E-News Exclusive

Understanding PACS Agreements — Key Points Health Care Providers Need to Consider

By Deeksha Shukla

A PACS environment consists of varied technologies, integrations, and workflows. Throughout the health care sector, PACS can represent different things for different parties. It may be a “product” for a lawyer, “technology” for the PACS provider, software in the radiology machine for the health care facility, and a facilitator for an image or report for a patient.

With multiple parties involved and the vulnerabilities attached to the broad threat landscape, it is crucial for the potential parties to consider assorted legal, technological, and commercial aspects including safeguards built into their agreements—for both PACS vendors and health care facilities. Health care organizations planning a shift from an on-premises hosted application to a cloud-based software-as-a-service offering as part of a future-proofing initiative should be mindful of a fundamental fact: Conventional clauses should be replaced, and new items must be considered.

Let’s get started on examining what you need to know when evaluating a PACS agreement: 

1. Compliance and Regulatory Requirements 

More than a year ago, the FDA changed the classification of PACS, and software functions in the PACS for storage and display of medical images no longer fell within the definition of a “device” under section 520(o)(1)(D) of the Federal Food, Drug, and Cosmetic Act, with the exception of specific software functions for complex image processing, including those for image manipulation, enhancement, or quantification. The title of the classification changed from “Picture Archiving and Communications Systems” to “Medical Image Management and Processing System.” The industry needs to understand such changes by regulatory authorities to identify products and their required registrations for different jurisdictions.

What does this mean? Any distinctive certification or compliance requirement, such as MDSAP, ISO 13485, SOC, GDPR, HIPAA, and PCI, should be spelled out as an annual requirement in the vendor agreement. Though they may not be mandatory, these endorsements do serve to verify the PACS vendor’s commitment.

It’s also important to note that any third-party suppliers or integration partners engaged by the PACS vendor should be required to comply. The agreement must clearly cite the scope of work, access to protected health information, impact of their performance on service level availability, etc. This is especially required for white-labeled software integrations. Currently, many in the industry are not attentive to the privacy- and security-related clauses, despite engaging in PACS reseller agreements and cloud agreements.

Lastly, keep in mind these essential considerations:

  • Who is hosting the data?
  • Where is it being hosted?
  • Who can access customer data?
  • Are data being used/retained?

All of the above may depend on geography and the applicable laws.

2. Warranty, Indemnity, Availability

A limited warranty on a PACS is similar to a warranty on any other product, equal to the fee paid by customers. This is fair for PACS vendors. As an additional remedy, health care providers can ask for insurance covering errors and omissions or indemnity for infringement of intellectual property rights. These terms are often complicated and should be plainly defined within the agreement.

Additionally, PACS vendors should indicate clearly that their product is only software and, although it helps with diagnosis and eventual treatment, it does not provide any medical advice. It is for this reason that PACS vendors cannot be sued for the output that is generated from the software.

Furthermore, the vendor’s commitment to service availability levels needs to be taken seriously, as service levels have financial implications and consequences, apart from other risks. Service availability or uptime is the amount of time that the software is available for clinical use. Service availability of 99.9% means that the software will not be available for use for eight hours, 45 minutes, and 56 seconds in a year; even 99.99% means 52 minutes and 35 seconds of annual downtime. Downtime of the software is lost time for the radiology department, along with other departments that depend on radiology.

While PACS vendors have made significant improvements in their service commitments and assurances, downtime can sometimes be unplanned and unexpected. Based on risk assessment, mitigation measures must be adopted. Lack of planning puts the organization at risk of not only financial but also reputational loss, not to mention potential litigation for unliquidated damages. 

3. Migration of Data 

Whether a new vendor is engaged or a health care facility is switching between hosting platforms, the cost and medium of data storage should form a part of your agreement. As with onboarding a PACS vendor, the cost of termination (which includes data migration) should also be considered and documented within the agreement. In addition, PACS vendors should outline the number of days after which they would not be obligated to retain or host data due to cost-effectiveness considerations.

4. Loss of Data — To Budget or Not to Budget? 

A PACS failure and subsequent loss of images constitutes more than a breach of contract and requires a well-defined strategy. It’s costly and impractical to redo patient studies. Depending on the risk appetite of the facility, risks would be accepted, transferred, or mitigated. Provisions for data backup, staff training, and business continuity planning should be documented. Therefore, setting aside a budget for your PACS infrastructure can be an excellent safeguard.

There are several cases in various jurisdictions where patients and/or their families sued the health care facility for medical negligence/malpractice; however, lost data could not be retrieved for the defense of the case. In several judgments, courts have held that lost data are not only a loss of evidence in the case but also a violation of the country/state statutes covering retention of medical records and radiographs that have essentially been drafted for the benefit of this industry. In the face of ongoing advancements in technology, PACS vendors have solutions available, and this must be addressed in your agreement.

5. Choosing the Right PACS Solution

Technology has evolved significantly, creating a dynamic arena for software developers. Existing health care IT solutions are designed to improve overall workflow efficiency, seamlessly integrate with other systems, and advance automation. In recent years, however, innovative cloud-native VNA platforms, alongside intuitive patient portals and “future-proofing” technologies, have enabled organizations to securely transcend typical operational silos towards smooth interoperability and superlative enterprise imaging, resulting in optimized patient care.

In my opinion, any PACS vendor who is well known yet does not negotiate their legal terms and conditions nor tailor their solution to the needs of the industry could open their customers to a tremendous risk of liability. The scope of this liability can neither be assessed nor budgeted by the health care facilities.

To avoid encountering such liability, it is recommended that health care providers connect with seasoned PACS vendors who have a consistently recognized track record of providing reliable solutions in a manner that effectively addresses the items outlined in this article, facilitate honest communications and negotiations with their customers, and ensure everything is accurately documented within the PACS agreement.

Deeksha Shukla is a law professional, a certified ISO 13485 auditor, and an ISO 9001 lead auditor. She currently works as the compliance and legal officer for RamSoft Inc.