Reviewing vendor contracts can be a tedious and time-consuming process for healthcare provider organizations. Taking the time to decipher complex, small-print legalese in a contract can seem like a thankless job without much benefit. However, signing an unfavorable vendor contract can put a provider organization at significant risk of potential liability. Below are a few key terms in vendor contracts that should be reviewed before a signature is provided. Please note that this list does not include all of the important terms in a vendor contract, but it can be used as a starting point for contract review.
TERM AND TERMINATION
When reviewing a vendor contract, the first questions to ask are: (1) what is the term of the contract, and (2) how can it be terminated? Many contracts include terms that span multiple years and only allow a provider organization to terminate the contract upon the vendor’s breach of the contract or prior to the renewal of a contract’s term.
Indemnification refers to the responsibility of a party to a contract (known as the “indemnifying party”) to compensate the other contracted party for damages, including losses, attorneys’ fees, and other costs, caused by the indemnifying party. For example, if a vendor causes a breach of a provider organization’s confidential information, a vendor contract should require the vendor to compensate the organization for any damages related to the breach. Indemnification provisions can be very complicated, so it is important to review them closely to ensure that they are broad enough to cover the most likely damages that the organization could sustain from the acts or omissions of the vendor. Especially in contracts between healthcare providers, great care should be taken to ascertain whether one of the contracting providers is obligated to pay damages and costs in situations involving alleged malpractice.
LIMITATION OF LIABILITY
A provider organization’s negotiation of a strong indemnification provision means very little if the contract has an extensive “limitation of liability” clause that limits the potential liability of the vendor to the organization. For example, many vendors attempt to limit their total liability under a contract to the fees paid by the provider organization within the twelve-month period preceding the incident giving rise to the claim. Depending on the amount of fees payable under the contract, this type of language can pose significant risks to the organization if the vendor engages in conduct that causes the organization to incur damages.
A warranty is a guarantee that the services performed by the vendor will meet certain conditions. Vendors commonly try to disclaim all warranties, but depending on the scope of services, provider organizations should push for the vendor to warrant that its services will be performed in accordance with certain standards, including that the vendor will perform the services: (1) in a “workmanlike manner,” (2) in a manner consistent with industry standards and applicable law, and (3) in accordance with the terms of the contract and any documentation provided to the organization by the vendor. Additional warranties that are important in the context of information-technology services include warranties that the services will not infringe on the intellectual property rights of other third parties and that any software provided by the vendor will be free from viruses and other malware.
GOVERNING LAW AND VENUE
If the vendor fails to perform under the contract, the provider organization needs to have an efficient way to obtain relief from a court or an arbitrator. For example, in Washington State a provider organization should push for contractual language requiring the governing law and venue for any dispute to be Washington State. It is common for out-of-state vendors to propose their home state as the governing law and venue, but a provider organization’s obligation to bring a claim in a venue located outside of Washington State can significantly increase litigation costs and time spent in the venue litigating the matter.
When reviewing a proposed contract with a vendor, it is critical that provider organizations understand the requirements of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires that “covered entities,” including certain healthcare providers, enter into a special type of contract known as a “Business Associate Agreement” if they engage a vendor to provide a service requiring the use or disclosure of protected health information, as defined in HIPAA. For example, a provider organization likely needs to enter into a Business Associate Agreement with a vendor who performs medical-billing services.
To reduce potential risks, Business Associate Agreements should be reviewed to ensure that they contain strong privacy and security obligations by the vendor. The Business Associate Agreement should include the ability for the provider organization to terminate the Business Associate Agreement upon the vendor’s breach of the Agreement, notification obligations on the vendor where there has been an incident involving a possible breach of security or privacy, and requirements for the return or destruction of healthcare information after the underlying contract terminates.
Reviewing vendor contracts is not anyone’s idea of a good time. However, taking a moment to read the contractual language and propose necessary modifications can help to reduce the risk of significant future liability for provider organizations.