Providers: Assess the risks in EHR vendor contracting
Providers need to look beyond electronic health record vendor contracts themselves and take a risk management approach when evaluating an EHR purchase, since there are so many vendor-related risks that can adversely affect them, according to John Christiansen, a health attorney with Seattle-based Christiansen IT Law. Some of those risks, according to Christiansen, speaking on a recent webinar conducted by the American Bar Association's Health Law Section, include operational risk, risk to reputation and risks to patients.
"You need to know what the risks are and how to mitigate or deal with them. It could be a very negative hit," he said. "You need a meeting of the minds."
Several of the risk management tasks that providers should consider include:
- Determining a realistic budget for the EHR up front
- Conducting due diligence on the vendor, including its insurance coverage, qualifications, experience, financial stability, prior security breaches, and any past or pending lawsuits or regulatory actions against it
- Entering into an adequate business associate agreement as required by the Health Insurance Portability and Accountability Act (HIPAA)
Providers also should include their future EHR needs and capabilities in this analysis, suggested Wendi Wright, vice president and chief privacy counsel for Allscripts, also speaking on the webinar.
For example, she said, providers may want the EHR vendor to connect them to immunization registries and personal health records, since that will be required in the more advanced stages of the Meaningful Use Program. Organizations should also know what an EHR's audit trail capabilities are, Wright said, since the final rule implementing the new accounting for disclosure requirements in the HITECH Act will be issued at some point.