SCGhealth Blog

Is Your EHR Causing Legal and Financial Headaches? Don’t Expect Your Vendor to Bail You Out

Wednesday, March 14, 2018

By Marla Durben Hirsch

In the market for an electronic medical records (EMR) upgrade or even a new system? Be forewarned: EMR vendor contracts are more onerous than ever, with vendors limiting their liability if their software causes users problems - conveniently just as several problems are coming to light. 

EMRs have been maligned for their usability and functionality problems for years. But in recent months bigger issues have been surfacing. 

For instance, it has been discovered that some systems default to particular billing functions when they shouldn’t, causing providers to bill improperly. The bills are now being denied and the providers are being required to return the ensuing overpayments, according to attorney Robert Markette, with Hall, Render, Killian, Heath & Lyman in Indianapolis.

Other snafus have garnered more media attention. eClinicalWorks paid $155 million several months ago to settle claims that it misrepresented the capabilities of its software and falsely obtained certification in the EMR Meaningful Use incentive program. Allscripts was hit by a ransomware attack in January, causing 1,500 providers to suffer service outages, some lasting a week. 

“It’s especially bad when their software screws up,” says Markette.

Physician practices have filed class action lawsuits against both vendors for their respective transgressions. 

However, these lawsuits may not do much good, since the vendor contracts the practices signed could leave the practices with little recourse if something goes wrong, according to attorney Elizabeth Litten, with the law firm of Fox Rothschild in Princeton, New Jersey. 

“You may be on the hook for their failures,” warns Litten.

Just a quick search on the Internet bears this out. Here is a paragraph from a form contract between Yale New Haven Health Services Corporation and its hospitals with a physician practice that enables the practice to access Yale’s Epic Systems EMR: 

“Limitation on Liability. Neither YNHHSC nor Hospital shall have any liability for any damages whatsoever (including loss of profits or loss of goodwill) resulting from, arising out of or in connection with the use or inability to use or the performance or non-performance of the EMR System or any items or services provided under or in connection with such EMR System or this Agreement or the Practice Equipment, even if it has been advised of the possibility of such damages or should have known of the possibility of such damages, and whether such liability is based on contract, tort, negligence, strict liability, products liability or otherwise. Practice agrees that YNHHSC’s and Hospital’s aggregate liability for damages arising under this agreement, regardless of the form of action and irrespective of fault or negligence, shall in no event exceed an amount equal to the aggregate Practice Payments made by Practice under this Agreement during the immediately preceding 12-month period. The limitations of liability and disclaimers of warranty stated in this Agreement form an essential basis of the bargain between the parties.”

In essence, the most the practice can obtain, according to the contract, is what it paid for the privilege of access in the past year.

“This will be a frequently debated issue,” says attorney Michael Kline, also with Fox Rothschild. 

Know where you stand

Practices may not have a lot of negotiation leverage regarding their EMRs, but some contracts are fairer than others, so if you’re in the market, shop around. If you find a system you like but the contract is onerous, it can’t hurt to try to negotiate better terms.

At the very least, read the fine print of any new, existing or renewal contract and know what the vendor is willing to be on the hook for should its software adversely affect you. You probably won’t be made whole but at least you won’t be blindsided.

We Fired Amazon's Alexa

Wednesday, February 21, 2018

By Clay Dubberly, Intern 

Amazon’s Alexa is being criticized by the healthcare industry, not because of a design error, but because of its passive listening ability. This function led Jennifer Searfoss, CEO of SCG Health, to ban Alexa from its premises.

Alexa is an “intelligent personal assistant” capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and offering other real-time information.

Alexa works by listening for its wake word (its name), which prepares it to analyze a command. It then listens and responds to everything that it hears afterward. You can ask it questions about the weather, converting measurements, or even for help shopping. It can even be used as an intercom.

In a medical environment, it can be used to help physicians take notes, remotely monitor patients, or allow them to ask health-related questions.

Passive listening and hacking: The Downsides to Alexa

The problem is that Alexa is listening to its surroundings at all times. This means that 24/7, she can be picking up personal information, which is sent back to Amazon or a potential hacker.

“There’s too much risk to be hacked,” Jen Searfoss says. “SCG Health used to have the device in its building,” but “We kicked Alexa out of our office after considering the vulnerabilities of the passive listening technology.”

There isn’t just a “possibility” of being hacked; it’s a reality. There are already several documented instances of Alexa being compromised. One way is through a “Dolphin Attack,” which is when it picks up frequencies which humans are unable to hear.

In this type of attack, hackers increase the frequency of a voice command to over 20,000 Hz and can play it through another phone’s speaker. While humans can’t hear this, smartphones will pick it up. Another concern for users is that a device that’s been compromised looks no different from one that hasn’t been compromised.

After picking up the frequencies, Alexa can carry out the command without the user’s permission. All that’s needed to do this is a battery, a smartphone, an ultrasonic transducer and an amplifier. All of this is readily sold online for a low price.

After a successful attempt, invaders can open your garage door (granted the right technology is installed) or make calls.

Another way Alexa can be hacked involves pre-installing software onto the device which transforms it into a wiretap that records any sound picked up onto a computer at another location.

Forbes successfully tested this out. One of the disadvantages (to the hacker) is that it takes several hours of installation on the hacker’s part, but this still poses a threat to anyone that buys Alexa from a secondhand source.

In one of those less-concerning instances when hacking is used for something good (or at least something funny), Alexa was hacked into a Big Mouth Billy Bass -- one of those wall-mounted fish that sings songs like “Don’t Worry Be Happy” or “Take Me To The River.”

Alexa isn’t HIPAA compliant. Here is how Amazon plans to fix it.

Another big concern for Amazon’s Alexa (as if being hacked wasn’t big enough) is that it’s not HIPAA compliant. As such, its use in healthcare is extremely limited.

The idea of having a device which could be recording patient data presents a clear threat: “It’s collecting info that has PII,” Ms. Searfoss says.

To help Alexa reach HIPAA compliance guidelines, Amazon recently hired a HIPAA Compliance Agent to help them reach legal requirements, including Business Associate Agreements (BAA), federal and state laws, and standards and regulations. The Compliance Agent is expected to help ensure that “technology and business processes meet [Amazon’s] HIPAA BAA requirements, as well as all applicable federal and state laws, regulations and standards.”

Some healthcare organizations have begun testing the device’s capabilities despite the risk. WebMD, for example, allowed Alexa to deliver its web content to users at their own homes. The Beth Israel Deaconess Medical Center (BIDMC) ran a successful pilot study in an inpatient setting (without actual patient data). It eventually plans to use it in a clinical setting, but not until Amazon signs a BAA.

Boston Children’s Hospital (BCH) also experimented with using Alexa to give info to its clinical staff, but because it didn’t have a BAA, only non-identifiable health information was used. BCH also created an Alexa skill called KidsMD, which allows users to ask for advice when their kids have a fever.

SCG Health will continue to stand strong and enforce its ban on Alexa -- at least until Amazon approves a business associate agreement.

Winter Liabilities: It’s Not Too Late to Keep Yourselves and Your Customers Safe

Monday, February 19, 2018

By Audrey Landers

On February 2nd, the famed meteorologist Punxsutawney Phil declared that we would be having a long winter. After seeing the snow and freezing rain that has struck our office since then, we certainly believe him. 

With winter weather comes ice and with ice come falls, slips and all kinds of accidents. Our clients tell us stories all the time! Several years ago a delivery man slipped on the ice in front of a two-story medical center and slid under his truck! The poor guy was stuck on the freezing ground for nearly an hour before someone on the second story saw his arm waving from underneath the vehicle. This same story played out again this year, when our own CEO Jen Searfoss heard a woman crying for help as she was walking into a store. The woman had fallen on the icy parking lot and, just like the delivery man, slid under her car.

The idea that a patient could hurt themselves on your property may seem like bad luck. But beyond their injury, there is another issue: liability. 

It is all too common for businesses to focus only on employee liability, completely ignoring the risks seen by customers and delivery people. While many businesses do well with day-to-day liability prevention, for some reason that all tends to go out the window when winter hits. This is even more true for lesser-prepared businesses located in the south. 

You can help decrease your liability in these dangerous conditions by making sure you keep your property safe, and by clearly marking anything that may be a danger. As the winter season continues and snow continues to melt and refreeze, here are a few things you can do to make sure you have done your due diligence in maintaining the safety of your property:

  • Spread salt in the parking lot
  • Keep walkways shoveled and clear of snow
  • Place cones around the most dangerous areas of icy parking lots to redirect traffic
  • Place “drive slow” and “slippery” signs outside
  • Place “wet floor” signs inside
  • Place mats or carpet tiles at the entrance to allow patients, customers and employees to dry their shoes
  • Remain aware of the conditions so you can take additional action as necessary

While some of these may seem like a lot of work, it’s less work than fighting a lawsuit from a patient, third party or staff. It is better to overprepare than to be caught unprepared.


SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.