EHR Contracting and Data Security


EHR Contracting and Data Security
Briar Andresen, Steven Helland
January 10, 2018

Overview
- What is required
- HIPAA-related issues
- Selecting a vendor
- Key provisions: main EHR vendor, EHR adjacent
- Data security risks

What is required?
What are the must-haves for EHRs?
- Use certified EHR technology (CEHRT)

What is required? For EHR incentive programs:
- Eligible professionals, eligible hospitals, and CAHs that participate in EHR Incentive Programs must show they haven't restricted compatibility or interoperability of certified EHRs (Prevention of Information Blocking Attestation)
- Don't have to show any documentation in order to attest
- Continue to submit evidence of meaningful use to avoid a payment reduction from Medicare or to get the incentive from Medicaid

Donations of EHR
- Still OK (until Dec. 31, 2021, then?)
- Anti-kickback safe harbor, Stark exception
- Complex regulations; if you will provide or receive EHR function at less than FMV, review the requirements carefully

HIPAA and EHR contracting: patient's rights obligations
- Amendment, access, requested restrictions
- If a person requests an electronic copy of PHI, you must provide access in the form/format requested, if readily producible
- Images and other data must be included in the electronic copy
- Can you capture everything, and is there a process to do so? Phone notes, provider notes, etc.
- Transition of records to a new vendor is a HIPAA issue

HIPAA and EHR contracting: execute a BAA with the vendor
- If they create, maintain (including in the cloud), receive, or transmit PHI
- If they will have access (including for troubleshooting)
- Indemnification in the BAA for breaches (not just notification costs)
- Transition issues

HIPAA and EHR contracting: risk assessment
- Make sure that, regardless of the vendor's BAA status, new technology is part of an updated risk assessment
- Risk assessment is ongoing, not once a year
- If technology changes the EHR environment, it should affect the risk assessment; true for updates/upgrades, too
- Will information be transferred to the vendor? How?
- Will the vendor access the EHR? What access is permitted?

Risk assessment: vendor risk assessment before contracting
- Access
- Use
- Review of policies and procedures?
- Use outside of the US?
- Is the vendor willing to provide information about its processes? Does it make sense?

Selecting your EHR vendor
- Selection committee
- What are your functional requirements?
- What are your technical requirements?
- Pricing
- Cloud or SaaS vs. installed software
- RFPs or proposals?
- Tip: select at least 2 finalists

Elements of an EHR contract
- Quote/Proposal with pricing, modules and schedule
- License or service Terms and Conditions
- Maintenance and Support terms and conditions
- Statement of Work outlining implementation, conversion, customizations, training, etc.
- Service Level Agreement
- Business Associate Agreement

Key provisions in health IT contracts: Pricing & Power of the Purse
- Tie upfront payments to milestones and hold a portion until after Go Live
- Annual/monthly fees start on Go Live, not at contract signing
- Cap the annual increases to maintenance or subscription fees

Key provisions in health IT contracts: Pricing (continued)
- Counting: how are fees calculated? Pay attention to the definition of user, transaction, claims, etc.
- Tip: sneaky terms may be hidden in the Definitions
- Ask about future pricing for additional users, new locations, new modules
- Credit for acquisitions
- Ability to reduce for divestitures

Key provisions in health IT contracts: Implementation and acceptance testing
- A portion of the implementation and license fee should be tied to acceptance
- Does the customer have a meaningful opportunity to confirm the functionality before Go Live?
- "Failure to Launch": if the vendor cannot correct a deficiency, does the customer have the right to terminate for a full refund?
- Contract term: interoperability, required operating environment?

Key provisions in health IT contracts: Key personnel
- Consistency
- Right to remove
- Expenses / travel costs. Warning: can be 15-25% of implementation fees

Key provisions in health IT contracts: Term/Termination/Transition
- For cloud-based software: annual or monthly renewals; termination by the customer for convenience at any time
- For installed software: perpetual software license with annual/monthly maintenance; support and maintenance can be terminated by the customer at any time or annually

Key provisions in health IT contracts: No Plan to Sunset
- Plan to continue to support, 5-7 years
- Right to transition at no fee to the successor product

Key provisions in health IT contracts: Warranties
- Perform per Documentation. Tip: plain English, and real examples.
- Comply with laws and regulations
- Non-infringement
- Services will be provided in a professional and workmanlike manner
- Vendor will diligently work with third-party database vendors

Key provisions in health IT contracts: Limitation of Liability
- Mutual (to fees paid)
- No limit on the vendor's liability for:
  - Vendor's breach of the BAA or other HIPAA violations
  - Security/confidentiality breaches. Tip: stipulate that security breach liability includes the cost of notice and 2 years of credit monitoring.
  - Indemnification obligations
  - Fraud, gross negligence, intentional misconduct

Key provisions in health IT contracts: Indemnification from Vendor
- Intellectual property infringement
- Breach of privacy and security
- Breach of warranties (maybe)
Insurance
- General liability
- Worker's compensation
- Employer's liability
- Professional liability
- Cyber / privacy

Key provisions in health IT contracts: Data privacy and security
- Particularly important in SaaS / Cloud
- Documented security policies, standards and procedures
- Physical security
- Security audits / testing
- Backup obligations
- Disaster recovery

Key provisions in health IT contracts: Support and maintenance
- Updates and other enhancements included in support fees
- Service levels: system up-time and response time; support response and resolution time
- Credits for failure
- Ability to terminate for repeated SLA failures

Key provisions in health IT contracts: Jointly developed databases
- Who owns, who can use?
- Can another vendor access that database? View it?

Data security: who is helping you keep your data secure?
- IT
- Dedicated outside security vendor?
- Vendors generally?
- Employees: the front line
- When contracting, who reviews vendor access to PHI/the EHR?
- Are firewalls in place?
- Are minimum necessary requirements being met?

Current events

Scary health care issues: Phishing

Scary health care issues: Ransomware

Information blocking
- Deploying products with limited interoperability
- High costs for information exchange
- 21st Century Cures Act: mandate for vendors and providers
- HIPAA BAA provisions

Can you protect yourself?
- Educate employees
- Test (fake phishing emails)
- Have a plan if/when disaster strikes: what's the response? Who's in charge?
- Have a potential cyber security partner to review the situation and determine what information was compromised
- Update anti-malware tools that can predict malware
- Patch on time!

Can you protect yourself? (continued)
- No personal webmail on corporate-connected devices?
- Data backups (kept for a long period of time)
- Maybe end up just paying. Look at options that make sense for your organization.
- You can't guarantee complete protection, but you can make sure you are taking reasonable steps

Contact information
Briar Andresen, 612.492.7057, bandresen@fredlaw.com
Steve Helland, 612.492.7113, shelland@fredlaw.com