HIPAA Primary Concern with the Cloud
By Matt Fisher
Twitter: @matt_r_fisher
The “cloud” has entered into everyday conversations in many industries and our personal lives. People will often say that their information is stored in the cloud, or that software is run from the cloud. What this means is that the software or service is delivered over the internet and not stored locally on the user’s own servers or computers. The cloud can offer easy solutions for many users because it reduces physical hardware requirements and shifts operating responsibility to someone else. However, the convenience offered by the cloud does not come freely. Risks associated with cloud services may include loss of individual control and reliance on a vendor to help meet a user’s requirements and obligations.
For healthcare users, as would be expected, HIPAA is one of the primary concerns. As is well known at this point, healthcare users need to receive certain assurances from their vendors that the vendor meets and complies with HIPAA privacy and security requirements. Those assurances are typically (and arguably should be) in the form of a business associate agreement. With the move toward cloud-based services, pressure has been put onto cloud vendors to enter into business associate agreements and not balk at regulatory requirements. In a major move for the industry, Google and Microsoft both acknowledged this reality and finally, in the not too distant past (i.e. the end of 2013), agreed to sign business associate agreements (for certain services).
While HIPAA is and should be a paramount focus for healthcare users, other important aspects of an agreement with a cloud services provider also need to be considered. These additional considerations include, but are not limited to: (i) pre-agreement due diligence; (ii) service availability; (iii) service levels; (iv) data security (v) data ownership; (vi) insurance; (vii) warranties; (viii) term; and (ix) fees. What follows is a brief discussion of each of these nine issues. Each issue can involve a significant amount of negotiation when contracts are being reviewed and each situation will call for different provisions. As I am often reminded, knowing what each contract needs takes experience and will often be driven by gut feelings as to what is needed for a particular arrangement.
Pre-Agreement Due Diligence
Before a healthcare user enters into an agreement with a cloud service provider, the user should do some background research on the provider. As the adage goes, know who you’re getting into bed with. Pre-agreement due diligence can help avoid surprises down the road by potentially uncovering concerns ahead of time. How do you do the diligence? One option may be to submit a questionnaire to the potential vendor and require completion before any agreement will be contemplated. The ability to obtain answers will likely depend upon each party’s relative bargaining power though. If a questionnaire is not feasible, the user can poke around on its own and maybe reach out to other users. There are a variety of options. Bottom line, do not get into a relationship blind.
Service Availability
When contracting for services, clearly one of the main concerns is the ability to keep receiving those services. With that in mind, a user will want to know will happen in the event the provider stops delivering services for one reason or another. Of utmost importance to a healthcare user is what happens to their data, since it will most likely consist of medical records or other protected information. Ways of addressing these concerns are the inclusion of a disaster recovery plan and/or preventing a provider from withholding services.
Service Levels
A user will typically try to make the provider commit to certain service level standards. In the cloud services context, the service level will typically address the uptime commitments of the provider. When negotiating a service level commitment, there should be more than just a set uptime, but penalties in the event that the standard is not met. A penalty could be monetary or the ability to terminate immediately if service level commitment are routinely not met. However, these commitments must be included in the initial agreement to apply. The standards can be an afterthought, but have the potential to greatly influence on the arrangement works out.
Data Security
Given that this article is in the healthcare context, data security obviously is meant to convey compliance with HIPAA. As indicated above, cloud-based providers, almost universally, will handle protected health information on behalf of a healthcare user. Accordingly, the cloud-based provider must comply with the privacy and security requirements of HIPAA, as applicable for the particular arrangement. As companies that have not traditionally provided services in the healthcare industry begin to contract with healthcare user, it will be up to the healthcare users to ensure that their cloud-based providers meet and satisfy HIPAA standards. Even though business associates may be directly liable under HIPAA, a covered entity (the healthcare user) cannot hide its head in the sand.
Data Ownership
A user may assume that any data used in an application is owned by the user because the user collects and inputs the data. However, a careful read of an agreement may disprove this assumption; or the user may retain ownership, but grant a license to the provider to use the data. Regardless of what a form agreement may say, it is advisable for a user to retain full ownership and control over their data. For example, a healthcare user may sign up for a cloud based electronic medical record. If the healthcare user does not retain ownership over their data, then the healthcare user may be effectively held hostage by the agreement.
Insurance
With the rise in security breaches, insurance for all parties has become both increasingly common and necessary. The damages for a data breach can be very hard to calculate, which means it is even harder to reserve sufficient funds for a breach. Cyber liability policies can now be obtained by most entities and are often carried as part of standard coverage. However, it should not be assumed that such a policy is in place. From the perspective of the healthcare user, a provision requiring such insurance should be included in an agreement. The cloud-based provider may also want to require its customer to carry insurance depending upon the circumstances.
Warranties
A warranty provision commonly shows up in agreements and just as often there is a severe restriction on what warranties are provided. Examples of warranties include: conformance to specifications stated by either the user or provider; performance standards; appropriate training; compliance with laws; non-infringement; and no viruses or other defects in the software. Obtaining a warranty can make it easier for a user to obtain damages in the result of a problem or otherwise hold a provider accountable. For this reason, it is difficult to get a provider to agree that a warranty can be included. However, it will likely be difficult to obtain specific warranties from any service provider.
Term
The length of an agreement by itself is not so important. The manner in which an agreement may be terminated though is important. Can a party terminate without cause, meaning that the agreement can be terminated for any reason at any time. Conversely, can the agreement only be terminated in the event of a breach, for cause, that is not cured in a specified period of time. It is up to the parties to determine what works in a particular circumstance, though a user will often want to retain flexibility, which means having the ability to terminate without cause. Since termination without cause effectively means the agreement is only for the length of the notice period, costs under the agreement may be increased to protect the provider’s investment.
Fees
Lastly, fees are always a hotly contested item. Users want to pay the least amount of money possible, while providers need fees to actually make money. From this perspective, the fee level is purely a business negotiation, but fees can be locked in for set periods of time or tied to certain price indexes. Additionally, the parties should clearly specify what is included in the fee and what will result in extra charges. If expectations are not clearly set at the start, fights can be expected.
As this quick summary demonstrates, cloud-based service contracts, like any contract, require careful attention to the details. Hurdles will come up frequently, but can be overcome with good planning and negotiation. Each side will need to compromise, but that is just the nature of doing business.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Mat advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.