vendor satisfy future regulatory requirements, although it may be necessary to agree to share the cost of changes.
e-Discovery and Litigation Holds. Complying with e-discovery requests and administering litigation holds may be challenging in the cloud-computing environment because data are held by a third party and moved often to minimize costs. Organizations should discuss these requirements with the vendor and ensure the vendor’s commitment (and associated fees) are reflected in the contract.
Availability, Support, and Response Times. The contract should specify the availability of the EHR system and support depending on the organization’s needs. Response times and a commitment to work outside of normal support hours to resolve critical problems should also be included.
Organizations may also negotiate the minimum average response times for functions, such as accessing a patient record. The vendor may insist on limiting its financial obligations for the service-level agreements regarding system availability and response times.
In addition to reaching an appropriate limit on these performance credits, organizations must evaluate whether they can terminate the agreement if the service-level agreements are not met on a continuing basis or whether the limited credits against future fees are the “sole remedy” so that the organization cannot terminate and/or seek other damages.
Limitations and Exclusions of Liability. Vendor contracts will limit the vendor’s exposure for damages, but the organization must determine whether the limits proposed are reasonable in amount and scope given the risks. For example, an exclusion of damages for “lost data” may not be acceptable if patient records are stored in the vendor’s cloud. Limiting the vendor’s exposure to the amounts paid by a customer in a 12-month period may not provide sufficient protection if the breach occurs in the initial months.
Data Ownership and Access Rights. The contract should state that the vendor does not have any rights of ownership to patient records or other organization data. Any right of the vendor to de-identify such information or use it for benchmarking should be carefully reviewed. Organizations should have the right to obtain a copy of all patient records and other data at any time regardless of whether there has been a breach.
Transition Services. Organizations should negotiate to obligate the vendor to provide transition services to help migrate all data to another EHR in a generally accepted data format. Organizations may have to pay for these services, but they are often critical when a contract is terminated.
Indemnification. Vendor contracts may require the organization to indemnify the vendor from claims of third parties (such as patients) that arise from use of the EHR even if the damage was caused by errors in the vendor’s EHR. Organizations may find this an unacceptable allocation of risk and negotiate for each party to be responsible for its own actions (e.g., programming errors of vendor versus organization error in using the system). If the vendor is unwilling to change this language, the organization should be aware that its insurance may not cover payments made to the vendor under such a contract provision.
Marilyn Lamar (mlamar@lamarhealthlaw.com) is a partner at Liss & Lamar PC.