Health Care IT contracts are rarely just about technology. They govern access to patient data, compliance with complex regulatory obligations, and the systems that keep day-to-day operations running. Yet these agreements are often dense, highly technical, and drafted on vendor-friendly terms, making it easy for critical risks to go unnoticed until something goes wrong.
As health care organizations continue to invest heavily in IT solutions, understanding where these contracts commonly fail (and how to address those weaknesses up front) is essential.
Here are eight pitfalls that consistently create problems in health care IT agreements, along with practical guidance gleaned from years of negotiating these deals:
1. The Ordering Documents: Where Deals Quietly Go Off the Rails
Here is where most problems actually start, and it is not where you would expect. The foundation of any IT contract is the ordering document, also known as an order form, scope of work, or project proposal. These documents define what you are actually buying, what services will be provided, how and when they will be delivered, and what you are expected to pay.
The problem? These documents typically get routed to legal for a quick review, when what they really need is serious attention from the operational people who will actually use the system. We have seen too many situations where, six months into implementation, a hospital’s IT director discovers that data migration was not included in the scope, or that “training” means a single webinar rather than onsite support during go-live.
Even the strongest legal terms cannot fix a scope of work that does not reflect reality. If your ordering documents say the vendor will “provide implementation services” without spelling out what that means, you are setting yourself up for expensive change orders and finger-pointing when things do not go as expected. Get your project managers and clinical stakeholders involved early – have them read the scope line by line. It is tedious, but it is a lot less tedious than litigating over what “turnkey solution” was supposed to mean.
2. Service Level Agreements: The Illusion of Accountability
SLAs in health care IT contracts often look impressive until you actually need to enforce them. A vendor might promise “99.9% uptime” but then define “downtime” so narrowly that maintenance, third-party failures, and “system degradation” do not count. We have reviewed an SLA where the vendor’s idea of a “critical” issue requiring a four-hour response was essentially limited to the data center being on fire.
The real question is this: what happens when the vendor misses its SLA targets? In many contracts, the answer is that the vendor will either use reasonable efforts to correct the problem or provide service credits that amount to pennies on the dollar compared to your actual losses. One health system we worked with negotiated for meaningful termination rights if uptime fell below thresholds for consecutive months. The vendor resisted but ultimately agreed because they were confident in their infrastructure. Termination clauses for persistent outages are not just legal protections; they are litmus tests for infrastructure stability. When a vendor balks at these terms, they are effectively signaling that their network may not be as robust as their marketing suggests.
Also, read the “force majeure” provisions carefully. Some vendors have drafted these so broadly that everything from internet outages to vague “supply chain disruptions” excuses performance. If a provision would let the vendor off the hook for problems they should reasonably anticipate and plan for, push back firmly.
3. Intellectual Property: Who Actually Owns the Custom Work?
This issue often trips up even the most sophisticated buyers. Health care IT projects almost always involve some degree of customization, whether it is custom reports, workflow configurations, interface builds, or integration scripts. Without clear contractual language, the vendor retains ownership of it all.
We have seen this play out badly more than once. A regional hospital network spent substantial funds on custom dashboards for their electronic medical record. When the time came to switch vendors, they discovered they had no rights to those dashboards and would need to rebuild everything from scratch. The vendor offered to license the dashboards back to them for an annual fee that was, unsurprisingly, not cheap.
The principle here is straightforward: if you’re paying for custom development that is specific to your organization, you should own it or, at a minimum, have a perpetual license to use it. Your contract should explicitly state what happens to customizations, configurations, and any code written specifically for your implementation in the event of termination. This is not just about ownership; it is about maintaining flexibility and avoiding vendor lock-in down the road.
4. Data Protection and Security: Where the Contract Meets Compliance Reality
In health care, data protection is not optional. Yet we continually see many IT contracts treat HIPAA compliance as almost an afterthought, with vague language about the vendor agreeing to “comply with applicable laws.”
That is not enough. Your contract needs to be specific about the details, including how patient data is handled, where it is stored (including any offshore locations), who has access to it, how it is encrypted both in transit and at rest, and what happens to it when the contract ends. Prior to signing, you should require the vendor to answer a security questionnaire, with built-in audit rights so you can verify compliance.
One negotiation we handled involved a vendor promising that they conducted annual SOC 2 audits; however, when we asked that this be added to the contract as a requirement, the vendor balked. Suddenly it was a problem. That told the customer everything they needed to know, and they walked away from that deal. Remember, if the vendor will not put it in writing, then assume what they are saying is false.
5. Limitation of Liability: When a Cap Does Not Fit the Risk
Standard IT vendor contracts often cap liability at the fees paid in the preceding 12 months. That means for cloud-based software that costs $50,000 annually, your maximum recovery for a catastrophic data breach affecting hundreds of thousands of patient records is $50,000. Does that seem proportionate to the risk? Of course not, and vendors know this.
Negotiation here requires understanding what you are actually concerned with. For data breaches involving PHI, many organizations insist on higher caps or carve-outs from the limitation entirely. For IP infringement (where a vendor’s software infringes a third party’s patent and you get sued), uncapped liability is standard.
The vendor will resist, particularly on data breach liability, but there is usually room to negotiate. We have also routinely negotiated compromise solutions such as making the limitation of liability cap refresh after a certain number of years or requiring the vendor to maintain cybersecurity insurance with specific coverage limits, which at least ensures there is a pool of funds available if something goes wrong.
6. Termination Rights and Exit Planning: Hope for the Best, Plan for the Worst
Vendor relationships that start with enthusiasm and optimism can sour quickly. We have seen it happen because of acquisitions, product end-of-life decisions, poor support, or simply because better technology is now available. When that happens, you need an exit ramp.
Termination for convenience gives you maximum flexibility, but vendors hate it (understandably, since they have made investments expecting multi-year revenue). If you cannot get it, at least negotiate for performance warranties, the right to dispute fees in good faith, and termination rights if the vendor misses SLAs, is acquired, materially changes the product, or materially breaches the agreement.
Another key negotiation point that is often overlooked is transition assistance. We cannot overstate how important this is. Your contract should require the vendor to cooperate with data extraction, provide data in standard formats, assist with migration to a replacement system, and continue providing support during the transition period at the same pricing or some other mutually agreed-upon price. Without these provisions, you are at the vendor’s mercy, and mercy is expensive.
We worked with one hospital that discovered, during a contested termination, that their contract had no transition provisions at all. The vendor offered to help with data migration for $150,000 and an eight-month timeline. The hospital had to pay because their clinical operations depended on getting that data out. Do not let this happen to you.
7. Artificial Intelligence: New Technology, Old Problems (Plus Some New Ones)
AI is everywhere in health care IT now, from clinical decision support to revenue cycle optimization to patient communication tools. The legal frameworks are still catching up, which means your contract needs to address questions that do not yet have settled answers.
Start with the basics: Is AI being used? How? Is your patient data being used to train AI models, and if so, what controls are in place? Who owns the outputs generated by AI systems? What happens if the AI produces biased or erroneous results?
For any AI tool that touches clinical decision-making or billing, we strongly recommend contractual requirements for human oversight, quality assurance, and intervention capabilities. The FDA is still figuring out how to regulate AI medical devices, and CMS is developing policies around AI in clinical documentation. Your contract should have enough flexibility to adapt as these regulatory frameworks develop.
We advised one physician group that almost signed a contract for an AI-powered coding assistant without realizing the vendor was using their documentation to train models that would then be sold to other customers, including competitors. We added language requiring explicit consent for any use of their data beyond providing the contracted services. The vendor agreed without pushback and commented that other customers never asked for that right. You need to ask the appropriate questions in order to protect your organization.
8. Offshore Services: Out of Sight Should Not Mean Out of Mind
Many IT vendors use offshore development teams or support centers, which is fine from an efficiency standpoint but creates real risks if not managed properly. One of the biggest risks is the lack of visibility and accountability that often comes with offshore personnel.
Your contract should require disclosure of where services are performed and where data is stored or accessed. If patient data is accessed offshore, you need to understand what safeguards are in place. Critically, the vendor should remain 100% responsible for all services regardless of where they are performed.
We have seen situations where vendors tried to disclaim responsibility for offshore subcontractors or claimed that certain privacy laws did not apply to overseas operations. Neither position is acceptable. One vendor, one point of accountability, one set of contractual obligations – that is it. If the vendor wants to use offshore resources, that is their business decision, but they must remain accountable for those agents.
Final Thoughts
None of this suggests that health care IT vendors are acting in bad faith. However, their agreements are strategically drafted by legal teams to prioritize the vendor’s protection, not the customer’s. Since your incentives are not aligned, it is essential to have your own legal counsel review these contracts to rebalance the scales and ensure your interests are equally protected.
The areas we have outlined above are where we consistently see problems emerge. Addressing them upfront will not eliminate all risk but will put you in a substantially better position when (not if) something goes wrong. Especially in health care, where system failures can affect patient care and regulatory compliance, that better position might make all the difference.
The attorneys at Garfunkel Wild, P.C. regularly advise health care clients on negotiating and structuring IT agreements to align with operational realities and regulatory requirements. Whether reviewing a new contract or addressing challenges in an existing relationship, we are prepared to help you in all aspects to position your organization for long-term success.
Should you have any questions or needs regarding the above, please contact the authors, the Garfunkel Wild attorney with whom you regularly work, or contact us at [email protected].