Health care providers are quickly moving toward electronic medical records (EMR). 
While estimated total market penetration is still less than 20 percent, many more providers are considering or transitioning to EMR. Physicians and physician group practices should understand the potential risks and pitfalls as well as the important considerations for assessing and negotiating EMR purchase and service contracts. For the unwary, the risks of poorly negotiated EMR contracts and the implementation of inefficient or even non-functioning EMR platforms can be devastating.

Understand the Risks
Some of the risks associated with the use of EMR include:

  • the loss of patient medical records due to computer system failures, computer viruses and other technical problems
  • increased difficulty in controlling access to medical records and limiting such access to only authorized personnel
  • controlling the ease with which patient medical records can be copied, communicated and/or disseminated to unauthorized users or by authorized users for improper purposes
  • countering the perception by patients that their medical records will not remain confidential and will be viewed or used improperly

Develop a Solid Security Plan
Computer hacking crimes and identity theft are two of the fastest growing crimes in the United States, and patient medical records present attractive targets for hackers and identity thieves because they usually contain the three essential pieces of information that hackers and identity thieves need:

1. a patient’s name
2. date of birth
3. social security number

As a result, any physician or physician group practice either using or considering the use of EMR should establish a solid and effective security plan as well as policies and procedures designed to protect your computer systems and EMR. You should not only ensure that you are compliant with the HIPAA Security Regulations, but also take the necessary steps to ensure that your systems and EMR are as secure as possible from outside intrusion. Hiring an outside vendor that specializes in systems and computer security, and has expertise in the HIPAA Security Regulations to conduct penetration testing, monitoring and auditing of your computer and EMR systems is an excellent first step.

 Additionally, physicians and physician group practices should develop written policies and procedures pertaining to the access of patient medical records, including EMR, as well as the dissemination and communication of patient medical record information and EMR. The use of simple tools such as password and encryption protection, and education and training which focuses on instructing employees not to discuss patient medical record information or give out or share their system passwords can provide an inexpensive and effective means for protecting the security of your EMR.

Five Keys to Negotiating EMR Contracts
When evaluating and negotiating EMR contracts, physicians and physician group practices should initially focus on at least five basic issues:

  1. Ascertain what support is available from the EMR vendor, and ask about response time, after-hours support, and whether local support personnel certified to work on the operating system are available.
  2. Inquire as to whether there is a charge for developing software updates and special reports for the particular EMR system.
  3. Ask whether the EMR system includes error correction features that can help prevent users from entering wrong data such as patient ages and medications. In fact, the ability of an EMR system to recognize medication errors both by the type of medication and the dosage of the medication is a critical function which you should negotiate into your EMR contracts and platforms.
  4. Ensure that the EMR system can maintain an audit trail so that unauthorized access attempts can be tracked, monitored and ultimately prevented.
  5. Check that the EMR system can import and export data. For example, EMR systems must be able to integrate and function with billing and patient scheduling software, as well as with outside vendors’ software for claims submission, billing and clearinghouse functions.

Additional Issues to Consider
When reviewing and negotiating potential EMR contracts, here are a few additional issues physicians and physician groups should consider:

  • Ensure that that your hardware and computer systems can support and be fully integrated with the EMR software you are purchasing.
  • Consider structuring your contracts so that they pay in stages after the completion of certain phases of the development, implementation and testing of the EMR system.
  • Review installation requirements, training, warranty and maintenance, vendor staffing, and data conversion and data transfer requirements.
  • Determine whether the contract contains an assignment provision which would allow the EMR vendor to assign the contract without your written consent.

Beware of Assignment Provisions
There has been a tremendous amount of consolidation among EMR vendors within the last two years. Specifically, some estimates state that in 2003 there were approximately 325 EMR vendors in the national marketplace, and at the end of 2005, other estimates indicate there were less than 150. Many of the EMR vendors who are no longer around have either been bought out by or have merged with other EMR vendors, or have gone out of business or declared bankruptcy. In some of the buy-out and merger situations, vendors have been able to reassign their contracts with physicians and physician group practices without those physicians’ written consent. Often in these situations, the new EMR vendor will not honor old contract provisions or does not want to integrate the old EMR vendors’ software with their own which can cause functionality problems for the EMR platforms that have been purchased. In some cases, physicians and physician group practices are faced with having to purchase new software at very expensive prices or the alternative — a non-functioning EMR system.

In addition, when EMR vendors have gone out of business or bankrupt, the physicians and physician group practices that have purchased their EMR products are often left without any support or ability to maintain their systems. Therefore, it is essential that physicians and physician group practices perform the appropriate financial and business due diligence on EMR vendors with whom they are considering contracting.

Michael R. Lowe, Esq. is a Florida board-certified health law attorney and shareholder at Michael R. Lowe, P.A. Located in Longwood, Florida, Mr. Lowe specializes in health care law with an emphasis on the representation of physicians and physician group practices.