For limitations on liability clauses, careful attention must be paid to not unduly, or unfairly, limit a telehealth software vendor’s liability. For example, many standard contracts are one-sided, with vendors carving out liability for incidental, consequential or punitive damages. Other standard clauses may limit liability to a dollar amount that is way too small to properly reflect responsibility or expectations under the agreement. There has to be a way to compromise and make sure that vendors not overly limit their liability to leave providers stranded when there is negligence by the vendor, or, say, a cyber or data leak that could cost millions of dollars in HIPAA fines and penalties for an unsuspecting healthcare provider.
Healthcare providers should consider reasonably revising these clauses to even the playing field when it comes to telehealth liability issues. Reasonable carve outs to these sections are, therefore, warranted.
For indemnification provisions, similar carve outs should be negotiated to allow providers to be indemnified for certain acts or omissions of a vendor. These negotiations will vary on the telehealth product offered, and the scope of services, as well as the provider size and capabilities. Again, carve outs that allow the indemnification to apply and work in conjunction with the limitation of liability provisions should be negotiated carefully.
As for data security, everyone knows that with all the mountains of data utilized in a telehealth platform, comes all that much more responsibility to protect that healthcare data. As such, special attention should be paid to cybersecurity issues: what limits are placed on liability for a data breach, how much liability should be footed by the vendor, and what is the process for mitigating/fixing a HIPAA breach that may occur or worse yet, a hacking or cybercriminal event?
Asking these questions will also allow the provider to understand, and allow them to tout, the vendor ’s experience and readiness to combat hacking incidents, giving both parties comfort in the contracting process. Lastly, don’t forget to ask about cyber liability insurance and whether its adequate to protect both parties in the event of a breach.
Finally, when negotiating these agreements, many providers and vendors focus most of their attention on the terms and conditions, rather than a Scope of Work document that may be attached as an exhibit. This is a mistake. To the contrary, providers and their counsel should pay close attention to the Scope of Work, and negotiate that vigorously to meet important expectations on timelines, modalities, implementation, support, maintenance, and problem solving techniques of the telehealth vendor. Often we see providers that fail to focus on the “service levels” referenced or buried in the Scope of Work, which could require an inordinately small or unreasonable amount of “uptime” for a platform, when the provider would want or expect telehealth service uptime levels to be closer to 100%. Paying close attention to the Scope of Work is just as important as the basic underlying contract itself.
Similarly, vendors also need to pay close attention to these provisions when contracting on their side. The proliferation of telehealth is a two-way street. Making sure the vendor is protected can be just as important as making sure the provider is protected. With reasonable negotiation, the parties can strike an agreement that will not only solidify the relationship between the parties, but also allow the service to flourish.
Neville M. Bilimoria is a partner in the health law practice group, in the Chicago office of Duane Morris.
Reprinted with permission of Chicago Lawyer.
Neville M. Bilimoria
+1 312 499 6758
NMBilimoria@duanemorris.com