June 9th, 2015

I find your posts educational, informative, helpful and high impact for those of us practicing in today's environment. 
I was hoping you could comment on the legal ramifications of using a new EMR that has recently been gaining momentum. I am referring to Practice Fusion, which touts itself as free and is based on delivering content-based advertisements (like Google or Gmail) as well as selling deidentified patient data to third parties conducting research (unclear who these groups are). What happens when PHI inadvertently gets sold to a third party? Am I responsible? What if it's a Medicare pt? 
On the face of it, Practice Fusion seems like a very reasonable system for me; I just don't want to get burned legally. 

Dr. C


Whew, loaded question and a great one!  Let me start by saying I have not researched Practice Fusion and I am not going to address the many avenues of potential exposure and compliance required for EMR systems, but limit this answer to the specifics here - can the Client get in trouble where the software provider is not HIPAA compliant?  Especially where the Client knows or has reason to know the software provider intends to utilize PHI for marketing purposes, even if "de-identified".  

This is exactly why you are required to enter into a business associate agreement - limiting the EMR software provider's right to utilize PHI transmitted through their software (incidental to their "services"), so that it is clear who is responsible for maintaining what.  In this case, the EMR software provider is responsible for maintaining, without breach, the practice's protected health information.  I recommend engaging with this EMR software vendor only if the EMR vendor agrees to limit its use of any PHI to the minimum necessary needed for the EMR to perform its function (legal requirement), and for the EMR vendor to take complete responsibility (meaning financial responsibility) for any breach or failure to maintain properly.  You do this by contract.  Your business associate agreement should be airtight, assigning responsibility and clearly defining who is responsible for paying upon breach.  The latter concept, who pays for breach, would be cleared up in the indemnification paragraph in the BAA, which not all BAAs have.  The recommended statutory form that is free on the OCR website, for instance, lacks an indemnification provision, and therefore is inadequate to protect you properly.  

When engaging with a third party that has access to your PHI and discloses that it intends to utilize your PHI for a non-necessary reason, be sure to have a proper BAA in place. Further, you may wish to think twice about taking the risk, because at the end of the day you are the responsible "covered entity" as defined by HIPAA (view our HIPAA webinars on our site for a primer), and also, an indemnification provision may shift liability, but you do not want to be stuck enforcing....

Have a question or comment for Jennifer?
Contact Jennifer at Jennifer@Kirschenbaumesq.com or at (516) 747-6700 x. 302.