Successful cloud-based EMR should include data rights in vendor's contract

A practical look at information technology issues and usage

By Pamela Lewis Dolan, who covered health information technology issues and social media topics affecting physicians. Connect with the columnist: @Plewisdolan. Posted Jan. 30, 2012.

A contract stating that a practice owns the patient data entered and stored on a Web-based electronic medical record may not guarantee that the practice can control how the data are used or accessed.

Issues relating to the use, accessibility and portability of patient data often are lumped under an umbrella referred to as "data ownership." Although it is important for physicians to have a legal right to the data they collect on patients through normal practice operations, they need to worry about the "what-ifs."

Some of the what-if scenarios with data play out by way of natural disasters. Others could be the result of changes made on either the practice's or the vendor's part. Because data can be viewed, used or accessed by multiple people, issues of who gets to use the data, and for what purposes, come into play.

Lynette Ferrara, partner at CSC's Health Informatics Practice, said practices need a plan that addresses all of these issues. "The vendor they choose should support that plan," she said. "But at the end of the day, they have to be responsible for knowing what questions to ask, particularly in areas" such as data ownership. Experts say physicians should know what provisions to look for in their contracts with vendors.

Concerns about data ownership stem from the fact that cloud-based EMRs are hosted, and therefore store data somewhere off-site from the practice.

Attorney Gerard Nussbaum, director of technology services for the global management consulting firm Kurt Salmon Associates, said data ownership is difficult for many people to understand, because it's different from owning something tangible. You can "own" data, he said, but it can be used by you, others in your practice, the guy down the street and so on.

Therefore, when contracting with a vendor, physicians should understand not only who owns the data, but who can use it; who determines who can use it; how, or even if, you can exclude someone from using it; and how to access it, especially if you part ways with the vendor.

Ferrara said the contractual questions can be taken care of by looking at what provisions vendors offer to address a few key issues.

Data mining. Some vendors have processes to use aggregate data from all of their clients to sell or distribute for several reasons, including public health canvassing and research. Some use the data to run site-specific analytics for each client, some of which are required for meaningful use attestation. Ferrara said many systems are set up for optimal speed and performance for physicians entering data. Adding the capability for physicians to run their own analytics would only slow it down. Therefore, the vendors offer analytics as part of the package.

Ferrara said practices need to know if and how they can extract their data to run analytic reports. Don't just take the vendor's word if they tell you it's possible, she said. Have the vendor demonstrate how it works.

Nussbaum said practices should know how the aggregate data are being used. Once patients know the practice has an EMR, many probably will ask their physicians how their information is being used and by whom. The doctor should have an answer.

Disaster recovery. Though it's understood that in a cloud environment data are housed off-site, practices need to have uninterrupted access. Therefore, vendors must have a plan for when that data center goes down. Most companies have a second site -- in a different geographic area so the same natural disaster would not affect both sites -- that is used in the event of an outage. The transfer of sites should be seamless. Ferrara said the vendors should be able to demonstrate how the practice can get back online if a disaster hits one of the data centers.

Data backup. If disaster strikes the practice, the data may be in the cloud, but retrieving it may be more difficult than finding Internet access. Most data are encrypted while in motion, and the keys to decrypt the data may not be available if those keys were specific to a certain device, said Jonathan L. Schaffer, MD, managing director of eCleveland Clinic, Information Technology Division at Cleveland Clinic. He said a plan must be in place for decrypting data if those keys are lost or unavailable. If the backup plan involves data that can't be decrypted, "it's no good to me," he said.

Exit strategy. Whether it's the vendor going out of business, the practice splitting up, or a new system being installed, the vendor should demonstrate for any potential client how the data can be retrieved or transferred to a new system. The contract should specify how the data will be formatted and the process for getting it to the practice or into a new system.

Nussbaum said physicians buying off-the-shelf EMRs probably will not have a lot of wiggle room when it comes to contract specifics. "That's not to say that the terms are wrong or bad or anything like that," he said. Practices just need to understand what they are getting.

Ferrara said deal-breakers include a vendor that cannot answer how a practice can retrieve its data. She said not only should the vendor be able to tell you, and include it in the contract, but the process should be demonstrated.

Contracts need to plan for future contingencies. Features that are attractive and important to an organization today might not matter much in the future, Dr. Schaffer said.

"Things change," he said. "We change, our practice needs change, our practice patterns change and companies change as well. So the two parties in the relationship sometimes find that what's attractive now may not be attractive in 12 months, 12 years or even 30 or 40 years."

Practices need to anticipate all of the possible scenarios and have protections written into the contract. "The contract is there to protect organizations," Dr. Schaffer said.
