The Right Choice

HIPAA and security considerations when choosing an EMR vendor.
By Gwen Simons, Esq, PT, OCS, FAAOMPT
Choosing an electronic medical record (EMR) vendor can be one of the most important decisions a practice makes because it is not easy to change EMR programs once the choice is made. Therapists are increasingly choosing cloud-based software-as-a-service (SaaS) programs for greater access and lower startup/maintenance costs. But when the program stores patient data on cloud servers, more attention must be paid to the EMR vendor’s security safeguards and contract terms to fully comply with the Health Insurance Portability and Accountability Act (HIPAA) and avoid a security breach.
I’ve had the opportunity to review many contracts from EMR companies for physical therapists, and I haven’t seen a contract yet that provided adequate protections for the provider. When I’ve raised contract issues with EMR vendors, they usually say, “No one has ever asked that question or requested any contract amendments before.” That’s concerning! As the covered entity in the relationship with the EMR vendor, the provider is the one ultimately responsible if there is a security/privacy breach and could be subject to sanctions for HIPAA noncompliance. And with the growth in security breaches and ransomware problems in health care, providers have an obligation to choose an EMR vendor that will use best practices to secure their patients’ protected health information. That said, EMR vendors are usually hesitant to even consider requests to change their standard agreement. When that occurs, you should still seek assurances that the vendor is using best practices (versus minimally compliant efforts) to secure your data. If not, and if the vendor won’t contractually accept responsibility for securing the data they control in their cloud server, take your business elsewhere!
Every EMR vendor will say that their product is HIPAA compliant. That doesn’t necessarily mean it truly is or that the vendor uses best practices in securing patient data. Even when the product/service is HIPAA compliant, the warranties and limits of liability in the contract disclaim responsibility for any damages that occur should the vendor have any lapses in their security safeguards or HIPAA compliance. That’s why you need to thoroughly investigate the vendor’s security policies and procedures to make sure best practices versus minimal compliance methods are being used. Here are the most important questions you need to get the answers to:
- Does the EMR company itself own the servers hosting your data or will it outsource data storage to a data center? Under HIPAA rules, a vendor that stores protected health information (PHI) is a business associate, even if the data is encrypted and the vendor cannot access or read it. That means that if the EMR vendor contracts with Rackspace or some other data center to store your data, you must confirm that the EMR vendor has a contract with the data center that mirrors your business associate agreement with the EMR vendor. You also want to make sure the servers are in the United States; in fact, you should insist on a contract clause that prohibits it from being stored on servers elsewhere. If the data is stored on servers outside the United States, the laws of the jurisdiction where the server is housed may be in conflict with U.S. laws.
- Have the EMR vendor and/or its data center had an external security audit? If the company has not had an external audit, this is a red flag. Reputable companies do audits and will share their audit results under a nondisclosure agreement. You should also ask the EMR vendor and/or data center to share their security policies and procedures with you. If the vendor responds by saying, “We use the best security measures in the industry—the same ones that banks use . . .” but won’t provide policy proof for that statement, the vendor may not really be HIPAA compliant. The HIPAA Security Rule requires you and your business associates to have written security policies to address your risks. The EMR vendor’s security gaps are your risks. Therefore, you must address the vendor’s risks in your security rule policies.
- Is your EMR data encrypted on the server? Just because the data is encrypted in transit does not mean it is encrypted when it gets to and sits on the server. Some software vendors will tell you that the software does not encrypt the record because it would make it difficult for you to search for records or would slow down the operation of the software too much. If the data is not encrypted at rest on the server, then your data is at greater risk and you will have to report any and all data breaches.
- Are data backups encrypted? I’ve seen data center contracts that say they don’t encrypt data backups unless the customer pays for a higher level of service. Ask for assurances that backups are indeed encrypted so you will know whether unauthorized access to backup data will have to be reported. Also, if you rely on the EMR/data center vendor to back up your data, they will have to provide you with a procedure for how to access the backup in case of a disaster or emergency for you to meet your compliance requirements under HIPAA.
- Is the software capable of running audit reports to determine who accessed what records on what dates? Does the EMR vendor/data center perform and review audit records for unauthorized access attempts or will you be responsible for reviewing and maintaining audit records? If you ever have to undergo a HIPAA compliance audit, the Department of Health and Human Services (HHS) will look for evidence that you perform regular access audits and will expect you to maintain your audit data for 6 years.
- Are you responsible for downloading a record, or will the vendor give you an electronic copy of it? If a copy is provided, will it be readable if you don’t have the software? HIPAA requires you to provide a readable copy of the patient’s record to the patient upon request, and you must be able to provide access to a readable copy of the record for at least 6 years (maybe longer under other state laws). Your EMR contract will acknowledge that you own the data entered into the program, but it may not say whether or how you can access the data upon termination. If it is not readable without the software, the vendor could hold your data hostage by charging a conversion fee or a fee to continue to provide storage and access to your data post-termination.
- Does your Business Associate Agreement allow too much time for the BA to report security breaches to you? HIPAA requires the covered entity to report security breaches to individuals whose data was breached within 60 days of the breach discovery. The more time your service or BA Agreement gives the vendor to report suspected breaches to you, the less time you have to meet your obligation to investigate the breach, mitigate the damages, and notify your patients (or the media, if applicable) and HHS of the breach. You should try to get the EMR vendor to agree to report suspected breaches to you within 5 days of discovery—and certainly not more than 30 days.
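An added example, not from the article or any EMR vendor's software, of the access-audit review the audit-report question above describes: it parses constructed access-log lines in a hypothetical pipe-delimited format, builds a who-accessed-what-record-on-what-date report, and flags denied attempts and successful access by users outside a hypothetical care-team assignment list for a reviewer to examine.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EMR access-log lines in a hypothetical format:
# timestamp|user|record|action|outcome
SAMPLE_LOG = """\
2023-03-01T09:12:04|jsmith|MRN1001|VIEW|OK
2023-03-01T09:40:17|jsmith|MRN1002|UPDATE|OK
2023-03-02T22:05:51|bjones|MRN1001|VIEW|DENIED
2023-03-02T22:06:30|bjones|MRN1001|VIEW|OK
2023-03-03T08:15:00|akhan|MRN1003|EXPORT|OK
"""

# Hypothetical care-team assignments: which users are expected to touch which records.
ASSIGNMENTS = {"jsmith": {"MRN1001", "MRN1002"}, "akhan": {"MRN1003"}}


def parse_log(text):
    """Parse pipe-delimited audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record, action, outcome = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "record": record, "action": action, "outcome": outcome})
    return events


def access_report(events):
    """Who accessed what record on what date: record -> sorted (date, user, action, outcome) rows."""
    report = defaultdict(list)
    for e in events:
        report[e["record"]].append(
            (e["time"].date().isoformat(), e["user"], e["action"], e["outcome"]))
    return {rec: sorted(rows) for rec, rows in report.items()}


def flag_suspicious(events, assignments):
    """Return (reason, event) pairs a reviewer should examine: denied attempts,
    and successful access by a user with no assignment to that record."""
    flagged = []
    for e in events:
        if e["outcome"] != "OK":
            flagged.append(("denied", e))
        elif e["record"] not in assignments.get(e["user"], set()):
            flagged.append(("unassigned_user", e))
    return flagged
```

The report and the flagged list are the artifacts to retain as evidence of regular access review; retention of the underlying audit data for the required period is a separate control the vendor must confirm.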

These are but a few of the issues to consider when negotiating a contract with an EMR cloud vendor. You can find more information about what questions to ask and what contract terms to look for at:
- 15 Questions to Ask Before Signing an EMR/EHR Agreement, American Medical Association (available at www.hcma.org/EMR_agreement.pdf)
- EHR Contracts: Key Contract Terms for Users to Understand, The Office of the National Coordinator for Health Information Technology, Washington, D.C. (available at www.healthit.gov/sites/default/files/ehr_contracting_terms_final_508_compliant.pdf)
Gwen Simons, Esq, PT, OCS, FAAOMPT, is a health law attorney in Scarborough, Maine, serving physical therapists and other health care providers in private practice. She can be reached at gwen@simonsassociateslaw.com.