Before you transmit, make sure patient data are secure

You might have come across, in your contracts for laboratory or technical services, something called an "interface agreement."

An interface agreement structures how laboratory test orders and results will be communicated and transmitted between the physician's computer system and the laboratory service provider's system. For example, recently a physician practice client had me review such an agreement as part of a contract involving phlebotomy services.

In the past, transmission of patient information by e-mail or online most often was addressed in the actual service or provider agreement. But as state and federal health care regulations have evolved on the protection of patient information, physicians have had to balance the convenience of transmitting and receiving patient information, including lab results, in "real time" with the responsibility of protecting patient information from unauthorized disclosure.

In light of state and federal regulations, including the security requirements of the Health Insurance Portability and Accountability Act of 1996, interface agreements are being broken off into their own section. Physicians should read them carefully to make sure it's spelled out exactly how patient information will be protected and secured from unauthorized disclosure to third parties.

This column highlights key areas you should consider before signing an interface agreement including: practice group responsibilities, error/virus reporting, term and termination, limitation of liability and exclusion of damages, and compliance with laws.

Practice group responsibilities. Make sure the interface agreement spells out the responsibilities of each party. You should consider including language stating that the information exchanged between your practice and the service provider will not be used for promotional, marketing or advertising, or for test send-outs to other labs if the underlying agreement is for laboratory services. You should ensure that whatever means you use for a technological interface will not be copied, disclosed, marketed, licensed, sold or distributed to any third party. To retain control of the interface and its use, you should designate a person in your practice, or an outside vendor, to be responsible for the installation, training and support, and maintenance of the interface as related to the contractual relationship between the parties.

You also might consider designating a time limit from the installation of the interface as to when both parties will match its test codes to the transmitted test codes. This is important to ensure that test results or patient information being transmitted matches the information being received by your practice. Ask the lab or other service provider to give you a cross-reference test dictionary so you can match up the information you are receiving from that company.

You also should consider including a provision in your contract that each party is responsible for maintaining its own system, including all hardware, software and related expenses. If any equipment is being provided to your practice by the service provider, make sure the equipment is specifically listed within the agreement, and maintenance and replacement for such equipment also is addressed.

Error/virus reporting. You might consider including the following sample language as a mutual responsibility of both parties regarding the notification and reporting of errors and virus detection:

"Each party will immediately report to the other party notice of any failure of the interface that prevents accurate and timely transmission and/or receipt of test orders, results and reports, to allow the parties to transmit orders or reports via alternative methods. Each party will immediately report the discovery of any virus or other system corruption (whether it is on the practice group's system or on the service provider's system) if it is connected with the interface between the parties."

Not only do transmitted errors and computer viruses slow down or halt the pace of your practice and your ability to render quality patient care, errors and viruses also might expose your practice to liability. You should make sure there is a reporting mechanism in place for errors and viruses, to safeguard your practice from unnecessary exposure.

Term and termination. Check to make sure that the term of the proposed interface agreement is consistent with the term of the main service provider agreement. The interface agreement should remain in force until the service arrangement between the parties is terminated. Your duties and obligations pursuant to the interface agreement should not exceed the agreement's actual term and termination.

Limitation of liability and exclusion of damages. Many interface agreements include provisions limiting the service provider's liability and exclude the availability of damages (monetary compensation for loss of use, data or profits) to your practice. These provisions usually are typed in all capital letters and appear in bold print so that they are recognizable by both parties.

Make sure that you read and understand these provisions. Often physicians skim over these provisions, and their meaning becomes clear only after a problem arises with the relationship or rendered service. You might consider including language stating the exclusion-of-damage limitation does not apply to claims by your practice for errors or damages that result from the company's negligence.

Compliance with laws. Consider including a provision in your interface agreement requiring both parties to comply with all applicable laws, rules or regulations, including federal and state self-referral laws, anti-kickback laws, and HIPAA privacy and security regulations.

Before you commit to a service agreement that includes the transmission of electronic patient information between your practice and the service provider, make sure that you carefully review and understand how patient information will be transmitted, protected and stored.