Your CIO calls to tell you that the IT group has been working with a vendor to purchase and implement a new software system that will handle an important business function of your health system. The board must approve the agreement before the end of the calendar quarter, which occurs in three days, or the special pricing the vendor has offered will no longer be available. Not only do you need to review the agreement quickly, but you also need to be able to provide a risk assessment for the board.

THE FOLLOWING QUESTIONS CAN BE USED TO ASSIST YOU.

  1. Is your definition of licensee and license grant broad enough to cover your intended use in your health system? Not only will you look for a perpetual license grant without server, CPU or geographic restrictions, the software license should specify what parties and entities are authorized to use the software (e.g., affiliates) and cover all of the health system’s intended users, including physicians, nurses, medical staff, consultants and patients. Also, pricing for the license should take into consideration what happens with new affiliates or divestitures.
  2. Does the software implementation include a detailed implementation plan and are the bulk of the fees paid once the implementation is completed? Every software implementation should follow the vendor’s stated methodology and contain a detailed implementation plan, including a test plan with performance criteria for each party and a milestone schedule with time periods for delivery of deliverables; if no such plan exists at signing, the agreement should require the vendor to produce one by a certain date, subject to the client’s review and acceptance before commencement of the project. The client should make payments based upon the milestone schedule, with the greater percentage due at the end of the project after the software has been accepted.
  3. Does payment for maintenance and support begin only after the software has been accepted and tested in a production environment?
  4. Has the vendor provided a warranty on the performance of the software and are the remedies for failure to meet the warranty adequate? While many vendors will not provide clients with a warranty that an entire system (i.e., hardware, software, interfaces, data conversions) will perform, a vendor will provide a warranty that the software itself will function in all material respects with any provided product documentation. A client should avoid the statement that the sole remedy for a breach of this warranty is that the vendor should repair or replace the software, but give itself the right to all remedies under the law. Other warranties to request are that the vendor will follow its stated methodology for implementing the system, the vendor has the right to license the software, the software does not contain any viruses or disabling code ("malicious code") and the vendor will follow any client rules when accessing the client’s system.
  5. Is the vendor’s initial maintenance services period an adequate period of time to ensure that the client will receive the support that it needs based upon the amount that it has invested in the software? Any annual increases in payment for maintenance services should also be addressed.
  6. Are maintenance response times for critical issues appropriate, and if an issue is not resolved at one level, is it quickly escalated to the next level within the vendor’s organization?
  7. Is the vendor providing updates to the software so that, where required, it is compliant with HIPAA?
  8. Does the vendor reserve the right to withhold support for any version of the software that is more than a few versions behind, such that the client may find that it must either pay for a new release or lose support for the software that it originally licensed?
  9. Does the agreement include indemnification obligations on the part of the vendor for IP infringement, personal injury and property damage, breach of warranty for malicious code and third-party claims arising from failure to comply with HIPAA?
  10. Is the limitation on the amount of damages and the type of damages (i.e., no consequential, incidental, special damages) mutual, and are there exceptions (i.e., fraud, gross negligence or willful misconduct, breach of confidentiality [including misuse of PHI by vendor], breach of warranty for no malicious code and indemnification obligations) to address areas where limits may not be appropriate?
  11. Does the business associate agreement provide adequate assurance that the vendor will safeguard PHI?
  12. Is there a provision stating that the vendor’s employees or agents are not sanctioned persons under any federal or state program or law?
  13. Is there a provision where the vendor agrees to make available its books, documents or records in order to comply with Section 1861(v)(I)(1) of the Social Security Act?
  14. Does the agreement provide access to source code if maintenance services are not being performed? Also, upon an escrow release, does the client have the right to hire third-party consultants to assist it with this work?
  15. Does the agreement include a provision that the vendor will cooperate with transition to a new vendor when requested?

Of course, the above list does not address all of the issues that one should consider, but it should provide a good place to start in assessing your risk.

John M. Neclerio is a partner in the Corporate Practice Group and Intellectual Property Practice Group of Duane Morris LLP

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, one of the 100 largest law firms in the world, is a full-service firm of more than 650 lawyers. In addition to legal services, Duane Morris has independent affiliates employing approximately 100 professionals engaged in other disciplines. With offices in major markets in the United States and internationally, Duane Morris represents clients across the U.S. and around the world.