With pressure on reimbursements and efforts by all provider organizations to cut their operating costs, the cloud is rapidly becoming an attractive option. To be sure, the various models of the cloud—including data storage as part of software-as-a-service (SaaS) agreements—are becoming viewed as viable options for an increasing number of hospitals and medical groups.
Yet the cloud includes legal and financial risks for provider organizations as well. After all, cloud service providers and SaaS vendor are business associates of the provider organization that are being entrusted with very important data, both for the patient’s health and the organization’s financial wellbeing. What should provider organizations be doing to protect their interests and their clinical and business/financial data?
For insight, Healthcare Informatics recently interviewed Daniel F. Gottlieb, a partner in the law firm McDermott Will & Emery, based in the firm’s Chicago office, who leads its health information technology and data protection practice.
Gottlieb says he is seeing a significant number of provider organization clients moving their data to cloud service providers—including “public” cloud service providers such as Amazon—or entering into SaaS agreements with software vendors.
In general, Gottlieb says, policy changes such as the Health Insurance Portability and Accountability Act (HIPAA) Final Rule has put greater emphasis on privacy and security than in the past. Added to that, press accounts of hackers and data breaches have also raised awareness of the issue on the part of the hospital’s management and boards of directors.
“In general, on privacy and security matters, we are seeing a higher level of managers in the organizations being involved. For example, the audit and compliance committee of the board, or the full board, is asking the CIO to do periodic presentation or regular presentation regarding security issues,” he says. “Likewise, at CEO level, and the c-suite in general, folks realize that there are costs associated with not only breach of confidentiality, but also downtime from system downtime. It interferes with patient care, and it can slow down the revenue cycle process.”
Here’s his advice to provider organizations considering use of the cloud:
1. Check references. Call other provider organizations that have used a service, and ask them if they have been satisfied with uptime, customer service and other issues. “Broadly speaking, due diligence is very important on the front end before entering into a service agreement,” he says.
Gottlieb cautions provider organizations not to overlook due diligence when working with software vendors under SaaS agreements that include hosting their data. He says that an over-eagerness to move forward with a particular solution runs the risk of not doing adequate due diligence or spending enough time on the implementation plan or making sure that there are adequate protections in the contract. He observes that under SaaS agreements, it could be more difficult to migrate to different software as well as a different vendor to host the data if things go awry.
2. Have a solid contract. “The contract is super important,” he says. “You don’t want to get stuck in a bad situation, and while you may have remedies under contract, it’s not desirable to be in dispute, particularly with a company that has all of your confidential data.”
3. Make sure the vendor has a comprehensive set of security policies and procedures. Those policies should at a minimum be compliant with Health Insurance Portability and Accountability Act (HIPAA) security standards. He also recommends that the vendor has type of third-party vendor certification, such as Service Organization Control (SOC) 2 or compliance with a security framework such as the HITRUST Alliance, which offers the Common Security Framework. “Various organizations provide certification; and there are various security consultants that will do audits,” he notes.
He suggests hiring a reputable security consultant who will review under an agreed-upon set of standards, such as HIPAA, Health Information Technology for Economic and Clinical Health (HITECH) standards for secure protected health information (PHI), International Organization for Standardization (ISO) standards, or proprietary standards of the consultant.
Gottlieb advises that these requirements can be included in an agreement with the service provider or vendor, either at the front end, or as part of an annual or bi-annual re-certification. “Some cloud vendors will agree to periodic re-certification; others will agree to it only if the customer is willing to pay for it; so that can be an issue in the negotiation of the contract,” he says.
4. Obtain a provider’s security policies. Gottlieb notes that vendors may be reluctant to share their security policies, because they consider them proprietary; but he advises requesting at least a summary of the security measures.