When a technology developer terminates its relationship with a hospital, medical group, or other healthcare organization, there are several issues it needs to manage. As a developer, your legal obligations are going to arise from three sources:
- HIPAA;
- The 21st Century Cures Act and its implementing obligations; and,
- Your contract(s), including and especially your Business Associate Agreement.
Depending on what kind of healthcare technology developer you are, you will potentially have to work through:
- What happens to protected health information (“PHI”) and the customer’s data;
- Managing the transition of any relevant services to avoid interrupting patient access to their records or care; and,
- Getting paid for any outstanding services.
First, a developer needs to return the customer’s data and destroy any copies of it. This obligation is a legal requirement of HIPAA but also usually commercially advantageous. Medical records belong to the customer, who maintains ongoing access rights to them. Patients have a right to access and amend these records. Business Associates have to support both of these rights should they continue to retain data. This represents an ongoing cost for somebody who is no longer paying you for your primary services. In addition, business associates are directly liable to HHS for certain HIPAA violations, including a failure to disclose a copy of PHI to the covered entity or a patient. Refusing to return PHI at the end of a commercial agreement would absolutely fall inside of that liability. In the event that the developer is a covered actor under the 21st Century Cures Act, such a practice would constitute information blocking and could lead to a fine of up to $1 million in addition to consequences under the ONC Health IT Certification Program. Finally, continuing to maintain the health records of potentially millions of individuals who are unrelated to your current customers will factor into your insurance. The more PHI you have, the more expensive your insurance will be.
Next, many developers perform mission-critical services for their customers, in addition to providing software and/or technology. Submitting insurance claims and managing their payment, clinical data exchange, and e-prescribing are common services for which the customer will try to maintain continuity. Running down insurance claims can take anywhere from ninety (90) days to a full year depending on the customer’s sophistication and payer mix. Be prepared to work with your customers, ideally at the time of contracting, on how much time they need to clean up their payer AR and how long they will need residual access to any other services in your platform. Not only is it good business, it will provide you with the only leverage you legally have to get fully paid by the customer at the end of the relationship without resorting to collections or legal action.
If the customer does not pay you, you cannot assert a lien on medical records. HIPAA and the 21st Century Cures Act mandate this outcome: if a customer wants their data, you have to give it to them because it is PHI. However, refusing to provide services is quite different. It is one thing to refuse to give back records. It is quite another to refuse to keep changing those records with your software, and another still to refuse to submit insurance claims on behalf of a customer who will not pay you. Those are actions that the providers, with possession of the records, can still take themselves. Nevertheless, this gives you a lot of leverage, because running down outstanding claims is critical to healthcare organizations’ cash flow.