After 20 years of handling telehealth issues, I can finally discuss the importance of telehealth contracting, as more and more providers have embraced it over the past year.
Telehealth contracts can take all kinds of forms. Whether the contract involves electronic health records (“EHR”), software, an app, or some form of equipment for telehealth, the basic contracting issues I’ve outlined below apply. Over the past year, I have seen many mistakes made with regard to contracting.
Too often our healthcare clients and even our telehealth vendor clients blindly sign standard agreements. And who can blame them? Often, a provider is so excited about the new technology out there they just want to get the platform in the door to help patients or drastically improve medical care as part of their operations. However, signing these agreements blindly can be dangerous. These agreements must be negotiated and attention to details is paramount.
There are four crucial areas of concern. Please note that these are only a few important areas in a list of 400 other critical areas in telehealth contracting.
- Limitations on liability clauses;
- Indemnification clauses;
- Data security language; and
- Scope of work provisions.
For limitations on liability clauses, careful attention must be paid to not unduly, or unfairly, limit a telehealth software vendor’s liability. For example, many standard contracts are one-sided, with vendors carving out liability for incidental, consequential or punitive damages. Other standard clauses may limit liability to a dollar amount that is way too small to properly reflect responsibility or expectations under the agreement. There has to be a way to compromise and make sure that vendors not overly limit their liability to leave providers stranded when there is negligence by the vendor, or, say, a cyber or data leak that could cost millions of dollars in HIPAA fines and penalties for an unsuspecting healthcare provider.
Healthcare providers should consider reasonably revising these clauses to even the playing field when it comes to telehealth liability issues. Reasonable carve outs to these sections are, therefore, warranted.
For indemnification provisions, similar carve outs should be negotiated to allow providers to be indemnified for certain acts or omissions of a vendor. These negotiations will vary on the telehealth product offered, and the scope of services, as well as the provider size and capabilities. Again, carve outs that allow the indemnification to apply and work in conjunction with the limitation of liability provisions should be negotiated carefully.
As for data security, everyone knows that with all the mountains of data utilized in a telehealth platform, comes all that much more responsibility to protect that healthcare data. As such, special attention should be paid to cybersecurity issues: what limits are placed on liability for a data breach, how much liability should be footed by the vendor, and what is the process for mitigating/fixing a HIPAA breach that may occur or worse yet, a hacking or cybercriminal event?
Asking these questions will also allow the provider to understand, and allow them to tout, the vendor ’s experience and readiness to combat hacking incidents, giving both parties comfort in the contracting process. Lastly, don’t forget to ask about cyber liability insurance and whether its adequate to protect both parties in the event of a breach.
Finally, when negotiating these agreements, many providers and vendors focus most of their attention on the terms and conditions, rather than a Scope of Work document that may be attached as an exhibit. This is a mistake. To the contrary, providers and their counsel should pay close attention to the Scope of Work, and negotiate that vigorously to meet important expectations on timelines, modalities, implementation, support, maintenance, and problem solving techniques of the telehealth vendor. Often we see providers that fail to focus on the “service levels” referenced or buried in the Scope of Work, which could require an inordinately small or unreasonable amount of “uptime” for a platform, when the provider would want or expect telehealth service uptime levels to be closer to 100%. Paying close attention to the Scope of Work is just as important as the basic underlying contract itself.
Similarly, vendors also need to pay close attention to these provisions when contracting on their side. The proliferation of telehealth is a two-way street. Making sure the vendor is protected can be just as important as making sure the provider is protected. With reasonable negotiation, the parties can strike an agreement that will not only solidify the relationship between the parties, but also allow the service to flourish.
Neville M. Bilimoria is a partner in the health law practice group, in the Chicago office of Duane Morris.
Reprinted with permission of Chicago Lawyer.