How to choose Medical IT & Digital Health Systems
EHR platforms, interoperability tools, clinical decision support, and remote patient monitoring: what procurement teams need to evaluate before signing anything.
What this is and who buys it
Medical IT and digital health is a broad procurement category that spans electronic health record (EHR) systems, clinical decision support (CDS) software, FHIR-based interoperability platforms, telehealth infrastructure, and remote patient monitoring (RPM) programs. These systems sit at the intersection of clinical operations and regulated software — which means getting the buying decision wrong carries both financial and compliance consequences that persist for years.
EHR adoption among U.S. hospitals has climbed from roughly 72% a decade ago to approximately 96% today [S6], so the typical purchase is no longer a greenfield installation. Most buyers — hospital CIOs, CMIOs, ambulatory practice administrators, ASC operators, and health-system procurement teams — are replacing aging platforms, bolting on AI or telehealth modules, or trying to meet new ONC/ASTP certification deadlines. That shift from "buying a system" to "optimizing an ecosystem" changes what questions matter most.
The stakes are high because these systems touch every clinical workflow, every billing transaction, and every privacy obligation the organization carries. A mismatch in interoperability standards, a CDS module with unresolved FDA classification questions, or a vendor contract that locks data behind migration fees can cost far more than the original implementation. Understanding the regulatory and technical landscape before issuing an RFP is not optional — it is the work.
Key decision factors
ONC/ASTP certification and FHIR readiness is the non-negotiable starting point. Any product under consideration should carry a current ONC Health IT Certification Program ID, verifiable on the Certified Health IT Products List (CHPL). Critically, certification to §170.315(g)(10) requires support for the FHIR R4-based US Core Implementation Guide, FHIR Bulk Data Access, and the SMART App Launch framework [S2]. Until FHIR R6 is finalized, R4 remains the baseline for all new implementations — vendors claiming "FHIR support" without a certification ID are making an unverifiable assertion.
Clinical decision support classification determines whether embedded AI features fall under FDA's medical device framework or sit outside it. Under Section 520(o)(1)(E) of the FD&C Act, software that meets all four statutory criteria — intended for administrative support, general wellness, or non-serious clinical situations with human override — is excluded from the device definition. If any single criterion is not met, the function is a software as a medical device (SaMD) subject to FDA oversight [S1]. Procurement teams should request explicit FDA classification documentation for every AI or predictive feature, including 510(k) clearance numbers where applicable.
Predictive DSI transparency under HTI-1 adds a disclosure layer for AI-driven tools embedded in certified Health IT modules. The HTI-1 Final Rule (December 13, 2023) requires developers to apply intervention risk management practices for each Predictive Decision Support Intervention and publish summary information — including source attributes and bias evaluation — via a publicly accessible hyperlink [S5]. Contracts should require these disclosures before execution, not as an afterthought.
Cybersecurity framework alignment is both a compliance issue and a financial risk management question. Insisting on documented adoption of NIST CSF 2.0 (released February 2024) and the HHS 405(d) Health Industry Cybersecurity Practices (HICP) is increasingly standard practice. Demonstrating HICP alignment for at least 12 months prior to a breach investigation may mitigate OCR fines and result in more favorable regulatory treatment [S3] — though this is not a formal safe harbor and does not relieve any HIPAA obligation [S4].
Hosting model and total cost of ownership shape the long-term financial profile more than the initial contract value. Physician-hosted on-premises deployments carry the full IT staffing burden and hardware refresh cycles every four to six years. Remote-hosted models use vendor servers reached over VPN. Cloud SaaS uses multitenant architecture to share infrastructure costs, typically shifting capital expenditure to predictable operating expenditure and offloading patch management to the vendor. Each model allocates risk differently — understanding where downtime liability and upgrade control sit is as important as the per-seat price.
Interoperability beyond the EHR core matters because the Cures Rule requires certified developers to publish FHIR service base URLs in machine-readable format at no charge [S2]. Before contracting, procurement teams should test endpoint accessibility using ONC's publicly available Lantern monitoring tool — not just accept vendor representations at face value.
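The certification baseline above and the endpoint test described here can be checked together from the two documents every FHIR R4 server publishes: the CapabilityStatement at `<base>/metadata` and the SMART discovery document at `<base>/.well-known/smart-configuration`. The following Python is an added example, not code from the page, ONC or any vendor; the two sample documents are constructed and trimmed so the check runs offline, and in practice a reviewer would fetch them from the vendor's published base URL and feed them in unchanged.

```python
import json

# Constructed sample documents (not from any real vendor). In practice fetch
# <base>/metadata and <base>/.well-known/smart-configuration from the base URL
# the vendor publishes under the Cures Rule and pass the raw JSON here.
SAMPLE_CAPABILITY = json.dumps({
    "resourceType": "CapabilityStatement", "fhirVersion": "4.0.1",
    "instantiates": ["http://hl7.org/fhir/us/core/CapabilityStatement/us-core-server"],
    "rest": [{"mode": "server",
              "operation": [{"name": "export",
                             "definition": "http://hl7.org/fhir/uv/bulkdata/OperationDefinition/export"}],
              "resource": [{"type": "Patient",
                            "supportedProfile": ["http://hl7.org/fhir/us/core/StructureDefinition/us-core-patient"]}]}]})
SAMPLE_SMART = json.dumps({
    "authorization_endpoint": "https://ehr.example/oauth2/authorize",
    "token_endpoint": "https://ehr.example/oauth2/token",
    "capabilities": ["launch-ehr", "launch-standalone", "client-public", "context-ehr-patient"]})


def check_g10_baseline(capability_json: str, smart_json: str) -> dict:
    """Return {check_name: passed} for the (g)(10) items: FHIR R4, US Core, Bulk Data, SMART."""
    cap = json.loads(capability_json)
    smart = json.loads(smart_json)
    rest = [r for r in cap.get("rest", []) if r.get("mode") == "server"]
    profiles = [p for r in rest for res in r.get("resource", []) for p in res.get("supportedProfile", [])]
    operations = [op for r in rest for op in r.get("operation", [])]
    return {
        # R4 is 4.0.x; an STU3 (3.0.x) or R4B (4.3.x) server does not satisfy the criterion
        "fhir_r4": cap.get("resourceType") == "CapabilityStatement"
                   and str(cap.get("fhirVersion", "")).startswith("4.0."),
        # US Core is evidenced by declared profiles or by instantiating the US Core server statement
        "us_core": any("hl7.org/fhir/us/core/" in u for u in profiles + cap.get("instantiates", [])),
        # Bulk Data Access is evidenced by an advertised $export operation
        "bulk_data_export": any(op.get("name") == "export" or "bulkdata" in op.get("definition", "")
                                for op in operations),
        # SMART App Launch needs OAuth endpoints plus at least one launch mode
        "smart_app_launch": all(k in smart for k in ("authorization_endpoint", "token_endpoint"))
                            and any(c in smart.get("capabilities", []) for c in ("launch-ehr", "launch-standalone")),
    }


def failed_checks(capability_json: str, smart_json: str) -> list:
    """Names of baseline items the vendor's published documents do not evidence."""
    return [name for name, ok in check_g10_baseline(capability_json, smart_json).items() if not ok]


if __name__ == "__main__":
    for name, ok in check_g10_baseline(SAMPLE_CAPABILITY, SAMPLE_SMART).items():
        print(f"{name:18} {'PASS' if ok else 'FAIL'}")
```

A passing result only shows the server advertises the capabilities; the CHPL listing and Lantern remain the authoritative evidence of certification and live endpoint availability.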
Specialty and setting fit remains underweighted in many RFP processes. Acute-care enterprise platforms dominate on market share but are often mismatched for critical-access hospitals, behavioral health providers, or post-acute settings that have different workflow architectures and reimbursement structures [S7]. Matching the platform to care model, bed count, and acuity tier — rather than brand recognition — produces better long-run outcomes.
What it costs
Pricing in medical IT is highly variable and often opaque, with per-provider subscription fees, implementation charges, data migration costs, and interface fees all quoted separately. Third-party cost benchmarks exist for some platforms but are rarely disclosed by vendors in response to initial inquiries, making a five-year total cost of ownership model essential before any contract negotiation [S11].
- Entry tier ($20,000–$65,000 implementation; ~$100–$300/provider/month subscription): Cloud EHR platforms targeting solo practices and small clinics. Lower upfront cost but often limited interoperability, specialty workflows, and AI features.
- Mid tier ($65,000–$200,000 implementation; ~$485–$729/provider/month for full-featured platforms): Mid-sized group practices and ambulatory networks. Expect interface and data migration costs to add $20,000–$50,000 on top of license fees.
- Enterprise tier ($200,000 to multi-millions): Hospital and IDN deployments. Large health system contracts for major enterprise platforms routinely exceed $50 million, and implementation timelines run 18–36 months. The 2022 Oracle acquisition of Cerner — valued at $28.3 billion — illustrates the capital concentration in this segment [S7].
Common use cases
The platform category that fits depends heavily on the care setting and patient population. An ambulatory multispecialty group has fundamentally different workflow requirements than a 300-bed community hospital or a hospital-at-home program.
- Acute-care hospitals and IDNs: Enterprise EHRs dominating this segment hold approximately 37.7% (Epic) and 19% (Oracle Health) of the U.S. hospital market [S7], with large federal deployments — including the VA's 147 acute care sites — adding further concentration.
- Community and critical-access hospitals: Platforms traditionally targeting hospitals under 100–200 beds offer cloud-native options that reduce IT infrastructure burden for smaller organizations with limited biomed and IT staff.
- Behavioral health and post-acute: Specialty-focused vendors serve niches that enterprise platforms underserve, with workflow design oriented around care coordination, substance use disorder management, and long-term care billing.
- Chronic-care and hospital-at-home programs: RPM platforms in these settings must handle physiologic data that is electronically collected and automatically uploaded for clinical analysis, using FDA-defined medical devices [S8] — a regulatory bar that disqualifies consumer wellness apps from CMS reimbursement workflows.
Regulatory and compliance
FDA risk classification for clinical software follows a three-tier framework: low-risk functions (a step counter, a symptom journal) are typically exempt; intermediate-risk SaMD — such as AI software identifying heart failure on echocardiograms — undergoes 510(k) premarket notification; high-risk AI, such as software identifying occult lesions on mammography, requires an Investigational Device Exemption and Premarket Approval with clinical trial data [S9]. Approximately 9.4% of approved AI/ML devices have been recalled, with roughly a third later re-approved — a statistic that underscores why procurement teams should not treat "FDA cleared" as the end of due diligence [S9].
On the privacy and interoperability side, the HIPAA Security Rule (45 CFR §164.308–§164.312) requires an annual risk analysis as a mandatory implementation specification [S4]. The ONC HTI-1 Final Rule sets updated certification criteria effective from December 2023, with FHIR US Core IG (R4 + USCDI v1), FHIR Bulk Data Access, and SMART App Launch as baseline requirements [S5]. State-level overlays are proliferating — New York's hospital cybersecurity regulation (10 NYCRR §405.46) now mandates a designated CISO and specific email-threat controls for licensed hospitals [S10]. Procurement teams in regulated states should map state requirements against vendor capabilities before RFP issuance.
Service, training, and total cost of ownership
Implementation timelines for ambulatory EHRs typically run six to eighteen months; enterprise hospital deployments commonly require eighteen to thirty-six months. Data migration — converting discrete data, documents, and historical records from legacy systems — typically costs $20,000–$50,000 depending on volume and structural complexity, and is frequently underbudgeted. Staff training adds $1,000–$5,000 per staff member, a line item that grows significantly in large organizations and compounds if turnover is high during go-live.
For RPM programs, the cost stack includes the physical devices ($30–$100 each for basic units, $80–$200 or more for cellular-enabled devices), a software platform fee, clinical monitoring fees, and one-time EHR integration costs. Device service life runs three to five years for RPM hardware kits. Enterprise EHR platforms, by contrast, carry an expected useful life of eight to twelve years before replacement — meaning the total cost of a major system change includes the lost productivity and retraining costs of switching, not just the new contract value. Service agreements should specify SLAs with at minimum 99.9% uptime commitments, defined recovery time and recovery point objectives, 24/7 break-fix coverage, and source-code escrow provisions in the event of vendor insolvency.
Red flags to watch for
A vendor that refuses to publish FHIR endpoints or claims FHIR support without a verifiable ONC certification ID is likely in violation of the Cures Act API condition of certification — treat this as a disqualifying finding, not a negotiation point. Similarly, "AI-powered" clinical features marketed without clear FDA classification documentation (Non-Device CDS criteria met vs. 510(k)-cleared SaMD) expose the purchasing organization to liability for incorrect outputs with no regulatory backstop [S9].
Watch for information-blocking behaviors embedded in contract language — excessive fees for data export at contract end, proprietary formats that impede migration, or clauses that limit data sharing with third-party apps. These may constitute violations under 21st Century Cures Act §3022. Finally, hidden cost escalators — per-user fees that grow with headcount, integration charges for third-party systems billed separately, and customization costs that surface only during implementation — are among the most common sources of budget overrun in EHR procurement [S11]. Require fully unbundled, five-year pricing in writing before finalizing any term sheet.
Questions to ask vendors
- Provide your ONC certification ID and CHPL listing, and confirm certification to §170.315(g)(10) FHIR API, including the US Core IG version currently supported.
- Which of your software functions meet FDA Non-Device CDS criteria under §520(o)(1)(E), and which carry 510(k) clearance as SaMD? Provide K-numbers for all cleared functions.
- Submit your HTI-1 Predictive DSI source attribute disclosures and intervention risk management documentation for any AI or machine learning features included in this proposal.
- Have you maintained 405(d) HICP-aligned security practices for at least 12 months, and can you provide a current HITRUST i1/r2 certification or SOC 2 Type II report?
- Provide a fully itemized five-year TCO breakdown — license, implementation, data migration, training, interfaces, and annual maintenance escalators — with escalator caps confirmed in writing.
- What are our data-export rights at contract termination, including file formats, timelines, and any associated fees, and do you offer source-code escrow?
Alternatives
The binary of "buy new enterprise software vs. do nothing" understates the real option set. Legacy on-premises EHRs can be 30–50% cheaper than modern cloud-native equivalents in upfront cost, but they typically lack current FHIR/USCDI compliance, modern AI features, and vendor-managed security patching — creating a regulatory and operational debt that compounds over time. Used or transferred perpetual licenses are rarely practical for regulated healthcare software given certification dependencies.
The subscription vs. perpetual license question is now largely settled for new deployments: cloud SaaS eliminates hardware refresh cycles (every four to six years for on-premises infrastructure) and shifts upgrade cadence to the vendor, while perpetual on-premises licenses offer data sovereignty at the cost of dedicated IT staffing. Best-of-breed architectures — pairing separate RIS, LIS, RPM, and telehealth platforms — allow specialty optimization but impose an integration tax that requires a robust middleware engine (HL7 v2 for legacy connections, FHIR for modern APIs) and ongoing interface maintenance. For RPM specifically, fully managed subscription models (approximately $40–$80 per patient per month for turnkey service) are comparable to internally staffed programs when 24/7 clinical monitoring overhead is fully costed; providers billing CPT 99453/99454/99457/99458 can realize $40–$160 per patient per month in net margin under the subscription model, but only if device FDA clearance and EHR documentation workflows are correctly implemented [S8].
Sources
- [S1] FDA — Clinical Decision Support Software Final Guidance (2026)
- [S2] ONC/ASTP — HL7 FHIR & Federal FHIR Action Plan
- [S3] HHS 405(d) Health Industry Cybersecurity Practices (HICP)
- [S4] HHS.gov — Summary of the HIPAA Security Rule
- [S5] HIMSS — HTI-1 Final Rule Overview (Algorithm Transparency, DSI)
- [S6] ONC Health IT Playbook — Electronic Health Records
- [S7] Definitive Healthcare — Hospital EHR Market Share
- [S8] Telehealth.HHS.gov — Billing for Remote Patient Monitoring
- [S9] PMC/NIH — FDA Regulation of Clinical Software in the Era of AI/ML
- [S10] NY DOH — Hospital Cybersecurity Requirements (10 NYCRR §405.46)
- [S11] RXNT — EHR Software Cost Guide 2026
- [S12] Federal Register — ASTP/ONC Deregulatory Actions (Dec 2025)
MedSource publishes neutral guidance. We do not accept payment from vendors to influence the content of articles. AI-generated articles are reviewed for factual accuracy but cited sources should be the primary reference for procurement decisions.