A Lawyer’s Perspective on EHR Vendors Holding EHR Data Hostage

The following is a guest blog post by Bill O’Toole, the founder of O’Toole Law Group.
The recent post, EHR Data Hostage Wouldn’t Exist if EHR Were Truly Interoperable, on EMR & HIPAA got me thinking, and I wanted to offer a few observations from my experience as an HIT lawyer.

The goal is wonderful. However, it would take years and years to achieve such a goal. Data extraction and subsequent import take time, sometimes lots of it. What if there were a standardized specification to which vendors could design extraction tools and programs? Follow that with a contractual commitment that the vendor adheres to those specifications. We did it with HL-7, why not data transport?

Thankfully, I have not yet represented a vendor that withheld data solely due to the departure of a customer. I have, however, been involved in very tough situations where the vendor treads a fine line in not releasing data until customers fulfill their obligations (such as paying for use of the software). I like to believe that there is more to the story in the vast majority of data hostage disputes, and in my experience, this has always been the case.

The emergence of the hosted subscription model has resulted in a control shift to the vendor, as opposed to the on-premises model where the customer is in control and a vendor can be shut out. That said, vendor assistance is usually required to extract data.

“HIPAA vs. vendor rights” is a very hot topic for me. Providers must provide patient data on request. Vendors have a right to be paid. The contractual right of a vendor to suspend customer access to a hosted EHR butts head-on against HIPAA. I have discussed this with ONC and while the problem is recognized, there is no solution at the present time.

Bill O’Toole is the founder of O’Toole Law Group of Duxbury, MA. You may contact him at wfo@otoolelawgroup.com


1 Comment

  • The problem is a lot less complicated than the customers/vendors make it.

    Firstly, no problem in the hosted subscription model with a digital equivalent of a “mechanic’s lien”.

    If fees/service payments etc. are up to date, then surely the data needs to go to the vendor who really is nothing more than the custodian of the data, ultimately owned by the patient.

    My view on “. . . a standardized specification to which vendors could design extraction tools and programs” is we don’t need it.

    There are generic data exchangers that allow any publisher to export whatever data the publisher is willing to selectively share to any number of subscribers.

    The publisher puts out data using publisher data element naming conventions, subscribers read data using individual subscriber data element naming conventions. I call something “abc”, you like to read that as “def” and a 2nd subscriber wants to see “ghi”.

    Publishers do have to provide “long names” so that subscribers can know what they are trying to subscribe to.

    The only hurdles are that publishers have to be able to export data in some reasonable data transport format to get to the e-hub, and subscribers need to indicate what format they need for getting data out of the e-hub, transporting and parsing/importing to their systems.

    Formatters and parsers are easy to write – the owners of e-hubs reach a stage where requests for new formatters/parsers are few and far between.

    If they really get fed up, they can write a “sniffer” that looks at a few transactions for a new format and auto-generates a parser.
