Ever since hospitals started implementing electronic health record software, certain concerns have lingered in hospital executives’ minds about accountability, liability, even the threat of medical malpractice. And startling legal events of 2017 did not alleviate those fears.

On the last day of May, eClinicalWorks settled a landmark $155 million False Claims Act suit with the United States Department of Justice that invariably raised questions: Is it the only EHR vendor to, knowingly or not, certify software for meaningful use criteria despite deficiencies that could be a risk to patient safety? Will the DOJ investigate rival EHR makers for similar reasons? Is a class-action lawsuit coming, too?

That last query answered itself when in mid-November eClinicalWorks was hit with a class action case exactly one dollar short of $1 billion. The suit, filed by the estate of patient Stjepan Tot, alleges breach of fiduciary duty and gross negligence because the software failed to accurately display his medical records and, as such, blocked him from determining when his cancer symptoms first appeared.

EHR vendor Epic Systems, too, was greeted with a False Claims suit in early November. That case alleges Epic’s billing software has a glitch that double bills the government for anesthesia services and, as such, caused hundreds of millions in overpayments.  

Then in late November the law firm Anderson, Agostino & Keller filed suit against CIOX Health and 62 Indiana hospitals for falsifying records in an overbilling and kickback scheme to the tune of $300 million.

When taken together, those incidents have left many hospital executives and IT professionals wondering exactly what their responsibility might be in all this. Not to mention what they can do to protect themselves.

Take a deep breath because it’s time to pull out that EHR contract and take a look inside. No time like right now.

EHR contracts: What to look for

Whereas hospitals and other customers can really only do so much in terms peeling back the curtain concealing EHRs code, there are steps anyone can, and indeed should, take when either switching to a new EHR vendor or renegotiating existing contracts.

“What you always should be doing is looking at documentation, relying on common sense and medical judgment, and if they see something that doesn’t look right, question everything,” said Erin Whaley, a partner with Troutman Sanders, a law firm in Richmond, Virginia.

[Also: Solving cloud computing's CapEx vs. OpEx conundrum once and for all]

Whaley added that good contracts will ensure that customers have indemnification, recourse against the vendor in the event that something goes wrong, limitation of liability clauses that prohibit the vendor from capping what it pays and essentially leaving a hospital on the hook. 

As a healthcare attorney, Whaley said contracts run the gamut from large health systems that likely negotiated solid contracts to small and critical access hospitals lacking in-house legal expertise and mid-size hospitals that may not have had the savvy to negotiate as well for themselves.

“Different vendors have different contracting standards, some are able to limit their liability for any type of breach. That’s something providers should be looking at,” Whaley explained. “Negotiating renewals or a new contract presents an opportunity to get more favorable terms.”

What not to miss in EHR contracts

For Corinne Smith, a partner with Strasburger & Price, a Texas law firm, it’s easy for healthcare organizations to miss crucial elements as there’s a lot to consider -- especially in the IT realm where it’s difficult for people to know exactly what to expect from a vendor.

So to start, an organization will need to determine the right contract based on whether the EHR platform is in a cloud or on the provider’s network. Smith explained that if the EHR runs on the organization’s own server, there doesn’t have to be the same level of service agreements, as the provider is responsible for their own service.

But if the platform is cloud-based, Smith said there will need to be a separate contract for that element. 

Hospitals often fail to pay enough attention to the terms involving the system after it’s installed. Providers will need to get into their own system for claims disputes, revenue cycle and even potential litigation.

“There needs to be a plan in place for the date past installation,” said Smith, especially concerning how the data is converted into the old system and if and where it will be stored. “Usually that’s another charge.”

Another crucial element to examine is terms and conditions -- this should be of special concern to providers that don't necessarily make quick payments. Smith explained that providers should look into interest terms and can even demand there be a dispute resolution process included, with both timing and renewal.

“All of these things should be put into the price,” Smith said. Providers should also look for hidden costs, like additional charges for interface, training and the like. “A lot of those are sort of buried.”

The biggest mistake an organization can make is “paying too much money up front before a product is fully tested and put into production, then holding money in reserve for after testing and go-live,” Smith added.

“I’ve seen contracts where they have to pay for the whole platform before testing was complete,” said Smith. “If they pay in full upfront, there’s just not the same level of urgency. You have to hold a substantial amount of money of the contract to make it worthwhile for the vendor.”

[Also: Epic's rival EHR vendors say they too are making the 'CHR' switch]

And the service agreement should not start until after the EHR goes live, after the tests and modules are put into place.

Smith encourages her clients to use a unique method to make sure they’re in control of what goes into the EHR contract and that all of their needs are met.

“The best thing to do -- to be the most proactive and get the most from the contract -- put out an RFP of your terms and conditions,” said Smith. “Before you get a contract from Meditech, Cerner or others, let the vendors know you’re not going to have a contract unless they meet your outlined terms.”

These elements can include ONC requirements and pricing, among others, and will ensure that your contract is built on your terms and needs, Smith explained. “It’s just so difficult because each of these companies have their own contracts, and they don’t like to deviate.”

Don’t forget ONC’s certification site

Providers should refer to the Office of the National Coordinator for Health IT’s website that lists vendor requirements, regulations and certifications. Smith explained it outlines necessary elements for contracting with an EHR vendor, which can prevent missing technological functions.

Despite these recent False Claims suits hospitals still need a product that has been certified to attest to meaningful use and earn reimbursement incentives. 

“For the most part EHR certification criteria today does, in fact, ensure that hospitals are buying attestation-capable EHRs,” said Blain Newton, Executive Vice President of HIMSS Analytics. 

Newton added that since the inception of meaningful use, the Centers for Medicare and Medicaid Services has paid some $37 billion to more than 537,000 providers, based on CMS data posted in September of 2017.
Smith said that organizations should require vendors to include representation warranties in the contract, stating that they meet ONC requirements.

“In the contract, there should be requirements that when new regulations come out, the vendor must make the best effort to comply with those regulations moving forward. It should also include all the things they need to do to meet those standards,” Smith said. “And you can be sure the vendors aren’t too happy with that because it’s more work for them.” 

Plaintiffs prefer deep pockets

Troutman Sanders attorney Whaley said that plaintiffs thus far have been looking for big payouts.

“Right now some of the deepest pockets out there are the EHR vendors,” Whaley added. “So if plaintiffs can find a claim against EHR vendors they see bigger recovery than against hospitals or physicians for malpractice.”

But it cannot be ignored that as the suit involving CIOX Health and 62 Indiana hospitals showed that hospitals, too, can face lawsuits over their use of EHRs and the Epic and eClinicalWorks demonstrate that the EHR certification process for attesting to meaningful use and earning reimbursement incentives, the evidence suggests certification works. 

And that means dusting off that EHR contract should be on the list of hospital executives New Year’s resolutions, 2018 edition. 

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com