
EHR Certification Value (or lack thereof)

Posted on September 21, 2012 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It seems like this question comes up every couple months about the value of EHR certification. A reader of EMR and HIPAA, QA, recently offered the following comment about EHR certification.

The issue is less that the certification bodies are unscrupulous and more that the certification criteria themselves are a joke.

If one thinks that certification denotes that a system is safe, usable, reliable and will support the care delivery needs of any particular healthcare organization, then one will be quite disappointed.

If one thinks that certification denotes that a company offering a system has certain financial stability, legal liability coverage or quality management systems in place, one will be similarly disappointed.

ONC has no interest in rigorous certification. Only higher attestation numbers.

I think this comment hits the nail on the head. I won’t say that EHR certification provides no value, but let’s not do what far too many people are doing and misconstrue the value EHR certification offers. I echo QA’s comments that EHR certification does not certify:

  • EHR Safety
  • EHR Usability
  • EHR Reliability
  • EHR Financial Stability
  • EHR Liability Coverage
  • EHR Quality Management

Let’s not make EHR certification into more than what it delivers. I think most people have gotten this message, but a few are still lingering in the shadows.

Lawsuits Will Eventually Drive EHR Adoption?

Posted on August 2, 2012 | Written By John Lynn

In the recent #HITsm chat, tireless patient advocate Sherry Reynolds offered this intriguing tweet:

The first question I’d ask based on this tweet is when will EHR become the “standard of care”? I’m sure that some could argue that it is now, based on the $36 billion in EHR incentive money that the government is spending. However, even the most optimistic EHR adoption numbers are at 50% and I’d put it closer to 30% with ambulatory EHR dragging that number down. With that said, what would it take to have EHR as the standard of care that a doctor provides? I’m not a lawyer, but I know a number of healthcare lawyers read this blog. I hope that some of them will chime in with their thoughts.

Sherry’s last comment about not having the lab results points more towards the exchange of healthcare data being the real issue a doctor could face. Not only would this be a potential lawsuit issue for doctors, but at some point enough patients will ask this question as well. I’m sure most doctors aren’t worried since we’re pretty far from that tipping point.

I do think that doctors are quite attuned to liability, and it can be a very big motivating factor for them. I think the same will happen with insecure text messaging in healthcare. After the first couple of lawsuits against a doctor for sending PHI over text, we’ll see widespread adoption of secure text platforms.

While I can see some of the realities that Sherry tweeted about, a part of me really hates to think that fear of lawsuits would end up being the driving force behind EHR adoption.

Covering Your Practice When Using a Hosted EHR

Posted on June 12, 2012 | Written By John Lynn

The following is a guest post by William O’Toole discussing a really misunderstood topic about clinic responsibility in a hosted EHR environment and how to protect your clinic. This ties in really well to Katherine’s previous post about Business Associates HIPAA Preparation.

Too many times people in EMR acquisition mode have made the assumption that hosted solutions automatically insulate the customer provider from liability for data breach or unauthorized disclosure of patient information, which is unsettling because it is simply not true. Health care providers are always responsible to patients for these unfortunate situations and nothing in HIPAA or the HITECH Act shifts that responsibility to the vendor of the hosted software solution. While HITECH does extend compliance requirements and potential penalties to vendors that provide services to providers involving patient information, this does not mean that the provider is not responsible to the patient.

All that gloom aside, it is completely possible to protect the provider organization through indemnification language in the software agreement with the vendor. In situations where the fault (violation of HIPAA) lies with the vendor that is hosting the software, and controlling and possessing patient data, if no indemnification provision exists, then any award for damages in a patient lawsuit would have to be paid by the provider without any contribution from the vendor. Think of the indemnification in that manner. It basically means that if there is a violation, and it is caused in part by the vendor, then the vendor will contribute to the payment of damages to the extent it was at fault.

An indemnification from a vendor Business Associate to a provider Covered Entity for any data breach or unauthorized disclosure of patients’ Protected Health Information (capitalized terms as defined under HIPAA) is critical in light of ARRA/HITECH and its impact on HIPAA. Briefly, ONC will be investigating, auditing, and penalizing both Covered Entities and Business Associates through powerful enforcement of HIPAA as mandated by the HITECH Act.

Providers should review all IT vendor contracts and Business Associate Agreements with those vendors. Ideally, for every vendor relationship with your hospital or practice, those two contracts should have matching language stating that the vendor will indemnify your organization for data breaches or unauthorized disclosures caused by the vendor. There are cases where the main customer/vendor agreement does not contain such language but the Business Associate Agreement does, which is still good. If absent from both, your organization is seriously exposed and you must consider the potential consequences and amend the agreements to include this type of protection whenever possible.

INDEMNIFICATION means a party to an agreement takes on financial responsibility for its actions and is legally obligated to pay damages to the other party. As you read a proposed contract, substitute “pay money to” in place of “indemnify”. It means the party will pay the damages resulting from its actions that would otherwise be paid by the other party if no indemnification existed. Look carefully at what indemnification(s) your organization is asked to provide, and what the other side is offering for indemnification. This comparison must be carefully considered before signing anything.

LIMITATION OF LIABILITY means the vendor is stating (often in ALL CAPS) what it is NOT responsible for. Typical exclusions are “special, incidental and consequential” damages. What this means is that while the vendor might take on responsibility for direct damages for something like product failure, which is often limited to the value of the contract, it purposely disclaims any responsibility for damages over and above the cost of the product. If consequential damages are disclaimed and excluded, the provider could only hope to receive a refund, which would exclude any additional costs like outside consulting trying to make the original product work for your organization, or the additional cost for a more expensive replacement product.

Important note: If you are able to obtain indemnification from a vendor as described above, you must also make sure that any limitation on consequential damages specifically and expressly excludes the indemnification provision. This means that the indemnification will cover both direct damages and then anything over and above that amount, which would be the consequential damages portion.

In summary, as a general statement, a hosting solution by itself does not provide legal protection for data breaches or unauthorized disclosures of patient information. That protection must be negotiated in your contract with the vendor in the form of an indemnification and it is very important.

This posting provides general contract information and is not intended as specific legal advice.

William O’Toole founded the O’Toole Law Group following twenty years as counsel for Medical Information Technology, Inc. (Meditech). His practice is concentrated in health care IT contract review and negotiation. He can be contacted directly at wfo@otoolelawgroup.com.

A Healthcare IT Twitter Roundup

Posted on November 28, 2010 | Written By John Lynn

It’s the weekend and I have this cool new Twitter plugin, so I decided it would be fun to do a Twitter roundup. I’ll post some of the tweets I find and add some short commentary. I’ll admit that I haven’t necessarily read all of the links, but I found the concepts interesting. As a side note, you can find me on @ehrandhit and @techguy (although this one has all sorts of tweets).


I’ve discussed the changing legal landscape in the EHR world. My personal feeling is that it’s a legal wash. There are likely more liabilities with EHR, but it also resolves some of the liabilities of a paper chart world. What do you think?


Mobile in healthcare is going to be a common theme going forward. I also love VoIP in many situations, but I’m still waiting to see the real breakthrough that makes VoIP the only solution. We’ll see.


I wonder how many responses he’s gotten. I think he’s in very good company as far as starting EMR projects. I’m just not sure how many are on Twitter and know of him. I figured I’d let others find him:-)


I know nothing about this glaucoma calculator or this person on Twitter. However, I think this is an example of the hundreds and even thousands of very specific niche applications that are going to hit the healthcare IT market.


Another EMR vendor to add to the 300+ EMR vendors. I wonder how often a new tweet is sent for a new EMR vendor. Anyone know anything about ElationEMR?

Speaking of new EMR vendors…


I’ve seen some financial statements for the EMR business model. There’s certainly a great investment opportunity available to those who are able to get a reasonable amount of EMR sales.