Successful cloud-based EMR should include data rights in vendor's contract
A practical look at information technology issues and usage
A contract stating that a practice owns the patient data entered and stored on a Web-based electronic medical record may not guarantee that the practice can control how the data are used or accessed.
Issues relating to the use, accessibility and portability of patient data often are lumped under an umbrella referred to as "data ownership." Although it is important for physicians to have a legal right to the data they collect on patients through normal practice operations, they need to worry about the "what-ifs."
Some of the what-if scenarios with data play out by way of natural disasters. Others could be the result of changes made on either the practice's or the vendor's part. Because data can be viewed, used or accessed by multiple people, issues of who gets to use the data, and for what purposes, come into play.
Lynette Ferrara, partner at CSC's Health Informatics Practice, said practices need a plan that addresses all of these issues. "The vendor they choose should support that plan," she said. "But at the end of the day, they have to be responsible for knowing what questions to ask, particularly in areas" such as data ownership. Experts say physicians should know what provisions to look for in their contracts with vendors.
Concerns about data ownership stem from the fact that cloud-based EMRs are hosted, and therefore store data somewhere off-site from the practice.
Attorney Gerard Nussbaum, director of technology services for the global management consulting firm Kurt Salmon Associates, said data ownership is difficult for many people to understand, because it's different from owning something tangible. You can "own" data, he said, but it can be used by you, others in your practice, the guy down the street and so on.
Therefore, when contracting with a vendor, physicians should understand not only who owns the data, but who can use it; who determines who can use it; how, or even if, you can exclude someone from using it; and how to access it, especially if you part ways with the vendor.
Ferrara said the contractual questions can be taken care of by looking at what provisions vendors offer to address a few key issues.
Data mining. Some vendors have processes to use aggregate data from all of their clients to sell or distribute for several reasons, including public health canvassing and research. Some use the data to run site-specific analytics for each client, some of which are required for meaningful use attestation. Ferrara said many systems are set up for optimal speed and performance for physicians entering data. Adding the capability for physicians to run their own analytics would only slow it down. Therefore, the vendors offer analytics as part of the package.
Ferrara said practices need to know if and how they can extract their data to run analytic reports. Don't just take the vendor's word if they tell you it's possible, she said. Have the vendor demonstrate how it works.
Nussbaum said practices should know how the aggregate data are being used. Once patients know the practice has an EMR, many probably will ask their physicians how their information is being used and by whom. The doctor should have an answer.
Disaster recovery. Though it's understood that in a cloud environment data are housed off-site, practices need to have uninterrupted access. Therefore, vendors must have a plan for when that data center goes down. Most companies have a second site -- in a different geographic area so the same natural disaster would not affect both sites -- that is used in the event of an outage. The transfer of sites should be seamless. Ferrara said the vendors should be able to demonstrate how the practice can get back online if a disaster hits one of the data centers.
Data backup. If disaster strikes the practice, the data may be in the cloud, but retrieving it may be more difficult than finding Internet access. Most data are encrypted while in motion, and the keys to unencrypt the data may not be available if those keys were specific to a certain device, said Jonathan L. Schaffer, MD, managing director of eCleveland Clinic, Information Technology Division at Cleveland Clinic. He said a plan must be in place for unencrypting data if those keys are lost or unavailable. If the backup plan involves data that can't be unencrypted, "it's no good to me," he said.
Exit strategy. Whether it's the vendor going out of business, the practice splitting up, or a new system being installed, the vendor should demonstrate for any potential client how the data can be retrieved or transferred to a new system. The contract should specify how the data will be formatted and the process for getting it to the practice or into a new system.
Nussbaum said physicians buying off-the-shelf EMRs probably will not have a lot of wiggle room when it comes to contract specifics. "That's not to say that the terms are wrong or bad or anything like that," he said. Practices just need to understand what they are getting.
Ferrara said deal-breakers include a vendor that cannot answer how a practice can retrieve its data. She said not only should the vendor be able to tell you, and include it in the contract, but the process should be demonstrated.
Contracts need to plan for future contingencies. Features that are attractive and important to an organization today might not matter much in the future, Dr. Schaffer said.
"Things change," he said. "We change, our practice needs change, our practice patterns change and companies change as well. So the two parties in the relationship sometimes find that what's attractive now may not be attractive in 12 months, 12 years or even 30 or 40 years."
Practices need to anticipate all of the possible scenarios and have protections written into the contract. "The contract is there to protect organizations," Dr. Schaffer said.