January 23, 2020

January 22, 2020

Subscribe to Latest Legal News and Analysis

January 21, 2020

Subscribe to Latest Legal News and Analysis

“Access Denied” – Understand How Your Electronic Health Records Are Controlled

Earlier this week, my colleague Dianne Bourque commented on a small medical practice’s inability to access its patients’ medical records one July day after its EHR vendor blocked the practice from pulling the data stored in the EHR.  In the Boston Globe article, the EHR vendor compared the situation to an electric company turning off the power after months of nonpayment. As technology advances, we abandon “outdated” ways of doing things – our cordless phones won’t work when our power is shut off, and a doctor who has switched to an EHR can’t grab the paper chart off the stacks when its EHR shuts down. A main purpose of the push for providers to adopt EHR is to streamline patient care – a doctor at the hospital doesn’t have to wait for the primary care provider’s chart with the relevant medical history to be delivered or faxed, but just uploads the relevant data set with the patient’s history so they can diagnose and treat the patient.  But that all goes out the window if your EHR goes dark, and you can’t get to the records. 

Our best advice for providers looking to avoid a situation like the one covered in the article is to focus on HIPAA privacy and security rule compliance and “meaningful-use” requirements when contracting with an EHR vendor, but not lose sight of other practical aspects of the relationship.  Your EHR vendor relationship should not rule your patient relationship.   

A few things to consider in your contracts:

  • Be sure your EHR vendor agreements specify who owns the data and make sure that a data “black-out” is not a remedy the vendor can use if there is a contract dispute. 

  • Remember that data backup is a HIPAA compliance requirement.  Covered entities must maintain retrievable, exact copies of ePHI, so inability to provide care following data “black-out” may reveal HIPAA compliance failures.  

  • Specify that the data must be returned to the provider if the agreement is terminated by either party for any reason. Providers have medical record retention obligations under state law whether or not their EHR vendor is still in business.

  • Clearly delineate each party’s obligations in your agreements – who, what, when, and how. 

These are just a few of many issues you will need to consider when negotiating and entering into EHR vendor contracts.  The small practice in Maine provides a cautionary tale and a reason to review your existing agreements to see if they need more clarity.  A common mantra of health care reform (including the push for EHRs) is the triple aim: improved patient experience, improved population health, and reduced per capita costs. But a break-down in the new and improved system doesn’t advance any of these aims.  At the end of the day, patient safety is paramount to all of the parties – and where technology has its limits, the parties should understand in advance where the data will be.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Rachel Irving Pitts, Mergers Attorney, Mintz Levin, Compliance Review Lawyer

Rachel's practice primarily involves transactional and regulatory matters, including mergers and acquisitions, regulatory compliance review, telemedicine issues, and provider and service contracting matters for various health care providers, administrative organizations, payors, and health systems. Rachel has worked on over 20 transactions valuing more than $200 million since starting at Mintz Levin. She works with hospital systems, dialysis, long-term care, and retail providers, individual providers and practice groups, management companies, independent practice associations, and third-...