The HIE Guide for CIOs

Chapter 10

Key Elements to Consider in a Contract with an HIO

CIOs are used to dealing with a vast variety of contracts for widely differing products and services. In that regard, reaching a binding agreement with a health information organization will require similar due diligence and legal assistance for review of contract language.

However, contracts with HIOs will require specific features, particularly in light of expected changes and refinements of regulations regarding patients’ personal health information (PHI).

HIOs are considered business associates of the HIPAA-covered providers who contract for their services. Before passage of the HITECH Act in 2009, they were not directly subject to enforcement by the federal government. However, HITECH extends the government's jurisdiction to regulate the privacy and security of PHI to business associates. HIOs continue to be business associates of the covered entity providers who contract with them. A summer 2011 Notice of Proposed Rulemaking to adjust the HIPAA Privacy Rule for accounting of disclosures of PHI proposed an expansion of business associate requirements and penalties for business associate contracts that release PHI.

HIOs offer standardized contracts, typically termed participation agreements. The following information on contractual elements and guidance on what should be included is intended to assist healthcare IT executives in taking necessary contractual precautions to help protect the interests of their organizations. As always, legal counsel should review all documents that bind an organization into a contractual relationship.

  • Grant of right to use services: These provisions give providers the right to access and use a system, based on certain restrictions. Verbiage in this section can discuss changes and terminations, and responsibilities regarding third-party software for licensing and installation.
  • Access to the system: Provisions outline permitted and prohibited uses, and perhaps delineate what other types of organizations may be granted access to the system. Rights of authorized users may be spelled out, and discipline and termination steps may be outlined.
  • Purpose of the system: Very simply, the contract permits sharing of patient health information among all participants in the HIO. However, the contract also should spell out which information should be shared and which is not to be shared over the network, particularly individuals’ information if they have opted to exclude their information from sharing over the network.
  • Business Associate acknowledgement: The contract should spell out that the HIO acknowledges its role as a business associate and that it agrees to the terms and conditions of the HIPAA Business Associate Agreement.
  • Audit provisions: The contract should provide opportunities for HIO participants to audit system performance as it relates to the agreement.
  • Computer systems implications: The contract should spell out responsibilities for installing hardware, software and communication systems infrastructure, and how the HIE participant can contract with the HIO for services.
  • Policies and procedures: The contract should spell out the HIO’s role in developing these rules of operation, the procedures that will be followed if the HIO changes them, and the time requirements for implementing changes.
  • Fees and charges: Of course, the contract will explain the basis for participant fees, when payments are expected, and responsibility for taxes and other charges. Prices likely will vary depending on type of provider and/or size of organization.
  • Confidentiality provisions: The contract outlines the need for parties to protect each other’s confidential information and not to disclose it to third parties.
  • Other typical contract language: Standard contract language that protects both the HIO and the provider signing the contract in areas such as warranty, disclaimers, limitation of liability, dispute resolution, term modification, indemnification and more.
  • Additional detail: A contract should describe the HIO’s system, with vendors and products, and how the components will provide which services to participants.

Other Considerations

Many state HIT leaders have strongly positioned contractual elements that also must be included, such as privacy and security expectations; consent for the exchange of information, including special concerns for HIV, behavioral health and minors; and the content and technology standards around which exchanges must be built to connect to statewide and, eventually, national health information networks.

There are also a host of contractual elements that address uniqueness and liability concerns. For example, patient health data moves from a provider across the exchange and may be found to require modification due to error. The responsibility of individual physician providers to review and consider exchanged data and its implications – even when the data may create some level of ambiguity – is a debated legal consideration. Systems must provide clear audit trail reports to help resolve questions about data integrity. HIOs also must display the source organization of the data if any questions arise among end users of the information. Further, HIOs may disclaim data in the same manner that EHR vendors do, requiring clinical providers to own their decisions despite the data that the solutions present. These and other similar issues will continue to find a place of equilibrium as HIOs mature.

Copyright © 2011 The College of Healthcare Information Management Executives (CHIME) and The eHealth Initiative (eHI)
