Recently, as I was reviewing various clauses in an electronic health records (EHR) contract for a practice that had hired me to assist with the negotiations, I noticed a statement in the licensing clause that unfortunately is all too common:
[Vendor] may have nonexclusive rights to aggregated and deidentified patient data and may use or disclose such deidentified data for any purpose.
So, if I had let this go without modification, what would this mean to the practice? That the vendor would have the right to sell the data to a third party to be used for whatever purpose the third party wished.
Now, let's be clear, this is deidentified data, which means records are not attributable to any specific practice or patient. But the point is, this is your data and should any vendor, without your consent, have the right to profit from information obtained through your hard work? Of course not. Does it make sense that you would be paying a vendor for use of an EHR system and that the vendor then makes money from use of the patient database that you have built up? In my estimation, this is a perfect example of "double dipping."
This brings up just one of the items you need to be aware of when dealing with electronic clinical patient data. And being knowledgeable about patient data and potential for issues is never more pronounced than when entering the Web- and cloud-based world.
Patient data conversion
One practice came to me after a frustrating bout with its cloud-based software vendor. The practice decided they had found better software for their needs and wanted to transition its patient data to this new system. However, the present software vendor was not too happy about this decision. They told the practice it wasn't possible to do an electronic conversion and that the best they could do was provide PDF files at what I thought was an unfair cost, given the situation. So the practice was on the hook to hire a temp to enter all the patient data into the new system. Problem was, given that the vendor was cloud-based and had control of all the patient data, it put the practice in what was a "their way or the highway" situation.
Another practice contacted me to help them deal with a similar situation, only this time the vendor said they could provide the patient data in electronic format, but it would charge the practice $10,000 for this conversion. And that's not counting the additional fees that the new vendor would charge for importing the data.
So how do you avoid situations like the above? It all comes down to being proactive before signing the deal and recognizing that you need to address the future potential of transitioning your data. All relationships can go sour at one point, and there needs to be a plan for this possibility. To find out a little more detail about this you can review the following EHR Contracts Checklist.
Holding patient data hostage
One of the worst abuses I have seen from vendors regarding using your patient data as leverage is when they try to include in their contracts a version of the following:
Licensee will receive copy of data within 10 days of receipt of final payment, including all amounts due.
I see this all the time with hosting companies. When I questioned one EHR cloud-based vendor attorney about this, he responded that the only way, upon termination, they could guarantee that they would receive their money was to basically hold the practice's data hostage until the practice was paid in full.
From the vendor standpoint I get it, but it is unethical and can cause great harm to the practice. If the vendor has a problem with a practice's payment, other mechanisms are outlined in the contract to address this. In legal terms, this idea of holding data hostage is more commonly referred to as "electronic self-help."
Finally, regarding patient data, one of the big concerns is security. With the growing popularity of cloud-based dental software, this is an area where a practice should do some due diligence. In the past few years, I have seen many data centers claiming to have expertise in hosting healthcare software. The fact that we are talking about patient data adds a level of complexity to the situation. It's important to verify that the vendor that is hosting your dental electronic health record software has experience with healthcare software and has staff that is focused on its security. In addition, it's essential that on the most basic level you at least get guarantees that the data center's hardware and software are compliant with HIPAA requirements.
One of the things that keeps practices from fully committing to integrating dental EHRs is the worry about patient data, and there are some areas in which it is critical to cross your T's and dot your I's, especially when it comes to contracts. However, for every possible issue there is a solution, and as long as you are proactive you should be just fine.
Mike Uretz is a 30-year software veteran and nationally recognized healthcare software and electronic health records expert. Mike has consulted with hundreds of practices and multiclinic groups to help them properly evaluate and select their software solutions, structure and negotiate contracts, and provide management and oversight for their implementations. He was a member of the Certification Commission for Health Information Technology EHR Certification Workgroup and co-chairman of the Best Practices Advisory Committee for Contracts. He was instrumental in developing standards for structuring software contracts and pricing used nationwide. He is the founder and executive director of DentalSoftwareAdvisor.com and the founder of the LinkedIn group Dental Software, Electronic Health Records and Electronic Health Records. He can be contacted at MikeU@DentalSoftwareAdvisor.com.