Navigating Healthcare Technology Contracts, Top Challenges & Trending Topics

Ryan Portwood, Partner

Intellectual Property | Health Technology

Why is this Important?

• Hospital California shut down its emergency department after the EHR and data system failed. The failed systems led to issues with properly dispensing medications, verifying physician orders, reviewing patient labs, MRIs and other diagnostic procedures, and led to an inability for clinicians to review patient records.

• A small primary care provider was locked out of its cloud based EHR over a dispute involving unpaid maintenance fees. The provider could not access medical histories for 4,000 of its patients.

• A software issue at University of Kentucky Healthcare on Sept. 23 caused the Lexington-based health system to divert some patients who arrived by EMS to other nearby hospitals.

2

Software Delivery Models

• Healthcare provider hosted

• Cloud based

3

Initial Considerations When Selecting Technology Vendors

• Don’t fall in love.

• Involve all the key stakeholders early to ensure there is an accurate list of desired features (“must haves” v. “like to haves”).

4

Healthcare Technology Agreements: Naming Schemes

• Software License Agreement

• Software Services Agreement

• Master Software License and Services Agreement

• Subscription Services Agreement

• Master Services Agreement

• Software-as-a-Service (SaaS) Agreement

• Cloud Services Agreement

• Hosted Services Agreement

5

Other Types of Agreements that include Technology Products and Services

• Types of agreements in healthcare where technology may be one of the ancillary products/services offered by provider/supplier/vendor:

• Data registry

• Telemedicine/telehealth

• Research

• Management services in connection with joint venture

6

Healthcare Technology Agreements: Key Terms • Scope of license

• License fees/user fees/maintenance fees

• Service level agreements

• Representations/warranties

• Data use/rights

• Data security

• HIPAA

• Indemnification

• Limitation of liability

• Cyber insurance

• Transition services

7

Scope of License

• How broad does the license grant need to be? • Enterprise-wide (e.g., across all affiliates) • Certain designated sites (vendor may require schedule/appendix listing

facilities)

• Who needs to access the software? • “Users” or “Authorized Users”

• Employees, subcontractors, temp staff • Employees, contractors and temp staff of affiliates

• Licensing metrics • Unlimited number of “Authorized Users” • Named user vs. concurrent user

8

Scope of License: Common Terms

• License Grant • “Vendor hereby grants to Customer a [perpetual (on-premises),] non-exclusive, royalty-free,

non-sublicensable, non-transferrable (except as permitted under this Agreement) license to use [, install (on-premises)] the Software for its internal business purposes and in accordance with the documentation.”

• Authorized Users • “Authorized Users” means Customer and its affiliates (and their respective employees,

agents and independent contractors) authorized by Customer to use the Software.”

• Restrictions • “Customer shall not: (a) rent, lease, lend, sell, distribute, publish, transfer or otherwise make

the Software available to any third party (except as permitted under this Agreement); (b) reverse engineer, disassemble, decompile, decode, adapt or otherwise attempt to derive or gain access to the source code of the Software; or (c) authorize the use of the Software in any manner or for any purpose that is unlawful under applicable law.”

9

License Fees/User Fees/Maintenance Fees

• What does the fee structure look like?

• Can you increase/decrease # of licenses?

• Is it a flat fee, or based on number of users or hospital beds?

• What are the maintenance fees – when do they renew, and is there a cap on any increase?

• Be wary of audit provisions. • On premise or remote

10

Service Level Agreements (“SLAs”)

• Support services • Response and resolutions times • Escalation procedures • How to contact software vendor’s support team • Service credits for failure to meet response/resolution times

• Hosted/cloud SLAs • Uptime/availability (e.g., 99.99%) • Scheduled downtime (how often, when and for how long) • Service credit if uptime/availability falls below commitment

• TIP: Ensure that SLAs are attached to the Agreement and not linked to a website

11

Warranties (specific to technology agreement)

• Software’s conformance or operation in accordance with documentation (e.g., written instructions on how to operate/use software)

• Support services performed in professional/workmanlike manner and in accordance with Service Level Agreement

• Software does not contain bugs, viruses, Trojan horses, etc.

• If 3rd party software incorporated into underlying software, software vendor has necessary rights/licenses to allow you to use such 3rd party software

• Software does not infringe or misappropriate a 3rd party’s IP rights

12

Warranty Remedies and Exclusions

• What are the remedies in the event there is a breach of the warranty? • Modify, replace or terminate/refund fees

• Are there acceptable exclusions? • Modifications, combinations or use of Software in violation of agreement

13

Data Rights/Use

• Is agreement clear that you (healthcare entity) own all of your data? • Derived, aggregate, resultant and usage/metadata

• Is there an express license from you to vendor with respect to your data

that indicates how it can be used/processed? • Limited to provision of services • Other use cases (e.g., de-identify for vendor’s own purposes)

• How is your data returned to you?

• TIP: Ensure you don’t pay to get it back

14

Data Rights/Use: Common Terms

• Ownership of Data: • “As between Customer and software vendor, Customer is, and shall be, the sole and

exclusive owner of all right, title and interest in and to Customer Data, including all intellectual property rights therein.

• License to Data: • “Customer grants to software vendor a limited, royalty-free, non-exclusive, non-

transferrable and non-sublicensable license to process Customer Data to the extent necessary to provide the Services for Customer’s benefit. All other rights in and to the Customer Data are expressly reserved by Customer.”

• TIP: Look out for “”Notwithstanding the foregoing…”, or “; provided, however,…” They usually trigger terms regarding data de-identification, aggregation and secondary uses of your data.

15

Data Security

• What are software vendor’s express commitments to safeguard your data, including your patients’ data (e.g., PHI)? • Administrative, technical and physical safeguards

• Only process/host your data in the U.S. (exceptions may apply)

• Provide 3rd party assessment reports on security controls (e.g., SOC reports)

• Backup and disaster recovery

• Ensure BAA if patient data processed, accessed, transmitted or stored

• Does software vendor have access to your IT networks/systems? • Ensure your IT/Information security departments know and assess

• Ensure agreement includes obligations/restrictions on software vendor’s access

16

Data Security: Common Terms

• Vendor security program • “Software vendor will maintain and enforce an information security program

including security measures (including physical, technical and organizational security policies, procedures and safeguards) with respect to its processing of Customer Data that comply with, at minimum, industry best practices and applicable law.”

• Access to healthcare provider’s systems

• “To the extent software vendor is given or otherwise obtains access to any computer programs, systems or software owned, operated or licensed by Customer, software vendor shall not (a) derive or attempt to derive the source code, source files or structure of all or any portion of such programs or software by reverse engineering, disassembly, decompilation or any other means; (b) copy, translate, port, modify, or make derivative works based on such programs or software or any portion thereof; or (c) damage or disable any such programs, systems or software.”

17

HIPAA in HIT

• Cloud computing guidance

• BAAs

• E-mailing and texting

• Patient right to access to ePHI

• Encryption

18

Indemnification

• What should the software vendor’s indemnity obligations look like?

• Should the healthcare provider have indemnity obligations to the software vendor?

19

Indemnification: Look/feel in HIT Agreement

• Indemnification from software vendors (generally): • IP infringement (patent, trademark, copyright and trade secrets)

• Breach of confidentiality and data/privacy obligations

• Gross negligence/willful misconduct

• IP indemnity exclusions • Modification, combinations, unauthorized use, etc.

• Infringement mitigation • Procure right to use Software, modify/replace or terminate Agreement and

refund all fees

20

Indemnification: Healthcare provider

• Limited indemnification by health care provider:

• Gross negligence/willful misconduct

• Customer data used by software vendor (for purposes of and in compliance with Agreement) infringes a 3rd party’s privacy rights

21

Limitation of Liability: “The Last Set of Issues”

• What damages/liabilities can/should be disclaimed?

• Typical language with regards to limitation on indirect/consequential damages • “IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY UNDER

THIS AGREEMENT UNDER ANY LEGAL OR EQUITABLE THEORY, INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, AND OTHERWISE, FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED, OR PUNITIVE DAMAGES.”

TIP: Make sure limitation is mutual.

Limitation of Liability: Monetary/Aggregate Cap

• What is an acceptable monetary/aggregate cap?

• 12-months’ fees paid?

• Multipliers on fees paid?

23

Limitation of Liability: Exclusions

• Should there be exclusions, if so, what obligations or damages should be excluded?

• Should exclusions apply to indirect/consequential damages and direct damages?

• Typical exclusions (carve-outs): • Indemnification • Breach of confidentiality • Breach of security (and resulting costs of unauthorized use, disclosure, transmission

or destruction of data) • Gross negligence and/or willful misconduct

• Secondary (or “super caps”) on data breach damages (to be discussed)

24

Cyber Risk Insurance

• The average total cost of a data breach in the healthcare industry was $6.45 million, or 65 percent higher than the average total cost of a data breach.

• How much is enough? ($1M, $5M, $10+)

• What are the policy limits/exclusions?

25

Transition to New Provider

• Ensure continuity of service.

• Negotiate a transition support plan in the beginning.

• Does data need to be converted? Who will convert/at what cost?

26

Top Challenges

• Offshore subcontractors • Location • Level of access to data (stored locally or

mere access) • Regulatory restrictions

• Acceptance Criteria • Acceptance process before “Go Live”. • time frames for

testing/rejecting/responding. • Suspension of services

• Mission critical • Notice and right to cure prior to

suspension • Limited to certain accounts • Blocking or preventing access to data

• De-identification of PHI • Compliant with HIPAA • For provision of services and/or

commercial purposes

• Negotiating liability caps on data/PHI breaches • How much is enough?

27

HIT Trending Topics

• Artificial Intelligence (A.I.) or machine learning • Mayo/Google partnership

• Wearable technologies • Send real-time data to physician

• HIPAA applicability

• Online terms and conditions/portals • Can/should you negotiate

• Implanted medical devices • Vulnerability to hackers

28

Questions?

29

Thank You

Ryan D. Portwood Kutak Rock LLP

ryan.portwood@kutakrock.com