Health Information Technology Advisory Bulletin

User Agreements for Electronic Health Information Networks

By Paul Smith, partner and co-chair of HIT/HIPAA practice of DWT,
and Rebecca L. Williams, RN, JD, partner and co-chair of HIT/HIPAA practice of DWT

Published by DWT's Health Information Technology Law Group
[August 2005]

Electronic health records promise to improve health care in many ways—by giving providers current and complete patient health information, by using intelligent systems to avoid errors, and by aggregating data for quality monitoring, public health surveillance and research. These benefits depend on the willingness of consumers and providers to share health information through data networks accessible to other providers, public health authorities and researchers.

Confidence is key: if providers and consumers are uncertain how their health information will be used, or if they are concerned about its security, they will cling to the comfort of a paper record locked in a file cabinet. Electronic health information sharing networks must have clearly defined rules concerning use, disclosure and security of health information.

User agreements can have several purposes, including:

  • Establishing the rules for all the participants in an information sharing network
  • Setting out the terms on which participants will have access to the network and the information contained on the network
  • Determining how participants will make data available through the network
  • Serving as a business associate contract between the network operator and HIPAA-covered participants, if one is needed
  • Identifying who owns the systems, software and data that make up the network

A health information exchange needs to address privacy considerations consistently – particularly the use and disclosure of health information. HIPAA compels the disclosure of health information to the individual to whom it pertains and to the Department of Health and Human Services to investigate HIPAA compliance. In all other circumstances, HIPAA is permissive: it allows a provider to disclose health information, but does not require it. Someone has to make a decision whether to release the information. For example, will each participant have control over the use and disclosure of its health information or will the information be centralized in the network? Will participants be allowed to access information for their health care operations in addition to treatment and payment? How will access by researchers or public health authorities be handled? How will participants respond to law enforcement requests or demands for information? How will more stringent state law protections be addressed, particularly if network participants are located in more than one state? The network needs consistent policies on myriad topics such as these. The user agreement is the tool through which these policies are established and enforced and through which participants are assured that the information they make available through the network will be used and disclosed only for appropriate purposes.

A health information exchange also needs a strong and consistent approach to security. The HIPAA security rule does not require any particular security measures – it allows covered entities of different kinds and complexities to have widely differing security implementations as long as mandated processes are followed. Although this may be appropriate for insular operations, no one will want to make data accessible through an electronic network without assurances that the data will be accessible and secure and, in particular, that access will be properly restricted and monitored. Again, the user agreement is the means by which participants agree to a common security standard.

Participants will want to make data available through the system. The information exchange needs technical standards for communication and interoperability. Beyond these, participants will have expectations concerning the reliability of data – is it accurate and complete, and is the record stable, so that health care decisions are not only appropriate, but supportable in the future if the need arises? May participants withhold sensitive health information, remove such information or apply additional safeguards for the information? These are questions that the user agreement should answer.

The user agreement must describe the obligations of the entity holding the information and operating the network. This entity usually is viewed as the business associate of each of the participating covered entities, and the user agreement typically will incorporate a HIPAA business associate contract. If responsibilities such as creating or using a limited data set or de-identified information are involved, the user agreement also will need additional HIPAA-mandated language. The entity running the system will have other responsibilities: credentialing users, maintaining and supporting the system and monitoring and policing its use. These responsibilities need to be defined, and the agreement must strike an appropriate balance between protecting the privacy and security of health information, on the one hand, and, on the other, limiting the liability of the information exchange and its participants for failure or misuse of the system.

Consumer access is an important topic for the user agreement. HIPAA gives consumers rights to see, copy and amend their health records, to receive an accounting of non-routine disclosures and to request additional privacy protections. Who will administer these rights, and how will responsibility be shared among the participants? Aside from the mandatory rights, network participants may want to make health information available to consumers through an online personal health record. Providers will need to be involved in decisions about what information is made available to their patients and how their patients contribute information to the record.

Financing the operation of an information exchange is a pressing problem, affected by regulatory and economic issues. The user agreement will need to establish license and use fees, terms of payment and consequences for failing to pay fees.

The user agreement should address privacy, security and other breaches. Who is responsible for auditing and investigating complaints and possible breaches? How will mitigation and any notification efforts be handled? Who will determine and administer sanctions? How will liability be apportioned? Will participants indemnify each other? Although these issues often invite negotiations, they should be addressed in the user agreement.

Finally, the user agreement will have to provide for termination. For example, the agreement should spell out the circumstances under which a user may be terminated and the consequences of termination, particularly for data that the terminated user contributed to the system or accessed through it. HIPAA generally would require the user’s data to be returned or destroyed, unless return or destruction is not feasible. Returning or destroying data impairs the stability of the shared record: providers may be (and should be) reluctant to rely on a record that could disappear at any time. For this reason, the participants may regard returning or destroying data as infeasible, even if it is technically possible.

All this adds up to a good deal of fine print. The variety of participants adds complexity: the rules of participation will be different for providers, health plans, researchers, consumers and public health authorities. Although the user agreement is an important document, it should not be allowed to become a barrier to participation or a topic of extended individual negotiation. Balanced, flexible terms that apply to all participants (or participants in like categories) are important. Also helpful is a thoughtful distribution of provisions among policies and procedures that can be easily changed and a signed document that sets out the basic agreement and incorporates the policies and procedures.

For more information, please contact any of the following attorneys:

Author:
Paul T. Smith
San Francisco, California
(415) 276-6532
PaulSmith@dwt.com

Author:
Rebecca L. Williams, RN, JD
Seattle, Washington
(206) 628-7769
BeckyWilliams@dwt.com

Contacts:
Paul Smith, San Francisco, (415) 276-6500, paulsmith@dwt.com
Becky Williams, Seattle, (206) 622-3150, beckywilliams@dwt.com
Tom Jeffry, Los Angeles, (213) 633-6800, tomjeffry@dwt.com
Bernie Thurber, Portland, (503) 241-2300, berniethurber@dwt.com


This Advisory is a publication of the Health Law Department of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright © 2005, Davis Wright Tremaine LLP.