Affidavit: Healthcare and The Law - EHR Contracting – The Office of the National Coordinator for Health Information Technology (ONC) as Contracting Advisor?

Contributor: Lisa Clark, JD'89


Technology is shaping the healthcare industry, but implementation is burdensome, expensive, and uneven. Critical to the transition from a paper-based to a technology-based infrastructure is the successful adoption of electronic health records (“EHRs”) by hospitals, physicians, nursing homes, and other providers. But the relationship between providers and their EHR vendors has not always been easy, and the U.S. Department of Health and Human Services (“HHS”) became sufficiently concerned about EHR vendor-provider contracts to release guidance entitled “EHR Contracts Untangled: Selecting Wisely, Negotiating Terms, and Understanding the Fine Print” (the “EHR Guidance,” September 26, 2016). Although the government generally avoids counseling parties on contracting matters, it weighed in under its mandate to advance the adoption of technology. This is notable given the anticipated loosening of government oversight by the Trump administration, which likely will direct agencies away from offering detailed contracting advice. It is too early to tell whether the EHR Guidance will remain as is or be modified or withdrawn under the new administration.

Pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, HHS is authorized to establish programs to improve healthcare quality, safety, and efficiency through the promotion of health information technology (“HIT”) through the Office of the National Coordinator for Health Information Technology (“ONC”). The ONC is specifically charged with the development of a nationwide HIT infrastructure that permits the exchange of EHRs and other health information between and among healthcare entities at the community, region, state, and ultimately national level.  This system depends on the sturdiness of the foundational provider-based EHR built by an EHR vendor.   

As more and more providers have implemented EHRs, there have been increasing concerns within the government and among stakeholders regarding the complexity and fairness of some provider-EHR contracts. Although there are many hospitals and other providers with experienced IT staff, counsel, and consultants who are able to properly negotiate multi-year, multi-million dollar EHR contracts, there are many less sophisticated providers who may not fully understand what is covered by the EHR vendor contract. Further complicating the environment is that many providers maintain several legacy and clinically-based EHR systems (an EHR each for the emergency room, the physical therapy department, the children’s unit, etc.). And there are many EHR vendors with varying degrees of experience and sophistication.

Given these issues, there are many operational and legal risks associated with EHR vendor contracts, including data breaches, licensing disputes, and patient harm caused by EHR malfunction. For instance, as covered entities under the Health Insurance Portability and Accountability Act (“HIPAA”), healthcare providers may be subject to significant fines and penalties for data breaches, even if the breaches are caused by vendors. A provider may not understand when it has breached a third party’s intellectual property license. Or, an EHR vendor may not create adequate safeguards to protect against malware that could impact clinical decision-making or even shut down an EHR system. Additionally, hospitals and physicians are exposed to the loss of government incentive monies and fees for not implementing EHRs on a timely basis. One hospital sued an EHR vendor for not implementing an EHR system under the timeframes set forth in the contract, thereby causing the hospital financial loss. The vendor argued that it was the lack of compliance by the caregivers and other end-users that caused the delay. These problems are not uncommon.

The ONC’s recommendations in the EHR Guidance derive from the government’s interest in quality of care and patient safety issues.  The ONC urges providers to be particularly mindful of the risk and warranty provisions contained in contracts with EHR vendors.  The new publication directs providers to ensure that all vendor core services and performance obligations are expressly stated in the EHR contract, and cautions against assuming that vendors will comply with all EHR maintenance requirements that are outside of the written contract.  Providers should insist that EHR vendors warrant to such representations as reasonable system response times, provision of ongoing support and maintenance, and service agreements.  Vendors should also warrant to the interoperability of their products with other components of an EHR infrastructure, including with any legacy systems.  If they can’t ensure interoperability, the contract should state how those problems will be addressed.  These are all foreseeable risks and should be covered in the contract.     

In addition to identifying these risks, the EHR Guidance delves into risk allocation, recommending that risks be equally divided between the provider and the EHR vendor.  The government advises that both parties should share risk related to patient safety and confidentiality issues – more traditional areas of government oversight – but also recommends that EHR contracts expressly attribute responsibility to the party with access to back-end controls, network processes, and hardware and software contractors.  Finally, the ONC encourages providers to be aware of any caps on vendor liability. The financial damage can be enormous when a vendor is only liable for a fixed amount of damages, as is the case in many existing contracts.   

Overall, the guidance reinterprets basic principles of successful contracting – the careful description of the services, the identification of potential and foreseeable issues, and the proper allocation of risk – for the EHR environment. Whether one agrees with the ONC’s approach or not, and whether or not the government will continue to promote the guidance in its current form, the guidance provides helpful tools for parties, and particularly providers, engaged in EHR contracting.

Additional resources relating to the implementation of EHR systems are available on the U.S. Department of Health and Human Services website. The entire text of the ONC’s recent guidance can be found as part of the ONC’s Health IT Playbook, at




Disclaimer: This article is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this article are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.