Health Information Technology Advisory
Bulletin
Choosing a Health Information Technology Vendor:
Guidelines for Success
By Rebecca L. Williams, Richard S. Wyde and Brian Bennett
[March 2005]
The successful implementation of health information technology (HIT) can provide extraordinary benefits for health-related organizations, including accessibility to comprehensive patient information, error reduction, greater efficiency and financial savings. HIT is a tool, however, and along with potential benefits come limitations and risks that must be addressed in any project or operation for it to succeed.
The goals of HIT implementation ultimately depend on the successful procurement of the underlying information technology. To realize the potential benefits while minimizing negative risks, buyers must be sure to make the wisest possible decisions when purchasing HIT systems and associated services. Without smart decision-making at the beginning of a new project or operation, a buyer is likely to have a troubled or failing HIT project within a year to 18 months. Accordingly, buyers should consider the following:
HIT Must Satisfy A Buyer’s Business Needs and Price Plan
Most buyers have defined their “business” needs, e.g., identified operations that require automation and then face the daunting task of determining which HIT product or service can best meet these needs. Moreover, the buyer must decide up front if it needs or wants to own software or if a license will suffice. Unless the agreement specifies that the developer has transferred its ownership rights to the buyer, the developer owns the software and the buyer has only the licensed rights described in the agreement. If a buyer does not own the software, it potentially could lose the rights it has under the license and/or be required to pay additional license fees whenever it expands its HIT to new sites. Of course, the buyer also must also determine whether the price for the product or service is appropriate.
Pay Only for Deliverables That Work
There is usually some compromise between the vendor’s need to have some funds for technology as soon as possible – for paying hardware suppliers, for example – and the buyer’s need to pay for actual products and to retain some funds until the service or product has been successfully implemented and tested. Buyers should retain a significant percentage of the total price until the acceptance of deliverables or services. An additional percentage might be withheld until an entire system has performed successfully for 60 or 90 days after its acceptance.
Perform Acceptance Tests and Require a Refund for Failed Systems or Services
A buyer should only choose a vendor that allows the buyer to test new systems or services after they are installed to confirm that they operate according to all necessary specifications. The acceptance tests should have defined periods (in the work plan) for testing, corrections of failures and retesting the system as a whole. The work plan should have a “drop-dead date” by which the system must work in accordance with its specifications. If the technology does not work by the drop-dead date, the buyer should have the option to terminate the contract, in whole or in part, or to require the vendor to continue to fix and retest the technology. If the buyer decides to terminate the contract, then the vendor must remove the technology and refund any money the buyer has spent for the returned technology.
Test Entire Services or Systems, as Well as Isolated Parts
Buyers reduce risks by testing each of the specific functions of the HIT system or service and then testing the entire integrated and networked system, which should operate without failure when interfaced to other systems. If corrections are made to address failures that occur in one part of the system, the whole system should be retested to confirm that it all works correctly.
Acceptance and Warranty Performance Specifications Should Be Objective and Absolute
A preferred vendor will agree with a buyer upon objective performance standards and specifications that must be met before acceptance of the technology, which also will be included in the warranty. Specifications should include standard, published user and technical documentation, all documents and standards relied upon by the buyer in making its purchase decision (e.g., requests for proposals, vendor proposals, brochures, and other standards that the technology must meet) and detailed performance standards such as response times, batch processing time and uptimes.
Beware of Qualifiers in Acceptance or Warranty Standards
Vendors try to have buyers accept systems that work “substantially” or “materially” in accordance with the specifications. Allowing such qualifiers or hedges into an objective standard, however, will severely limit the likelihood that the buyer will receive the system it thinks it has purchased and will lead to arguments about how close the system is to its specifications.
A Warranty Is a Promise the Vendor Must Keep
HIT vendors should warrant that the system or service will: (i) operate in accordance with the mutually established specifications; (ii) comply with all federal, state, county, and local regulations, statutes, guidelines, and codes; and (iii) contain no viruses, bombs, or disabling devices that could be triggered if the buyer fails to perform one of its obligations, such as making a payment when due. The warranty may be limited to a certain period, such as one year from acceptance of the entire system for large purchases. For a breach of warranty, the vendor should repair or replace the service or system, in part or in whole, at no additional cost. If a vendor cannot satisfy its warranty obligations, then the buyer should have the right to terminate the agreement and receive a full refund.
Vendor Should Provide Firm Schedule for Performance of All Obligations
A preferred vendor (and a successful HIT project) will have a detailed work or project plan for the entire system or project, with mutually agreed upon firm dates, for such important events as delivery, installation, data conversion, the beginning and projected ending of acceptance testing, implementation and project completion.
Buyer and Vendor Must Manage the Project Carefully
Unmanaged projects fail. Both the buyer and the vendor must carefully manage their parts of the HIT project. Preferred vendors agree to stay on schedule every day or update the schedule in an acceptable way and subject to the buyer’s agreement, attend meetings, provide weekly and monthly reports, fully staff the project, make decisions in a timely manner, stay within the scope of the project, perform change orders as needed and timely perform their other obligations.
Buyer and Vendor Should Negotiate Terms of Maintenance Services Upon Initial Purchase
The buyer should negotiate maintenance terms at the time of purchase, when it will be more likely to obtain significant support concessions. Since maintenance agreements generally cost 18 to 25 percent of the initial purchase price, maintenance agreements are as important as the purchase agreements.
Vendor Should Agree to Give Buyer Remedies for Foreseeable Problems
Technology projects rarely proceed as planned. This contingency should be built into a procurement contract. Typical remedies in large technology agreements include free hardware for performance standard failures, termination for default or convenience, software source code escrows, liquidated damages to compensate the buyer for failures by the vendor to perform key obligations, temporarily withholding payments from nonperforming vendors until they perform all of their obligations up to the standards (sometimes even withholding payments for acceptable work if the vendor is in default of another obligation), permanently setting off payments that would otherwise be made to a vendor due to the vendor’s breach, and letters of credit.
Vendor Should Indemnify Buyer From Certain Harms
Most standard vendor contracts contain only limited indemnification or do not provide for indemnification by the vendor at all. At a minimum, a buyer should try to receive general indemnifications against harm caused by the vendor’s acts or omissions (or by its negligence or willful misconduct), against the vendor’s disclosure of the buyer’s confidential information, and against the system’s failure to meet all applicable laws and guidelines. In arrangements with vendors, particularly those that are installing sophisticated HIT and using licensed software or creating custom software to operate the equipment, indemnifications against infringement or misappropriation of intellectual property are increasingly critical.
In many cases, HIT will be involved in making crucial medical decisions. Buyers should consider indemnity provisions that protect against malpractice or related claims that result from faults in the HIT. Buyers, however, also should resist reverse indemnification provisions, where a vendor will attempt to be indemnified if it is sued directly by an injured party. If the buyer is unable to resist these types of reverse indemnification provisions, the buyer should verify that its insurance will cover such a contractual obligation.
Vendors Should Agree to Strong Confidentiality and Security Obligations
Data managed by HIT in most cases will include sensitive personal information. The implementation of HIT must comply with general federal and state privacy laws, such as the Health Insurance Portability and Accountability Act (“HIPAA”). Most vendors, in implementing and maintaining HIT, will be business associates of a covered entity buyer. Therefore, the required provisions for a business associate contract must be included. Moreover, confidentiality, privacy and security provisions should include mitigation and indemnity clauses that survive any disclaimers and termination provisions in the contract. The confidentiality provisions also should include an appropriate definition of the information to be protected, the standard of care to be used, a limitation on the purposes for which the confidential information may be used, and a clear statement of who will retain property rights in the information. In addition, a HIT contract should contain specific notification requirements in the event that a party improperly publishes or discloses confidential information and should entitle the injured party to immediate injunctive relief without requiring a cure period.
Damages Disclaimers and Limitations Must Be Mutual for Both Sides and Carefully Crafted to Lift the Limits for Certain Harms
A damages disclaimer is a provision that disclaims responsibility for certain types of damages. Damages limitations impose a total cap on damages recoverable under the contract. If these provisions are included for the vendor, the vendor still should be liable for all damages arising from its indemnification obligations, breaches of its obligations to protect the buyer’s confidential information, and federal penalties and disallowances.
Contact Information
As a leader in providing legal services to the health care and information technology industries, DWT is taking an active part in identifying and addressing potential health information technology legal issues that may affect our clients. For assistance in negotiating procurement agreements or for additional information on HIT, please contact:
This advisory is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP. Our purpose in publishing this advisory is to inform our clients and friends of recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.
Copyright © 2005, Davis Wright Tremaine LLP.
|
