Negotiating an ASP/SaaS Agreement for Storage of Electronic Medical Records
Tuesday, April 20, 2010
Hospitals and other health care providers are converting millions of paper records into digital form, and creating others in original digital form. All these records must be stored somewhere, and health care providers need ready access to them. There are at least two storage options. One is for a hospital to install and operate the necessary software and records database on its own servers; the other is to outsource that function to a host, which will install the software and database on its servers and give the hospital access to them, in an Application Service Provider (ASP) arrangement (also known as Software-as-a-Service or SaaS). The difference between these options is that in the first arrangement, the hospital licenses a product (software); in the second, it subscribes to a service (access to the software and database on the vendor’s servers). The pros and cons of each arrangement are outside the scope of this article. But when a hospital elects an ASP/SaaS arrangement for storage of its patients’ medical records, the implications are quite different from those presented by the use of an ASP/SaaS arrangement by a non-health care entity storing other types of records. This article offers a short summary of those implications, and suggests an approach to dealing with each.
Access to Patient Records. The most significant difference lies in the importance to a health care provider of untrammeled access to its patients’ medical records. In most ASP arrangements, there is a provision in the agreement to the effect that in the event of non-payment or other dispute, the vendor can suspend the customer’s access to its records (no payment, no service, the argument goes). One can understand the vendor’s point of view. But where a hospital is concerned, and lives depend on the information in those records, losing access to them, even temporarily during the resolution of a dispute, would be untenable. Suggestion: negotiate a provision to the effect that the vendor will not withhold or restrict access to patient records in its possession for any reason, under any circumstances; and where non-payment is concerned, provide that the vendor will not suspend or terminate access in the event of a good faith dispute between the parties of which the hospital gives the vendor notice in writing.
Acceptable Use Policy. ASP arrangements often incorporate by reference an Acceptable Use Policy, or AUP, which provides that under certain circumstances, the vendor may block a health care provider’s access to its system (and thus, its patients’ records). This policy is designed to protect the vendor in the event that a user engages in any one of a variety of unacceptable behaviors that expose the vendor to risk. Those behaviors might include infringing on the intellectual property rights of third parties, engaging in illegal activities, transmitting information that is obscene or violates the privacy rights of third parties, promoting fraudulent financial schemes, interfering with the vendor’s network, etc. A vendor has good reason to take steps to protect itself, but those steps generally include blocking the hospital’s access to the vendor’s system. Suggestion: negotiate a provision limiting the circumstances under which the vendor can block the health care provider’s access to its system to one or more of the following: (i) blocking access by the particular user believed to have violated the AUP, (ii) blocking access when the parties agree that the conduct of the user constitutes criminal activity and the vendor could be found to be engaged in a crime by virtue of providing the hosted services, or (iii) blocking access immediately and with advance written notice to the health care provider, following issuance of a court order permitting the vendor to do so.
Disaster Recovery Plan. Consistent with the notion that it must preserve continuous access to its records, a hospital or health care provider should be sure that its ASP vendor is contractually obligated to provide a copy of its disaster recovery plan, that the plan complies with appropriate guidelines for information technology disaster recovery plans, and that the vendor provides the hospital or health care provider, annually and at no charge, with a statement from its auditors regarding the vendor’s compliance with its disaster recovery plan.
Sunsetting. In the interest of avoiding disruption in its access to its patients’ records, a hospital or health care provider may want to seek assurances that the ASP vendor will not cease to offer its services in the marketplace (known as “sunsetting”) for some period of time. For example, the hospital may negotiate a provision to the effect that the vendor will provide twelve months’ advance written notice prior to sunsetting any component (or all) of its service, and will not give that notice for three years from the date the arrangement is entered into. The incentive for a vendor to honor a sunsetting provision is a promise to refund to the hospital or health care provider a portion of the fees paid to the vendor in the event it ceases offering its services prematurely, such portion to decline with the passage of time.
Transition Assistance. All relationships come to an end, and a hospital’s access to its patients’ records can become an issue when its relationship with an ASP vendor ends, especially if the end is unexpected or the result of a dispute. Consistent with the notion that it must preserve continuous access to its records, the hospital should negotiate a provision to the effect that upon termination for any reason, the vendor will assist the hospital in the orderly transition to a new vendor. That assistance should take the form of access to the vendor’s system and the vendor’s support of that system for up to six (6) months following termination (or whatever period of time the hospital expects it would need to transition to a new vendor), for which services the hospital can be expected to pay the vendor at its then-current hourly rate.
Indemnification. Finally, there is another distinction between hospitals/health care providers and other companies (banks, for example) entering into ASP arrangements. Many hospitals and health care providers, and not just those associated with universities, are nonprofit organizations. For-profit organizations are owned by shareholders or members who accept some level of risk in exchange for the expectation of a return on their investments. One of those risks is that in the event the organization incurs liability in some form, it may be called upon to indemnify those to whom it is liable, resulting in a reduction in the investors’ return. Nonprofit organizations have no shareholders who expect a return on investment. Indeed, they are prohibited by law from directing earnings to the private benefit of those interested in their activities. The result is that the financial structure of a nonprofit organization is quite different from that of a for-profit organization. Suggestion: in cases in which the hospital or health care provider operates on a nonprofit basis, take the position that it is not in a position to defend, indemnify or hold harmless the ASP vendor from any damages of any kind.
As health care providers accumulate patient records in digital form, the question of where to store them becomes critical, because the party that houses the records controls access to them. When considering storage under an ASP arrangement, health care providers need to be aware of the limitations on access typically found in ASP agreements, and that those limitations can be successfully negotiated.
Anne Davies Newman
