This is the tenth article in my series on Cloud Based EHR / Practice Management Systems.   For a more detailed discussion, as well as a five-stop process for selecting an EHR, check out the Guide to Choosing an EHR.

One of the most important things I’ve learned during my evaluation of Cloud-Based EHR / Practice Management Systems is that not all HIPAA Business Associate Agreements (BAA) are equal. This was brought into focus for me when I had an attorney, specializing in HIPAA, review the BAA of one of the vendors. Additionally, she brought to my awareness some concerns in that vendor’s Terms of Service (TOS). This subject has since garnered increased attention from me during my evaluation of all of these services. We’ve even partnered with Person Centered Tech to incorporate their HIPAA-pporpriateness reviews.

I thought I’d take a moment to point out some of the important issues that come up. More importantly, I hope this is an impetus for everyone (and their lawyer) to take a very close look at both the HIPAA BAA and Terms of Service you are agreeing to when utilizing a vendor’s services. The following are just a handful of the things to consider within these two documents. Because of the importance of the data we are dealing with, it’s imperative that attention be paid to the entire scope and terms of your relationship to the vendor.

It’s important to note that I am not a lawyer and this does not constitute legal advice. I strongly encourage practices to consult with their attorney on this topic.

Availability

The first thing to consider is whether the vendor’s BAA and TOS are readily available. Some vendors I’ve spoken with could not, or would not produce their BAA and/or TOS when requested. This throws up a red flag for me. One vendor, in particular, admitted they hadn’t even had a BAA despite handling people’s PHI for over a year. They’ve since developed one, but this speaks to the importance of checking all the details before using a product. In my opinion, a company should be ready to stand behind their product, and their BAA and TOS are two of the most tangible ways they can do so. In some cases, you only see the TOS when you sign up for the account. Searching for it beyond that might lead to a dead end. I encourage practices to be sure these documents are readily available and that there are statements requiring the vendor to contact you should changes occur to either document.

Breach/HITECH

On that note, unless your practice (and its attorney) are comfortable with a basic (includes everything from the future) BAA, it’s important to make sure there are stipulations for how a breach of security is handled. Specifically, as a covered entity, a practice is required to notify all affected parties (i.e. your patients) of a breach within 60 days. In order to ensure compliance, you would need to be informed by your vendor of a breach much sooner than that. I’ve seen BAAs where the vendor noted they must notify of a breach within 60 days, apparently interpreting the requirements of HIPAA as they would apply to themselves. Unfortunately, this would leave an affected practice no window for compliance themselves.

Damages/Liability

It’s also important to note that a practice stands to suffer damages if there is a breach or loss of data. Knowing what a BAA and/or TOS allows (or doesn’t) in the form of damages is important. Some vendors’ documents acknowledge the damage that would result from these situations and stipulate exactly what costs they will cover, effectively offering you a form of guarantee (if it breaks, and it’s our fault, we’ll pay for the damages). Other vendors, through their BAA/TOS, place limitations on the damages they will pay for, even if the damage is due to their negligence. Knowing how you will be affected should such a catastrophe happen is important in evaluating these products.

By no means is this an exhaustive list of items you should consider when evaluating the BAA and TOS of a vendor. I strongly encourage you consult an attorney in determining if the BAA/TOS of a vendor is acceptable.

Next Article:  Miscellaneous
Return to the Table of Contents