Choosing a Health Information Technology Vendor: Guidelines for Success
By Rebecca L. Williams, Richard S. Wyde and Brian Bennett
[March 2005]
The successful implementation of health information
technology (HIT) can provide extraordinary benefits for health-related
organizations, including accessibility to comprehensive patient
information, error reduction, greater efficiency and financial
savings. HIT is a tool, however, and along with potential benefits
come limitations and risks that must be addressed in any project
or operation for it to succeed.
The goals of HIT implementation ultimately depend
on the successful procurement of the underlying information
technology. To realize the potential benefits while minimizing
negative risks, buyers must be sure to make the wisest possible
decisions when purchasing HIT systems and associated services.
Without smart decision-making at the beginning of a new project
or operation, a buyer is likely to have a troubled or failing
HIT project within a year to 18 months. Accordingly, buyers
should consider the following:
HIT Must Satisfy A Buyer’s Business Needs and Price Plan
Most buyers have defined their “business”
needs (e.g., identified operations that require automation) and
then face the daunting task of determining which HIT product
or service can best meet these needs. Moreover, the buyer must
decide up front if it needs or wants to own software or if a
license will suffice. Unless the agreement specifies that the
developer has transferred its ownership rights to the buyer,
the developer owns the software and the buyer has only the licensed
rights described in the agreement. If a buyer does not own the
software, it potentially could lose the rights it has under
the license and/or be required to pay additional license fees
whenever it expands its HIT to new sites. Of course, the buyer
also must determine whether the price for the product or
service is appropriate.
Pay Only for Deliverables That Work
There is usually some compromise between the
vendor’s need to have some funds for technology as soon
as possible – for paying hardware suppliers, for example
– and the buyer’s need to pay for actual products
and to retain some funds until the service or product has been
successfully implemented and tested. Buyers should retain a
significant percentage of the total price until the acceptance
of deliverables or services. An additional percentage might
be withheld until an entire system has performed successfully
for 60 or 90 days after its acceptance.
Perform Acceptance Tests and Require a Refund for Failed Systems or Services
A buyer should only choose a vendor that allows
the buyer to test new systems or services after they are installed
to confirm that they operate according to all necessary specifications.
The acceptance tests should have defined periods (in the work
plan) for testing, corrections of failures and retesting the
system as a whole. The work plan should have a “drop-dead
date” by which the system must work in accordance with
its specifications. If the technology does not work by the drop-dead
date, the buyer should have the option to terminate the contract,
in whole or in part, or to require the vendor to continue to
fix and retest the technology. If the buyer decides to terminate
the contract, then the vendor must remove the technology and
refund any money the buyer has spent for the returned technology.
Test Entire Services or Systems, as Well as Isolated Parts
Buyers reduce risks by testing each of the specific
functions of the HIT system or service and then testing the
entire integrated and networked system, which should operate
without failure when interfaced to other systems. If corrections
are made to address failures that occur in one part of the system,
the whole system should be retested to confirm that it all works
correctly.
Acceptance and Warranty Performance Specifications Should Be Objective and Absolute
A preferred vendor will agree with a buyer upon
objective performance standards and specifications that must
be met before acceptance of the technology, which also will
be included in the warranty. Specifications should include standard,
published user and technical documentation, all documents and
standards relied upon by the buyer in making its purchase decision
(e.g., requests for proposals, vendor proposals, brochures,
and other standards that the technology must meet) and detailed
performance standards such as response times, batch processing
time and uptimes.
Beware of Qualifiers in Acceptance or Warranty Standards
Vendors try to have buyers accept systems that
work “substantially” or “materially”
in accordance with the specifications. Allowing such qualifiers
or hedges into an objective standard, however, will severely
limit the likelihood that the buyer will receive the system
it thinks it has purchased and will lead to arguments about
how close the system is to its specifications.
A Warranty Is a Promise the Vendor Must Keep
HIT vendors should warrant that the system or
service will: (i) operate in accordance with the mutually established
specifications; (ii) comply with all federal, state, county,
and local regulations, statutes, guidelines, and codes; and
(iii) contain no viruses, bombs, or disabling devices that could
be triggered if the buyer fails to perform one of its obligations,
such as making a payment when due. The warranty may be limited
to a certain period, such as one year from acceptance of the
entire system for large purchases. For a breach of warranty,
the vendor should repair or replace the service or system, in
part or in whole, at no additional cost. If a vendor cannot
satisfy its warranty obligations, then the buyer should have
the right to terminate the agreement and receive a full refund.
Vendor Should Provide Firm Schedule for Performance of All Obligations
A preferred vendor (and a successful HIT project)
will have a detailed work or project plan for the entire system
or project, with mutually agreed upon firm dates, for such important
events as delivery, installation, data conversion, the beginning
and projected ending of acceptance testing, implementation and
project completion.
Buyer and Vendor Must Manage the Project Carefully
Unmanaged projects fail. Both the buyer and the
vendor must carefully manage their parts of the HIT project.
Preferred vendors agree to stay on schedule every day or update
the schedule in an acceptable way and subject to the buyer’s
agreement, attend meetings, provide weekly and monthly reports,
fully staff the project, make decisions in a timely manner,
stay within the scope of the project, perform change orders
as needed and timely perform their other obligations.
Buyer and Vendor Should Negotiate Terms of Maintenance Services Upon Initial Purchase
The buyer should negotiate maintenance terms
at the time of purchase, when it will be more likely to obtain
significant support concessions. Since maintenance agreements
generally cost 18 to 25 percent of the initial purchase price,
maintenance agreements are as important as the purchase agreements.
Vendor Should Agree to Give Buyer Remedies for Foreseeable Problems
Technology projects rarely proceed as planned.
This contingency should be built into a procurement contract.
Typical remedies in large technology agreements include free
hardware for performance standard failures, termination for
default or convenience, software source code escrows, liquidated
damages to compensate the buyer for failures by the vendor to
perform key obligations, temporarily withholding payments from
nonperforming vendors until they perform all of their obligations
up to the standards (sometimes even withholding payments for
acceptable work if the vendor is in default of another obligation),
permanently setting off payments that would otherwise be made
to a vendor due to the vendor’s breach, and letters of
credit.
Vendor Should Indemnify Buyer From Certain Harms
Most standard vendor contracts contain only limited
indemnification or do not provide for indemnification by the
vendor at all. At a minimum, a buyer should try to receive general
indemnifications against harm caused by the vendor’s acts
or omissions (or by its negligence or willful misconduct), against
the vendor’s disclosure of the buyer’s confidential
information, and against the system’s failure to meet
all applicable laws and guidelines. In arrangements with vendors,
particularly those that are installing sophisticated HIT and
using licensed software or creating custom software to operate
the equipment, indemnifications against infringement or misappropriation
of intellectual property are increasingly critical.
In many cases, HIT will be involved in making
crucial medical decisions. Buyers should consider indemnity
provisions that protect against malpractice or related claims
that result from faults in the HIT. Buyers, however, also should
resist reverse indemnification provisions, where a vendor will
attempt to be indemnified if it is sued directly by an injured
party. If the buyer is unable to resist these types of reverse
indemnification provisions, the buyer should verify that its
insurance will cover such a contractual obligation.
Vendors Should Agree to Strong Confidentiality and Security Obligations
Data managed by HIT in most cases will include
sensitive personal information. The implementation of HIT must
comply with general federal and state privacy laws, such as
the Health Insurance Portability and Accountability Act (“HIPAA”).
Most vendors, in implementing and maintaining HIT, will be business
associates of a covered entity buyer. Therefore, the required
provisions for a business associate contract must be included.
Moreover, confidentiality, privacy and security provisions should
include mitigation and indemnity clauses that survive any disclaimers
and termination provisions in the contract. The confidentiality
provisions also should include an appropriate definition of
the information to be protected, the standard of care to be
used, a limitation on the purposes for which the confidential
information may be used, and a clear statement of who will retain
property rights in the information. In addition, a HIT contract
should contain specific notification requirements in the event
that a party improperly publishes or discloses confidential
information and should entitle the injured party to immediate
injunctive relief without requiring a cure period.
Damages Disclaimers and Limitations Must Be Mutual for Both Sides and Carefully Crafted to Lift the Limits for Certain Harms
A damages disclaimer is a provision that disclaims
responsibility for certain types of damages. Damages limitations
impose a total cap on damages recoverable under the contract.
If these provisions are included for the vendor, the vendor
still should be liable for all damages arising from its indemnification
obligations, breaches of its obligations to protect the buyer’s
confidential information, and federal penalties and disallowances.
Contact Information
As a leader in providing legal services to the health care
and information technology industries, DWT is taking an active
part in identifying and addressing potential health information
technology legal issues that may affect our clients. For assistance
in negotiating procurement agreements or for additional information
on HIT, please contact:
This advisory is a publication
of the Health Information Technology Group of Davis Wright Tremaine
LLP. Our purpose in publishing this advisory is to inform our
clients and friends of recent developments in health law. It
is not intended, nor should it be used, as a substitute for
specific legal advice as legal counsel may only be given in
response to inquiries regarding particular situations.
Copyright © 2005, Davis Wright
Tremaine LLP.