Periodic independent audits should be conducted to ensure that safeguards are in place to prevent these breaches. Vendors that cannot, or are unwilling to, perform such audits should be avoided. Define and document the vendor’s insurance coverage, which protects you and the vendor from the costs of data loss and recovery. The insurance should be extended to patient notification and any associated expenses.
Explore this issue:April 2012
Specific parameters regarding availability or uptime of the system have to be addressed. Your EMR/EHR software is critical to your organization; minimal response times must be negotiated, and consequences for the vendor that falls short of its obligations should be clearly defined. No one ever expects or plans for a “divorce,” but if a break occurs, your termination rights must be clearly defined in your contract. Your data is your most valuable asset, and any dispute with your vendor puts your organization at significant risk. If the provider suspends or refuses to allow access to the data, you may be unable to provide service to your patients. You should reserve the right to access and retrieve data at any time as well as to receive assistance if operations must be moved to another provider. In cases in which the vendor is the sole proprietor of the software, this becomes a more serious problem that must carefully be thought through.
Before your company enters into any agreement, the contract must be reviewed by an experienced attorney or consultant who understands cloud computing. I believe that cloud technology is here to stay because of its convenience and cost savings. The liability issues will not completely resolve but should diminish as the technology matures.
Rodney Lusk, MD, is director of the Boys Town Ear, Nose and Throat Clinic and Cochlear Implant Center at Boys Town National Research Hospital in Omaha, Neb. He has been working with EMRs since 1996. He may be reached at firstname.lastname@example.org.