EHR Vendors and Contract Clauses

Simply put, electronic health record vendors and purchasers want contract agreements that offer security and protections from breaches and other responsibilities. In particular, “hold harmless” clauses are skewed in favor of the vendors, absolving them of responsibilities in the event of software errors, failures and other problems. The other primary issue concerns the legal doctrine called “learned intermediaries,” which asserts that “trained medical professionals should be able to identify and correct any errors caused by faulty software.” Again, these provisions lean towards protecting the EHR vendors over the providers.

When uninvited allegations of security and privacy issues are brought to the attention of the Finance Committee, the federal group that controls the funds issued to health organizations for the implementation of certified electronic health records allowed through the American Recovery and Reinvestment Act, actions must be taken to determine validity. Senator Charles Grassley, who controls such funds, sought to investigate further by contacting several health information technology vendors.

Political intonations may be evident, since Senator Grassley seems to put forth little effort in securing clear answers to the problems that were initially brought to the forefront by an article in the Journal of the American Medical Association that “discussed onerous confidentiality/nondisclosure contract clauses” but was “focused more on the hold harmless/learned intermediary provisions that shield vendors from liability for patient or financial harm” (2010). The Senator wants to know if EHR systems are safe and protect patients from harm.

Vendors and providers alike need contractual provisions that protect each entity. Reaching an agreement that works for both requires careful negotiations. Seeking professional and knowledgeable legal review is highly recommended. Vendors want their intellectual property rights protected, and medical providers need to protect their organizations' information technology practices. Vendors seek the hold harmless clauses in an “attempt to shield themselves from any fault for problems that arise with use of their health IT products” (2010). The providers acknowledge this, but “they don’t just want to give the entire legal store away” and want vendors to be responsible and accountable for appropriate software issues.

Lessons learned:

  • Always negotiate for an agreed-upon contract.
  • Providers should not concede to EHR vendors' terms.
  • Seek professional and knowledgeable legal review and representation.
  • Review the contract language multiple times and question all ambiguities.
  • Consider another vendor if agreements cannot be appropriately negotiated.


Anonymous. (2010). Is ‘speak no evil’ and contract clause? Health Data Management, 18(4), 27-34.