Digital health is a growing and rapidly changing sector of the technology industry. It consists of a variety of technology applications such as telehealth, personalized medicine, health tracking, health information technology, software, and software as a service solutions (“SaaS”) intended to help with patient care, and wearables. Offerings in the digital health space often involve use of emerging technologies like artificial intelligence and machine learning to assist healthcare providers in better diagnosing and treating disease. The objective is to provide more efficient care, assist patients and consumers to better manage and track their own health and wellness, and create a more interconnected healthcare system.

Pandemic-related challenges have increased the adoption of such innovative technologies by hospital systems, patients, and consumers alike. Adoption of these technologies is accompanied by digital health contracts, which can take many forms depending on the parties involved and the particular offering at issue. In this article, we explore three of the key issues with SaaS offerings in the digital health space: (1) intellectual property rights and ownership; (2) data use and rights; and (3) cybersecurity.

First off, these contracts often take the form of a subscription agreement between a SaaS digital health vendor and a hospital system, sometimes called a Master Subscription Agreement. Typically, the subscription agreements include a Service Level Agreement, Support Policy, and Business Associate Agreement, as applicable. It can take months to negotiate as digital health vendors are working with hospital systems that have slow moving procedures and processes for vendor onboarding, as well as in-house attorneys who may not understand the vendor technology and technology-related legal issues raised.

Intellectual Property Rights and Ownership

Which form is used can be an issue. Hospital system customers may push to use their form as the starting point for negotiations. Vendors may consent in an attempt to close the deal, but should be aware of problems with doing so. Customers’ standard vendor agreements are usually poor fits for SaaS solutions. They are often set up to for performance of services and, as a result, include provisions assigning ownership of intellectual property to the customer, which are inappropriate in this case as the vendor is not providing software development services to the customer and is instead providing the customer with only a right to access and use the vendor’s SaaS solution. As a result, the vendor will need to undertake substantial revision of the customer’s vendor agreement to include provisions to, among other things, establish the subscription model for their solution, preserve intellectual property rights and retain ownership to their solution, and to ensure the customer is subject to appropriate restrictions on their access and use of the solution such as prohibitions on reverse engineering and creation of derivative works.

Data Use and Rights

These days it is not uncommon for vendors to use artificial intelligence/machine learning in their offerings. Use of this technology creates its own unique issues around data, including the need for the vendor to use customer data for product improvement. However, customers often will try to prevent vendors from using customer data for product improvement, particularly as there is personal health information (“PHI”) involved that triggers issues arising from the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). When faced with this issue, vendors using artificial intelligence in their SaaS solution should consider pushing back; artificial intelligence requires training on data in order to be adaptive and better perform for customers. This self-improving functionality is often a key reason customers are purchasing a subscription to an offering with artificial intelligence. To reach a resolution between customers and vendors over such data issues, vendors can agree to not monetize such data and/or limit the data used for artificial intelligence training purposes to de-identified data. Vendors also need to be cognizant of the fact that data use and rights are addressed not only in the SaaS Agreement/Master Subscription Agreement, but also in the Business Associate Agreement between the parties. Terms in the Business Associate Agreement often conflict with the underlying SaaS Agreement/Master Subscription Agreement so vendors should take care to review both documents together to ensure appropriate rights for access, use, and retention of de-identified data.

Cybersecurity

Vendors engaging in activities that involve creating, receiving, maintaining, or transmitting PHI from or on behalf of customers are subject to privacy and security considerations stemming from HIPAA and other applicable laws. Given the highly sensitive nature of PHI and the legal exposures under these laws, customers will often push vendors for unlimited liabilities and indemnities for items such as breach of confidentiality, breach of the Business Associate Agreement, data breach, and breach of privacy/security. Vendors need to consider the value of the deal and their own insurance coverage. Offering higher secondary caps for such expanded liabilities and indemnities rather than uncapped labilities are options to consider. Customers also may push to have vendors adopt detailed security policies and procedures and to reserve security audit rights. Such provisions are overly burdensome on vendors and allow customers to exert too much control on the vendor’s business operations. As a result, vendors should consider compromise offerings like becoming SOC2-compliant and offering SOC2 reports to customers. Additionally, customers will generally require vendors to have cybersecurity insurance. Vendors should make sure that they have appropriate coverage in place as an initial matter to avoid unnecessary delays in deal negotiations.

The three issues discussed above offer only a flavor of some of the key issues that digital health vendors face. Savvy vendors will realize digital health contract negotiations are chockfull of legal and commercial pitfalls that require counsel experienced in the digital health space to help navigate the negotiations in a manner that appropriately protects proprietary intellectual property, limits liabilities, and maximizes revenue generation.