BY: HENRY C. FADER
Summary
Healthcare managers must ensure their organizations are addressing Year 2000 (YK2) computer concerns, which can affect both internal and external operations, from patient monitoring to accreditation. Strong planning initiatives and legal counsel are necessary to resolve YK2 and computer vendor issues.
Directors and trustees should follow "prudent person" standards to avoid liability but must take an active role with managers to form a YK2 committee, retain professionals to prepare for operation failures, and explore insurance availability. As 2000 approaches, computer systems will start to malfunction on unpredictable dates. Catholic providers must act now or review their current efforts.
Although many healthcare managers are familiar with the "Year 2000" problem, they should review the potential concerns to ensure their organizations are prepared for worst-case scenarios involving internal computer failures and external compliance and litigation issues. This update reviews the problem and how to address it using legal counsel and new vendors.
Many computer programs, devices, and systems use only two digits to identify a year. Therefore, computers will be reading the numerals "00" as the year 1900 and not the year 2000, or "YK2" (K for kilo, 1,000). If this built-in problem is not corrected, many computer systems worldwide will fail or generate incorrect data.
Healthcare managers must first determine which systems within their organizations will or might fail. These may require operational backups to continue providing services without interruption. Institutions that have identified possible interrupted services need to address potential legal liability and other considerations.
Potential for Widespread Impacts
Both internal groups and outside parties associated with healthcare institutions may experience the YK2 problem.
Patients and Families
The potential failure of medical equipment (e.g., telemetry units in intensive and critical care units) and patient devices that contain computer-generated stimuli (e.g., pacemakers) presents the most serious risks. Patients and their families also may confront glitches in computer-controlled systems such as elevators, parking garages, and interactive software.
Physicians
Physicians primarily will be concerned about patient care issues. Computer system failure could endanger patients' health without warning. Monitoring devices, computerized operating rooms, and computer-dependent surgical procedures (e.g., cardiac catheterization) and scanning devices could be affected. Also, interactions between physicians' office practices and integrated delivery systems (e.g., computerized patient records, transmission of digitized images) may be severely interrupted.
Accounting/Reporting Departments
Internal financial and other organizational reports may be lost, delayed, or inaccurate. Interruptions may extend to managed care reports, staffing levels, and expenses and payroll systems.
Third-Party Payers
Medicare administrators and their fiscal intermediaries are extensively reviewing their respective systems to ensure YK2 compliance. Furthermore, managed care organizations and Blue Cross/Blue Shield organizations may deal selectively with organizations that can demonstrate compliance.
Regulatory Agencies
Reports from the Centers for Disease Control and Prevention, various state health departments, and other reporting agencies could be interrupted by failure of their computer databases and interfaces. Birth and death records, causes of death, and statistical analyses of physician and hospital procedures could be irretrievably lost.
Creditors, Accountants, Lawyers
Creditors (e.g., bondholders, banks) who do business with a healthcare organization that has borrowed funds will be concerned about the YK2 problem crippling the organization's operations. Professional standards will pressure accountants to report issues of noncompliance. Attorneys may be forced to report their clients' YK2 concerns to the accountants and in turn to the creditors.
Accreditation Organizations
Accrediting bodies want accredited healthcare organizations to resolve YK2 problems. Although the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has not issued specific guidelines or standards, its surveyors will ask whether an organization is prepared to deal with computer failure from any cause. The National Committee for Quality Assurance may also be assessing YK2 compliance when reporting to managed care organizations.
Taking the Initiative
Catholic healthcare organizations have a long tradition of using strong planning initiatives to solve strategic and operational problems, and must make time and take steps now to resolve the problem.
Organizations that demonstrate YK2 compliance may even gain competitive advantages by providing managed care organizations and the general public with a sense of security.
In planning initiatives for their institutions, healthcare managers should involve legal counsel in responding to three questions:
- How should the governing body and management react regarding the organization's internal structure and procedures?
- How should the organization deal with past vendors and present relationships?
- How should the organization deal with new vendors and future relationships?
Internal Structure and Procedures
The "prudent person" standard of care is generally applied to corporations in most jurisdictions when boards' actions (or inactions) are assessed. The Pennsylvania Non-Profit Corporation Law, for example, requires directors and trustees to carry out their duties in good faith, in a manner reasonably believed to be in the corporation's best interests, and with such care, including reasonable inquiry, skill, and diligence, as a person of ordinary prudence would exercise under similar circumstances in like positions.
In general, directors or trustees are not subject to liability for every corporate mishap or loss. However, Pennsylvania and many other states expect boards to take a questioning role and to establish practical goals, evaluate and monitor operational performance and effect change when required, provide for long-term financial stability, and protect the corporation's public image.
Healthcare leaders must ask their legal advisers what is required to achieve this standard in a hospital or integrated delivery network.
Steps to Meet Standards
Managers and directors must take the following steps to satisfy liability concerns and meet their states' standards:
- Form a task force, with an appointed chairperson, to study the YK2 problem and provide organization-wide leadership in this area.
- Retain, as needed, experienced outside professionals such as computer experts, legal counsel, accountants, and operations consultants, to assist in preparing for operation failures.
- Retain competent in-house personnel. Also, an organization should consider stricter confidentiality standards to protect against personnel revealing computer system weaknesses if they take a job at another organization.
- Explore the availability of insurance for YK2 risks.
Reporting Requirements
Healthcare managers should inventory sources of concern, with or without outside consultants, to isolate possible major system failures. They must comply with the accounting disclosure rules promulgated by the American Institute of Certified Public Accountants (AICPA). In accordance with accepted accounting principles, these rules require healthcare organizations to charge all YK2-incurred costs to the current year and not spread them over a period of years. This is an important area to monitor because of the potential to downplay expenses for YK2 problems and soften their impact on earnings in a particular year.
Healthcare organizations may be subject to Securities Exchange Commission (SEC) standards. SEC disclosure rules also apply to tax-exempt issuers, since brokers and dealers are SEC regulated and required to provide full disclosure to the public. The recently released Staff Bulletin No. 5 requires SEC reporting companies to determine whether a "materiality standard" has been met, which may require disclosure of the expenses to be incurred or the impact of those expenses on future operations and profits.
Managers must be able to respond to accreditation agencies' inquiries about how their organizations are preparing for YK2 issues. The JCAHO and others will especially be assessing compliance in terms of patient safety.
With Rev. Proc. 97-50, the Internal Revenue Service requires that current deductions be used for YK2-related expenses for any for-profit entities.
Past Vendors, Present Relationships
Legal counsel should examine an organization's relationships with past computer and other vendors. The organization should first seek cooperation from past vendors to solve YK2 problems. Some vendors may be unable to respond because they are no longer in business, are bankrupt, or do not have records. Others may hesitate to cooperate and incur further liability.
Legal Audits
Whether past vendors cannot or will not assist, a legal audit of each computer-related contract (hardware, software, or turnkey) that might be involved will be necessary. Managers should gather all sales and promotional materials (requests for proposals, invitations to bid) to document the project in question. If vendors knew particular requirements, such as purchasing equipment expected to operate 10 years beyond 2000, this could be significant in evaluating a third party's legal liability. The people who negotiated the contracts and were involved in the process must be found, even if they are no longer employees. This legal audit allows attorneys to determine the problem's seriousness and advise the organization before it commits resources to a litigation fight.
Contracts and Litigation
Actions against vendors fall into three general categories: breach of contract, breach of warranty, and fraud. The legal approach depends on the particular contract, the promises made, and the requirements implied. The statute of limitations is also a factor.
Healthcare contracting practices are traditionally uneven. Some institutions aggressively negotiate contracts and all their conditions, while others concentrate on price and terms rather than the fine print. Any contract subjected to review and litigation may hold surprises, as in the following examples:
- In a Uniform Commercial Code (UCC) action, items purchased from the vendor must be defined as "goods." Hardware is clearly goods, but software is sometimes classified outside the UCC.
- When the system went "on line," the vendor may have asked the organization to sign an "acceptance" of the system. This could become a problem when the vendor asserts that the organization "accepted" the system as presented without claims or exceptions.
- The purchase contract may contain an enforceable disclaimer regarding both expressed and implied warranties.
- Some contracts may contain limitations on liability, such as dollar amounts limited to the purchase price and consequential and incidental damages.
- Most contracts contain an integration and merger clause that excludes evidence produced outside the contract. This can be devastating to many actions because outside communications form the basis for the document.
- Antivirus and "force majeure" clauses attempt to limit liability for unforeseen actions.
All these issues affect the litigation analysis, and the defendant will certainly raise them in any actions that go to a court.
Attorneys must recruit expert witnesses. Many organizations will use a recently hired firm as an expert witness in vendor litigation. This can become a problem if the previous vendor asserts the new vendor's involvement materially interfered with the previous vendor's equipment and system.
New Vendors, Future Relationships
Legal counsel also can help establish new vendors for an organization's future computer and operating systems.
Healthcare entities now receiving "compliant 2000" letters from vendors, suppliers, payers, and others must take special care. Liabilities may arise from returning the compliance letters and indicating the organization is YK2 compliant when it may not be compliant. If this noncompliance interferes with electronic data interchange (EDI), others may have a cause of action for breach of warranty and for damages.
An appropriate team is needed to build compliance. Any vendor or consultant's financial strength and other background information must be verified. Agreements should include achievable time lines, and clear personnel commitments and goals. Organizations should not accept limits on damages. Some are considering having third parties confirm that the proposed solution works to avoid relying on contract language alone. Many consultants and vendors may not exist when an organization seeks compensation from them for a future problem. Also, since new vendors acknowledge the potential for errors in their data conversion, a mechanism should be in place to identify the responsible party if an error is made.
Complications will arise if past vendors are contacted. They may say the new vendor has destroyed the system's capabilities by changing codes and language. They may raise contractual copyright and confidentiality issues and block access by the new vendor. Using a new vendor or consultant as an expert witness may result in charges of conflicts of interest; the new vendor may ask for indemnification against liability, and the past vendor may claim interference with the original project.
Take Action Now
The YK2 problem will not necessarily occur only in the year 2000. Many consulting firms and large providers have indicated that as computer systems approach 2000, perhaps in 1999, they will start to malfunction on different and unpredictable dates. Only careful planning and prudent inquiry will prepare healthcare organizations for the potential major and minor
For more information, contact Mr. Fader at 215-751-2396; e-mail: [email protected].
Mr. Fader is a partner and chairman of the Health Law Department, Schnader Harrison Segal & Lewis, LLP, Philadelphia