terms may help you select an appropriate EHR system and protect
your practice or organization from business and patient safety risks that may arise when you rely upon
EHRs for critical aspects of your operations. It should help you make sure that your EHR system does
what you expect and that you have ways to manage issues as they arise. If you misunderstand these terms
you may not be able to rely on your contract to help prevent disruptions to your practice.
What else do I need to know? This document addresses a few key terms in EHR contracts. Moving from paper
medical records to an EHR has broad implications for your practice, most of which this paper does not
begin to address. Furthermore, this is not a complete description of standard contract terms or a HIPAA
business associate agreement that will be required in most cases. It is not legal advice.[1] It is always best
practice to consult with an experienced attorney for legal advice that can help you with your specific EHR
contract and your specific situation.
Negotiating EHR Contract Terms
Your ability to negotiate contract terms depends in part on the EHR technology developer (also known as
an EHR vendor) you choose. Most EHR technology developers will offer standardized contracts with
some negotiable terms but some will not negotiate any terms. You can choose whether or not to work
with an EHR technology developer that offers only a non-negotiable contract. If you decide to accept
standard EHR technology developer contract terms without negotiation, it may be especially important to
understand the implications of the standard terms and to make yourself aware of terms that may not be in
the contract that could provide you with added legal protection.
[1] The substantive parts of this document were written by Marilyn Lamar, JD, as a subcontractor to Westat. Ms. Lamar has negotiated on behalf of
providers with EHR technology developers over many years. She is active in the health information technology practice group of the American
Health Lawyers Association. This paper reflects her experience and discussions with other lawyers who have negotiated in similar circumstances but
it does not constitute legal advice.
If you work with an EHR technology developer that will negotiate contract terms, your ability to
negotiate is likely to vary depending on your circumstances, the EHR technology developer’s standard
contract terms, how much you know about alternative contract terms, your skill at negotiating, and state
law, among other things. Again, consulting with an experienced attorney for legal advice is a best
practice.
In addition to legal advice, you may benefit from technical advice regarding the EHR system, including
how it will interface with other systems, who is responsible for data backup, how to meet your contractual
responsibilities, and how to ensure that patient information can be transitioned if technology becomes
outdated.
Ways in Which EHR Systems are Provided
EHR systems may be provided in at least two different ways:
• The EHR software may be licensed to the customer to operate on the customer’s own
  equipment; or
• The EHR system may be provided as a service, with or without a software license to the
  customer. In this approach, the EHR technology developer operates the EHR software on its
  own equipment and makes the information available to the customer over the Internet. This
  may be referred to as cloud computing, ASP (application service provider), or SaaS
  (software as a service). (For more information, see NIST’s Special Publication, Cloud
  Computing Synopsis and Recommendations, May 2012, NIST SP 800-146.)
This discussion of contract terms is relevant to both approaches, but the differences may influence
contractual responsibilities, such as whether you or the EHR technology developer is responsible for data
backup.
1. Indemnification and Hold Harmless
What does it mean?
“Indemnification” is a general term for the promise by one party to a contract (such as you) to reimburse
or “make whole” the other party (such as the EHR technology developer) for certain types of costs or
losses. Indemnification is often used in EHR technology developer contracts to cover claims that a third
party, who has not signed the contract (such as a patient), may bring against the EHR technology
developer or you. The term “hold harmless” is sometimes used with “indemnification” and generally has
the same meaning.
Contracts establish the responsibilities of each party to the other—the EHR technology developer
provides the EHR software and services as warranted, and the customer agrees to pay the license and
service fees. However, third parties may be harmed by what the EHR technology developer or you do or
fail to do. These third parties typically do not have the right to sue for breach of contract under the
contract itself because they have not signed it and are not parties to it. However, they may have the right
to sue the EHR technology developer and/or you for injuries they suffer as the result of negligence, patent
infringement, or other “acts or omissions” associated with the EHR system.
To address this risk, EHR technology developers and their customers may allocate responsibility for
third-party claims by agreeing to “indemnify and hold harmless” the other party for certain types of
claims under limited circumstances. Essentially this means that the indemnifying party agrees to
reimburse or “make whole” the other party with respect to a third-party claim by paying costs, attorneys’
fees, judgments, and amounts agreed to in settlement of the claim. The indemnifying party may also agree
to “defend” the indemnified party; this requires hiring and paying for a lawyer to defend the indemnified
party against the third-party claim.
Typically, if a contract does not include indemnity language or if it has mutual indemnity language, each
party to the contract would be responsible for its own “acts or omissions.” Each party then would be
responsible for the harm it caused or was in the best position to prevent, if it becomes necessary to
allocate liability for harm to a third party.
Standard EHR contracts may provide for indemnification of the following types of claims:
• A claim for personal injury or death of a patient brought against the EHR technology
  developer in connection with your use of the EHR system. Standard EHR technology
  developer contracts often require you to indemnify the EHR technology developer for
  patient claims brought against the EHR technology developer, without regard to whether the
  EHR technology developer in some way caused or failed to address the underlying problem
  that caused the injury.
• A claim for privacy or security violations. This could be a claim by a patient under state law that
  you breached the patient’s privacy rights. It could also be a claim by the Office for Civil Rights
  of the Department of Health and Human Services that you, or the EHR technology developer as
  a business associate, have breached obligations established by the Health Insurance Portability
  and Accountability Act (HIPAA).
• A claim of intellectual property infringement. This would happen if a third-party owner of a
  patent or copyright sues you, claiming that your use of the EHR system infringes the
  owner’s patent or copyright.
What do you need to know?
EHR technology developer contract language often includes indemnification language that shifts liability
to you without regard to the cause of the problem or whose “acts or omissions” may have given rise to the
claim. An example of an indemnity provision that would shift liability to you even if the EHR technology
developer’s software or services were a cause is provided below.
Customer agrees to defend, indemnify and hold harmless EHR technology
developer and its employees, officers, directors, or contractors (collectively,
“EHR technology developer Indemnitees”) from any claim by or on behalf of
any patient of Customer, which is brought against any EHR technology
developer Indemnitee regardless of the cause if such claim arises for any reason
whatsoever out of the operation of the EHR Software licensed to Customer
under this Agreement.
An example of mutual indemnification, in which each party is responsible for its own negligence, is
provided below. This approach should be used with legal advice about your particular situation and
applicable state law:
Each party (the “Indemnifying Party”) agrees to defend, indemnify and hold
harmless the other party and its employees, officers, directors and contractors
(collectively, the “Indemnitees”) from any claim by or on behalf of any patient
of Customer which is brought against an Indemnitee to the extent that the claim
arises out of (1) the Indemnifying Party’s acts or omissions in connection with
the EHR System or related services or (2) the Indemnifying Party’s breach of
its responsibilities under this Agreement.
Indemnification Related to Patient Injuries
You should pay close attention to whether you are required to indemnify the EHR technology developer
for patient claims arising to some degree from harm related to EHR use, even if the harm was caused by
some aspect of the EHR system, such as a known “bug” or problem with software design. Common EHR
developer indemnification language may also shift liability to you related to third party software, such as
clinical decision support, that your EHR technology developer has integrated into the EHR system.
You may want to negotiate with the EHR technology developer a mutual approach to indemnification that
makes each party responsible for its own acts and omissions, so that each party is responsible for harm it
caused or was in the best position to prevent.
Insurance Coverage Issues
If you are considering agreeing to indemnification language that gives you the obligation to indemnify the
EHR technology developer against third party claims, without regard to who was responsible for the acts
or omissions that caused the claim, you need to understand that your insurance may not cover the claim.
You should consult with your insurance broker or carrier regarding the possible impact of indemnification
language on your insurance coverage, especially for patient malpractice claims related to injury
potentially caused in part by the EHR system. The exact wording of the indemnity may be important in
determining whether you have insurance coverage.
Indemnification Related to Privacy and Security as a HIPAA Business Associate or under State Law
Although this request has been uncommon, the expansion of direct liability under HIPAA to “business
associates” may cause some EHR technology developers to request indemnification for damages under
HIPAA or under state privacy protection laws. You may want to question contract language that would
require you to indemnify the EHR technology developer for liability associated with the EHR technology
developer’s failure to comply with a HIPAA business associate agreement (which may be integrated into
the standard EHR contract) or to protect the privacy and security of information in the EHR system.
Instead, you may find mutual indemnification more appropriate, in which case the EHR technology
developer would indemnify you if it or its agents and subcontractors do not comply with HIPAA or state
law and you would be similarly obligated with regard to your actions.
Intellectual Property Indemnification
An EHR technology developer will often agree to indemnify and defend against a third-party claim that
the EHR technology developer’s EHR software or service infringes any third party’s patent, copyright, or
other intellectual property. The specific terms of this indemnification are important, and they are
discussed in detail in the section on Intellectual Property Disputes.
Other Provisions Related to Indemnification
Another important aspect of indemnification provisions is the description of the costs and expenses from
which the indemnified party will be held harmless. Typical language would cover all claims, demands,
liabilities, obligations, settlements, awards, costs, and expenses (including attorneys’ fees and court costs)
incurred by the indemnified party as a result of the third-party claim.
Some EHR contracts seek to limit the costs and expenses to those that are “finally awarded” against the
indemnified party as a result of the third-party claim. This language would exclude coverage of amounts
agreed to in settlement, so you may find it unacceptable because many cases settle rather than going to
trial.
Common indemnity provisions also include the following obligations on the part of the party seeking to
be indemnified:
• Promptly notifying the indemnifying party of any third-party claim;
• Giving the indemnifying party sole control over the defense of the claim; and
• Providing the indemnifying party, at the indemnifying party’s expense, all cooperation
  reasonably necessary to assist in the defense.
It is very important to honor these obligations. If you fail to do so, you may lose your right to be
indemnified.
2. Confidentiality and Non-disclosure Agreements
What does it mean?
Most EHR technology developers regard the intellectual property in their software as their main asset.
They seek to protect this intellectual property with contract provisions, such as confidentiality and non-
disclosure terms, that do not allow the software to be copied or disclosed. Often state law requires non-
disclosure or confidentiality contract provisions in order to protect software as trade secrets. EHR
technology developer contracts also often assert copyright protection for the software.
EHR contracts typically include language that prohibits you from disclosing the EHR technology
developer’s confidential information, subject to standard exceptions. Standard exceptions include:
• Disclosures required by law or regulation, sometimes with an obligation to give the other
  party advance notice and the opportunity to oppose the disclosure or seek confidential
  treatment,
• Disclosure of information that has been independently developed by the disclosing party,
  and
• Disclosure of information that is available to the general public or has been provided
  separately to the disclosing party without violation of an agreement.
While EHR technology developer contracts may broadly protect the EHR technology developer’s
information, they may not address confidential information about your business, except for a HIPAA
business associate agreement that covers protected health information of your patients.
What do you need to know?
EHR technology developer contracts often define confidential information expansively to include almost
everything the EHR technology developer discloses or provides to you. The contracts then often protect
that confidential information with restrictions on disclosure and severe consequences for breach,
including the right to terminate the agreement. The definition of confidential information may be broad
and could restrict your ability to share access to the EHR technology developer’s software in order to
compare different EHR technology developer systems, provide access to researchers, or even address
possible patient safety concerns. You should review the confidentiality and non-disclosure language
carefully to make certain it does not inhibit your ability to conduct activities you value.
Customary Exceptions. You may want to review EHR technology developer contracts to make sure they
contain the customary exceptions identified above.
Restrictions on Ability to Report Problems. Typical contract provisions would not prohibit you from
reporting EHR problems, including disclosures of confidential information, if the disclosure is required
by law, although you should check your EHR technology developer contract on this point. However, you
may also be interested in whether voluntary disclosures of EHR problems would be prohibited without
the EHR technology developer’s consent if they include information defined as confidential, such as
access to documentation or screen shots. In general, reporting that does not involve disclosure of
confidential information itself, such as reporting the fact of possible EHR causes of harm, would not be
prohibited.
Nonetheless, you should review the contract to determine if you might be deterred from voluntary
reporting of EHR-related safety events to a patient safety organization, accrediting organization, or other
private sector safety oversight agency. Because reporting adverse events is vitally important to patient
safety, some EHR technology developers encourage such reporting and enable it using their software.
EHR technology developers appear to be moving increasingly in that direction. However, you may want
to review the language in an EHR technology developer’s contract to see if voluntary adverse event
reporting allows you to fully describe a problem (including screen shots and software documentation,
when relevant) to a patient safety organization, accrediting organization, or other oversight agency.
Disclosures to Consultants, Researchers and Other Third Parties. You may be interested in providing
access to third parties for several reasons, including helping you evaluate and improve the EHR software
or its use in your organization, enabling a consultant or reviewer to compare your EHR to another
product, or supporting research on EHR quality or safety. The Institute of Medicine (IOM) report Health
IT and Patient Safety: Building Safer Systems for Better Care encouraged public reporting on
comparative user experience as one way to promote safer EHRs through increased transparency.
You may want to review the non-disclosure and confidentiality provisions in your EHR contract to
determine if they would inhibit disclosure of confidential information (e.g., screen shots or
documentation) to third parties to whom you would want to give access, such as consultants,
researchers, possible purchasers or other third parties. Some contracts allow disclosure only if the EHR
technology developer consents; therefore you may decide to seek language that allows such access if the
recipient signs a reasonable non-disclosure agreement with the EHR technology developer and that makes
doing so easy.
Your Confidential Information. You may have information other than protected health information
(PHI) that you would like to prohibit the EHR technology developer from disclosing or using for any
purpose other than supporting your EHR. Such information may include proprietary information about
your business such as salaries, quality metrics, managed care contracts and marketing information. If the
EHR technology developer’s contract does not protect your confidential information, you may want to
consider requesting that the confidentiality provisions be made mutual.
Interaction With HIPAA Business Associate Agreement. You must have a business associate
agreement (BAA) with the EHR technology developer to ensure that there is no use or disclosure of
protected health information other than as permitted or required by the BAA or as required by law, and
that the EHR technology developer uses appropriate safeguards and complies with Subpart C of 45 CFR
Part 164 with respect to electronic protected health information. You may want to consider incorporating
the terms of the BAA into the EHR technology developer’s contract and expressly stating that in the event
of any conflict or inconsistency, the BAA takes precedence. For more information about the requirements
for business associate contracts, please visit the OCR website:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
3. Warranties and Disclaimers
What does it mean?
A warranty is a contractual promise, which may be “express” (stated in the agreement) or “implied” by
law. If you want to make sure that an EHR technology developer is obligated to do something or the EHR
will perform in a certain way, you should consider including an express warranty on that subject.
In general, implied warranties may be part of the contract (even if unstated) unless the implied warranties
are expressly disclaimed in the contract. Standard disclaimer of warranty language often refers to some
terms that have their origin in the Uniform Commercial Code (the “UCC”) even though the UCC applies
to the sale of goods and does not always apply to software or services. The UCC implies certain
warranties unless they are expressly disclaimed in a “conspicuous” way, such as a disclaimer in all capital
letters, which is why you will see some portions of the contract written that way. Common treatment of
implied warranties in EHR technology developer contracts is discussed below.
What do you need to know?
EHR technology developer contracts frequently include language disclaiming all implied warranties
(meaning those that are not expressly set forth in the agreement). Therefore, express warranties are very
important in EHR technology developer contracts because protection by implied warranties may not
be allowed under the contract. Combined with the “entire agreement” language (discussed below) found
in most contracts, you may have difficulty enforcing promises or statements that may have been made by
the EHR technology developer in the sales process or in advertisements or product literature, even if you
relied upon those in choosing the EHR technology developer’s product.
Typical EHR technology developer disclaimer language that limits the EHR technology developer’s
responsibility for how or whether the software performs or meets expectations is set forth below:
No Other Warranties. TECHNOLOGY DEVELOPER DISCLAIMS AND
EXCLUDES ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED,
OTHER THAN THOSE EXPRESSLY SET FORTH IN THIS AGREEMENT,
INCLUDING BUT NOT LIMITED TO WARRANTIES OR CONDITIONS
OF TITLE, NON-INFRINGEMENT, SATISFACTORY QUALITY,
MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE,
WITH RESPECT TO THE EHR SOFTWARE, FIXES, RELATED
MATERIALS, AND SERVICES. TECHNOLOGY DEVELOPER WILL NOT
BE LIABLE FOR ANY SERVICES OR PRODUCTS PROVIDED BY THIRD
PARTY VENDORS, DEVELOPERS, OR CONSULTANTS USED BY
CUSTOMER IN CONNECTION WITH THE EHR SOFTWARE.
One implied warranty under the UCC that is frequently disclaimed is the warranty of “merchantability,”
which is defined in the UCC as goods that are of a sufficient quality to “pass without objection in the
trade” and are “fit for the ordinary purposes for which goods of that description are used.” These are not
easy standards to apply to EHRs so it may be more effective to have specific express warranties regarding
the specific features and functions that are important to you.
If you select your EHR using a request for proposals (RFP), then your RFP and the EHR technology
developer’s response, together with other sales materials, could provide a description of functionality that
would be helpful in developing express warranties.
One common express warranty offered by EHR technology developers is that the EHR will function in
accordance with the EHR technology developer’s “then current” documentation. If so, you (or a qualified
consultant working for you) should read the documentation and determine if it is sufficient to serve as the
basis of an express warranty. Sometimes the documentation may be more like a user manual than a
description of the features and functions you expect to be part of the EHR. Further, if you are relying on an
EHR technology developer’s express warranty based on EHR technology developer documentation, you
may want the contract to require that future versions of the documentation will not reduce the features and
functions from those described in the documentation when the contract is signed.
Another UCC warranty often disclaimed in EHR technology developer contracts is the implied warranty
of “fitness for a particular purpose.” This implied warranty would apply under the UCC when the EHR
technology developer has reason to know of any particular purpose for which the goods are required and
that you, as the buyer, are relying on the EHR technology developer’s skill or judgment to select or
furnish suitable goods. If you have relied on the EHR technology developer’s skill or judgment in the
selection process but the implied warranty is disclaimed, you may want to consider developing an express
warranty that the EHR technology developer has provided reasonable advice upon which you have relied.
A “Meaningful Use” Warranty
Health care providers eligible to participate in the Medicare and Medicaid EHR Meaningful Use
Incentive Programs may find that standard EHR technology developer contracts, even for certified
products, do not provide an express warranty that the EHR is certified and will be revised in the future to
satisfy certification requirements needed to achieve meaningful use.
Some EHR technology developers provide this warranty and some do not. For those that do, it is
important to consider the strength of the remedy for breach of the warranty and how long the warranty
extends into the future. (Consider the “limitation on liability” discussion below.)
If the EHR technology developer does not provide a warranty regarding its product’s certification, you
should, at a minimum, check the federal government website to determine if the EHR in question is
currently certified.[2] Some EHR technology developers may be reluctant to promise that their software
will support the achievement of future stages of meaningful use and additional certification requirements
because doing so may require functionality that has not yet been specified. However, not having that
assurance in the form of an enforceable express warranty presents a risk you should evaluate. For
example, if the EHR technology developer chose not to seek certification to support future stages of
meaningful use, you might have to acquire certified modules from other EHR technology developers or
change to a different EHR technology developer entirely.
Given the importance of this issue, the EHR technology developer’s express commitment to remain
certified in a timely manner should be an important consideration in selecting an EHR technology
developer. If you proceed with an EHR technology developer that is unwilling to make this commitment,
you may want to negotiate the ability to terminate the agreement without further payment if future
certification is not met so you are able to transition to another EHR system without having to pay two
EHR technology developers. The termination and wind down language discussed later will also be very
important.
Response Time Warranty
Although EHRs are almost always faster than finding information in paper records, you may want to
consider negotiating a response time warranty that addresses how long the EHR system takes to respond
to a request for data about a patient or to perform other functions.
Numerous factors influence an EHR’s response time, including the number of transactions, the size of the
database, the equipment configuration, whether other software is running, and the time it takes to transfer
information using the internet. Many of these factors are beyond the control of the EHR technology
developer, so response time warranties are seldom included in the EHR technology developer’s standard
EHR contract. Nonetheless, because of the importance of response time to your productivity and
satisfaction with the EHR, you may want an express warranty on response time. A technical expert may
be able to assist you. You may consider negotiating a response time warranty by measuring response time
as an average of all transactions over a specific period of time, such as a month, with credits against
future fees if the agreed upon average is not achieved. However, proving that a response time warranty is
not satisfied may require special testing, such as running the EHR system in isolation to eliminate factors
beyond the control of the EHR technology developer.
[2] http://oncchpl.force.com/ehrcert.
Entire Agreement Language
The importance of including appropriate express warranties is heightened by a provision in most contracts
stating that it is the “entire agreement” between the parties. An example of this language is provided
below:
Entire Agreement. This Agreement is the entire agreement between the parties
with respect to the subject matter hereof and supersedes all prior or
contemporaneous representations, proposals, understandings or agreements,
whether written or oral.
This means that the Agreement itself includes all of the terms and conditions that the parties have agreed
to and, except in unusual circumstances, no other documents, oral statements, or prior correspondence or
negotiations will be binding. For example, if an EHR technology developer has publicly or in sales
presentations stated that future versions of the software will enable users to achieve meaningful use of
certified EHR technology, the “entire agreement” language in the contract could make those statements
unenforceable unless the contract included an express warranty on that point. You should review the
contract to make sure that all documents and statements that describe anything you believe is important to
making the EHR work for you are in fact included in the contract in a way that makes them a binding
obligation of the EHR technology developer.
4. Limitation of Liability
What does it mean?
Limitations of liability are a common business practice to limit the financial risk of the EHR technology
developer for claims that might arise from problems with the EHR system. EHR technology developers
often suggest that, without limitations of liability, prices would increase.
Two common limitations of liability terms, described in more detail below, would limit total EHR
technology developer liability (often called a “cap”) and would exclude consequential and other special
damages. What this means is that the EHR technology developer may only be liable for damages for
breach of the contract or to satisfy an indemnification obligation within the limits established in these
terms. You could be responsible for damages caused by the EHR technology developer to the extent those
limits are exceeded.
What do you need to know?
Evaluating the Risks Related to Limitation of Liability Provisions
In evaluating an EHR purchase, you should know the maximum amount for which the EHR technology
developer could be liable if there are problems with the system which the EHR technology developer
caused or failed to correct. Limitations of liability provisions should also be reviewed for their impact on
the indemnification obligations assumed by the EHR technology developer. To evaluate whether these
terms are reasonable, you may need to evaluate the risk that the EHR technology developer’s non-
performance or other conduct could require you to spend funds to address problems you did not create or
could not control.
In negotiating limitations related to your business risks, you may want to consider a fundamental
principle of contract risk allocation that the more control a party has over the factors giving rise to a
particular risk, the more responsibility that party should have for liability that may result if that
particular risk results in damages to the other party. For example, under this principle, if the EHR
technology developer controls whether the software accurately records and transfers data, then, assuming
you follow the EHR technology developer’s instructions, the EHR technology developer should be
responsible for harm that arises from the EHR’s failure to accurately retain or transfer data. If the problem
is so severe that you need a new EHR, you should consider whether the limitation of liability provision
would be sufficient to cover the costs of termination and wind down and any additional costs you incur to
obtain an EHR with the functionality promised in the original contract.
The following is an example of limitation of liability provisions that should be evaluated because it could
create a business risk for you:
LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES SHALL
TECHNOLOGY DEVELOPER BE LIABLE FOR ANY REASON FOR ANY
AMOUNT IN EXCESS OF THE TOTAL AMOUNT PAID DURING THE
PRECEDING TWELVE (12) MONTHS WITH RESPECT TO THE ITEM OF
SOFTWARE OR THE SERVICE TO WHICH SUCH LIABILITY RELATES
REGARDLESS OF WHETHER SUCH CLAIM ARISES IN CONTRACT,
TORT, OR OTHERWISE.
EXCLUSION OF CONSEQUENTIAL DAMAGES. UNDER NO
CIRCUMSTANCES WILL TECHNOLOGY DEVELOPER BE LIABLE FOR
ANY INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL OR
OTHER INDIRECT DAMAGES ARISING UNDER OR RELATING TO
THIS AGREEMENT OR TO ANY SERVICES, SOFTWARE, OR OTHER
MATERIALS PROVIDED BY TECHNOLOGY DEVELOPER TO
CUSTOMER, INCLUDING, WITHOUT LIMITATION, LOST DATA, LOST
PROFITS, OR THE FAILURE TO ACHIEVE ANTICIPATED SAVINGS,
WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES AND NOTWITHSTANDING THE
FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY
HEREIN.
Limitation of liability provisions like those above typically include two components: (1) limits as to the
total dollar amount of damages for which the EHR technology developer could be liable under the
agreement (a “cap”) and (2) exclusion of certain types of damages (for example, consequential, special,
incidental, or punitive damages) for which the EHR technology developer seeks to disclaim liability
entirely.
In the examples above, the first provision (titled “LIMITATION OF LIABILITY”) is an example of a
limit on the total dollar amount or cap of damages for which the EHR technology developer could be at
risk regardless of the type of damage. Dollar amount limitations are often stated as “total,” “cumulative”
or “aggregate.” This means that all damages to which you may be entitled under the agreement,
throughout its term, are accumulated. Once the limit is reached, you no longer have the right to recover
damages over that limit. This may be inadequate to protect your interests. The dollar amount limitation
should be evaluated in light of the true maximum cost to you that would result from a breach by the EHR
technology developer.
The approach taken in establishing the dollar amount often depends on how the EHR is provided. If the
EHR is provided as a service, the EHR technology developer will often try to limit liability to the fees
received during a specific period of time (the example above used 12 months). If the EHR consists of
licensed software, the amount of the license fee may be used as the cap.
The second example above (titled “EXCLUSION OF CONSEQUENTIAL DAMAGES”) should also be
carefully reviewed. The following is provided as background for that discussion:
• “Direct” damages typically are not excluded from consequential damages and could be
  recovered, subject to any cap in a limitation of liability term. A claim for direct damages
  would involve assessing what additional costs you incurred as a direct result of the EHR
  technology developer’s breach. For example, did you need to obtain additional software or
  equipment?
• “Consequential” damages often include lost profits, damage to reputation (goodwill), or
  other types of harm that flow as a consequence of the breach. As in the example above, they
  are often excluded.
• “Lost data” may not be a type of consequential damage, so EHR technology developers may
  try to specifically exclude this type of damage in an effort to transfer the risk of lost data to
  you. Since the loss of data can have serious adverse consequences for continuing patient care
  and to your overall practice, you should consider whether a contract term that would shift
  full responsibility for lost data to you would be acceptable.
You and your attorney may want to negotiate to have certain types of claims excluded from any
limitations of the EHR technology developer's liability, whether financial or by type of damage.
Examples of claims for damages that could be excluded from limitations of liability language include:
• Claims that the EHR technology developer has agreed to indemnify, such as intellectual
  property indemnification;
• Personal injury and property damage caused by the EHR technology developer or its
  personnel;
• Breach of confidentiality and breaches of an EHR technology developer’s business associate
  obligations under HIPAA;
• Damages arising from the EHR technology developer’s negligence or willful misconduct;
  and
• Damages related to the EHR technology developer's wrongful refusal to perform its
  obligations under the agreement.
The following are examples of why you may conclude that excluding these types of damages would not
provide adequate compensation:
• If negligence of the EHR technology developer’s personnel caused a fire at your office that
  made it unusable for patient care, you might want to seek damages for lost revenue without
  being excluded as a type of consequential damages;
• If the EHR technology developer were responsible for a disclosure of PHI in violation of the
  HIPAA Privacy Rule or Breach Notification Rule or for failure to have appropriate
  safeguards for e-PHI as required by the Security Rule, the damages could include penalties
  payable to the government, the cost of mailing notices to affected patients and claims by
  patients for resulting identity theft or damage to reputation under state law, some of which
  might otherwise be excluded as consequential damages; or
• If the EHR technology developer refused to support the EHR or return patient data under
  circumstances not permitted by the contract, you might want to seek damages in excess of
  the financial limitation on direct damages because of the serious impact on your business
  and continuity of patient care.
Finally, limitations of liability terms in standard EHR technology developer EHR contracts often protect
only the EHR technology developer. You may want to consider mutual limitations of liability or terms
that would limit your legal and financial exposure to the EHR technology developer if you were to breach
the agreement.
5. Dispute Resolution
What does it mean?
Dispute resolution is the method by which disagreements between the parties will be resolved if the
parties cannot come to an agreement between themselves. Contract disputes are resolved either by a trial
in a court (litigation) or through an out-of-court process agreed upon in the contract (arbitration). The
parties have the right to go to court unless they have agreed to arbitration.
Arbitration is an out-of-court process that will be followed only if agreed upon by both parties – either in
the contract or later. Instead of a judge, the decision maker is usually one or three arbitrators appointed by
an arbitration service. There is no jury and the arbitration proceeding is not open to the public. The rules
of the arbitration service are followed rather than court rules. The decision of the arbitrator is usually
enforceable in a court but its scope is limited to the payment of money (not ordering someone to take an
action). Arbitration is sometimes viewed as faster and cheaper because the parties can agree to limit the
number of witnesses and the decision itself cannot be appealed (except under unusual circumstances). The
parties will need to pay the arbitrators and the service.
The parties may also agree to use non-binding mediation or other informal means of dispute resolution,
described below, before either litigation or arbitration.
What do you need to know?
The dispute resolution provisions of an EHR contract are among the most important to ensure continuity
of patient care and business operations. Whether litigation or arbitration is better depends on many
variables and should be discussed with an attorney before the contract is signed.
As a practical matter, informal means of dispute resolution that precede more formal litigation or
arbitration are extremely useful, and can be required in the contract. Mediation allows an experienced
mediator to work with both parties to try to negotiate a settlement in order to avoid litigation or
arbitration. The contract could require mediation before either party starts a lawsuit or an arbitration
proceeding. Typically the parties will pay the mediator and the service that provides the mediator.
The contract may also provide for other informal means of dispute resolution, such as requiring senior
executives of each party to meet to discuss the dispute before litigation, arbitration or even mediation
could begin.
Other Contract Terms that Impact Dispute Resolution
Regardless of whether litigation or arbitration applies, you are likely to need to use the EHR and receive
support until the dispute is resolved. Therefore, you should understand whether the contract:
• Requires the EHR technology developer to continue to perform even if it has not been fully
  paid (such as because of a dispute over quality or the amount due) or if other disputes have
  arisen so there is no interruption in access or service that could reduce care to patients;
• Allows you to withhold payment of disputed amounts until the dispute is resolved (for
  example, disputes about how a rate schedule was applied); and
• Permits you to withhold all or a portion of payments for poor service.
An EHR technology developer form contract will often not give you the rights described above so they
would need to be negotiated.
You may want to consider contract language requiring both parties to continue to perform their obligations
(including payment) until the dispute has been resolved. Requiring continued performance could prevent the
EHR technology developer from suspending performance during a dispute which could cut off your access to
patient records. However, you should be aware that requiring continued performance may obligate you to pay
for software or services which you believe do not satisfy the contract. If both parties decide to require
continuing performance you should preserve your ability to terminate the contract if necessary to comply
with HIPAA and other legal requirements.
The EHR technology developer contract may also include the following terms that protect the EHR
technology developer and pose additional barriers to a fair resolution of a dispute. Carefully consider
terms that:
• Permit the EHR technology developer to terminate support or other services if there is a
  dispute, including non-payment;
• Allow the EHR technology developer to charge late fees or interest on payments not made in
  full and on time regardless of whether the fees are disputed;
• Require the customer’s claim to be made within twelve months or another period of time
  after it arose (often much shorter than the statute of limitations that would otherwise apply);
• Require litigation or arbitration only in the EHR technology developer’s home state
  (jurisdiction and venue); and
• Provide that the laws of the EHR technology developer’s state apply to the contract.
Finally, many contracts address the costs of dispute resolution. Under U.S. law, the losing party in
litigation or arbitration generally is not required to pay the attorneys’ fees and costs of the winning party
unless the contract requires the loser to pay. This means that if there is a claim and the EHR technology
developer eventually loses, you may not recover the fees and costs of litigation or arbitration so you need
to consider whether or not you want language that would require the losing party to pay the fees and
costs. The downside of such language is that if you lose, you pay the EHR technology developer’s fees
and costs.
The costs of litigation or arbitration can be significant and typically are not covered by insurance for
breach of contract cases. You should therefore understand the practical effect of dispute resolution terms
on your ability to enforce your rights under the contract through either litigation or arbitration.
6. Termination and Wind Down
What does it mean?
Termination and wind down provisions in an EHR technology developer contract are critical to ensure
that you will have uninterrupted access to patient records despite termination of the contract, disputes
with the EHR technology developer, changes in technology, or acquisition of the EHR technology
developer.
Many EHR contracts grant a “perpetual” license to use the software, but limit the time during which the
EHR technology developer is obligated to support a particular version of the software. For perpetual
licenses, the time period for EHR technology developer support effectively limits how long most
customers will be able to use the software. For example, if the EHR technology developer is no longer
answering questions, fixing bugs, and providing enhancements for the software to comply with new
regulations, most customers will need to upgrade to a new version of the EHR system or find another
EHR technology developer.
If the EHR system is provided based on a contract for a service, as is the case for many cloud-based
EHRs, the contract will typically be for a specified time period, sometimes with renewal periods. You
may not be able to continue using the current version of the software if the EHR technology developer
updates the service with new or revised software.
What do you need to know?
Despite the potential need to transition between EHR technologies, some standard EHR technology
developer contracts fail to provide for termination and wind down services. Thus, how your contract
addresses the transition from one EHR technology to another should be well understood.
Term of Support or Service; Transition Services
The EHR technology developer contract should specify the number of years for which the EHR
technology developer will support the software or provide the service. You may want the initial support or
service term to be short but have the EHR technology developer commit to a longer term if you decide to
renew. The EHR technology developer may argue that you should be committed to use (and pay for) the
support or service for the same period. Often the counterargument is that the EHR technology developer will
not incur much additional cost if you do not renew support or service, as opposed to the very significant
adverse impact to you if support or service is not available.
As a practical matter, you should keep close track of renewal dates and begin considering your options well
in advance of when notices related to renewal must be provided.
Consequences of Termination
Software licenses typically require that you return all copies of the software and related documentation at
the end of the license term. This provision rarely generates comment, but you may need access in order to
respond to investigations or litigation. Possible exceptions could:
• Allow you to retain an archival copy of the most recently used software, all previous
  versions, and all documentation for use in responding to e-discovery requests for
  documentation in its “native format”; and
• Permit use in litigation/arbitration or government investigations regarding reimbursement,
  malpractice, or other matters in which the use of such items would help establish what
  information was known to you at the time in question and how it appeared. For example, to
  defend a malpractice claim it may be necessary to use an old version of the software to
  determine what information could have been seen by a physician who reviewed a patient’s
  records at a particular point in time.
If the EHR technology developer provides the EHR system as a service, the EHR technology developer
would need to maintain the copies as you typically would not have received the software.
Commitment for Transition Services
To ensure continuous access to patient records, you should consider how information in the EHR will
continue to be available, including transitioning information from one EHR system to another. There are
many reasons you may find yourself transitioning from one EHR technology developer to another, but
you are likely to need assistance from your current EHR technology developer regardless of the
circumstances. It may be impossible to predict exactly what these transition services will involve, but it is
important to at least obtain the EHR technology developer’s general agreement to assist. Contract terms
that support the transition may speed and simplify the transition for what can be a very time-consuming,
expensive, and difficult process. Details you may want to address include the following:
• Grant you the right to use the software during a stated transition period for a stated fee.
• Require the EHR technology developer to continue to provide support at the same level set
  forth in the contract or, at a minimum, at the same level as received by other customers. This
  may be of particular importance if disaster recovery services are needed during a transition
  period.
• Require the current EHR technology developer to provide assistance with transitioning data
  to a new EHR technology developer’s system. In some situations, it may be extremely
  difficult to have an effective transition without cooperation from the “legacy” EHR
  technology developer.
The EHR technology developer that is being replaced may want a minimum amount of notice, limit the
number of hours that it will commit to spend, charge its then-current rates for the additional services, and
require a confidentiality agreement with the new EHR technology developer.
Return of Data
The EHR technology developer is likely to be a “business associate” as defined in HIPAA, and a business
associate agreement (BAA) must be entered with the EHR technology developer. The BAA must
include a commitment of the EHR technology developer to return or destroy all protected health
information within a stated time period. If the return or destruction of the e-PHI held by the EHR
technology developer is not feasible, the obligations imposed by the BAA live on to protect the
information and limit its further uses and disclosures to only those purposes that make the return or
destruction of the PHI infeasible.
You may wish to include a provision regarding the return of your own confidential data, beyond what is
protected health information under HIPAA.
7. Intellectual Property Disputes
What does it mean?
Your contract with an EHR technology developer gives you the right to use the software and possibly
other intellectual property specified in the contract under the conditions specified in the contract. If your
EHR technology developer does not have all of the rights necessary to provide the software or service
without “infringing” or violating the intellectual property rights of others, you could be sued. Under
intellectual property (“IP”) law, a third party that holds a patent or copyright can sue anyone who uses
software or services that “infringe” or violate the third party’s exclusive right to use the patent or
copyright. IP law also protects trade secrets from being taken or used without permission.
This means that you could be sued by a holder of an infringed patent or copyright or a misappropriated
trade secret even though you are only a licensee of the software or copyright.
What do you need to know?
Unfortunately, it is common for the holder of a patent with infringement claims against an EHR
technology developer to approach the EHR technology developer’s customers with a demand to “cease
and desist” using the infringing technology, which could seriously impact patient care and your business.
The patent holder may also claim monetary damages from the customers. As a result of this pressure,
some customers enter into a license and pay the patent holder a royalty in order to settle the claims. This
should not be necessary if the EHR technology developer has agreed to defend and indemnify you for
third party IP claims.
The EHR technology developer is typically in the best position to make sure that its software or service
does not infringe any third party’s IP, so most EHR contracts include the EHR technology developer’s
promise to “defend and indemnify” the customer from patent and copyright infringement. You may also
seek indemnity for claims that a third party’s trade secrets have been misappropriated or used without
permission.
The EHR technology developer, if it gives an intellectual property indemnification, often asks to receive
prompt notice of the claim, to be able to control the defense and settlement of the claim, and to receive
cooperation from you as the indemnified party.
Some EHR technology developers try to limit their possible liability for IP infringement by allowing the
EHR technology developer to replace or modify the software or service or even terminate the license or
service arrangement if an infringement claim cannot be settled on terms acceptable to the EHR
technology developer. You should carefully review these terms with respect to the issues below:
• If the EHR technology developer can replace or modify the software or service, does it
  promise that the new or modified version will still have all of the features and functions of
  the original?
• If the software is replaced or modified, will the EHR technology developer pay for necessary
  retraining of customer personnel and modification of any interfaces that must also be
  changed?
• If the EHR technology developer terminates the license or service, what portion of the
  customer’s fees and other expenses will be refunded?
• How will the transition to new software or services be handled if the EHR technology
  developer no longer has the necessary IP rights?
• Does the language exclude responsibility for IP infringement claims based on a combined
  use of the EHR technology developer’s technology with technology that it did not provide?
  You may want to consider modifying such exclusions if the EHR technology developer’s
  product requires the use of other technology.
You may also be asked to warrant that you have all rights necessary to post information to the EHR
technology developer’s website for a service based EHR and to indemnify the EHR technology developer
if a third party claims that data you post on the EHR technology developer site violates the third party’s
IP rights. This may be reasonable, but you should make certain you understand the implications of this
language before signing the contract. For example, you need to make sure that you own or have the
necessary right to post anything that you or your employees did not create. Even if you have seen other
content on the internet, it is not necessarily available for you to include in your website or a patient portal
that is part of your EHR.