In an educational session on Monday, called “Hidden Pitfalls of the Cloud, Mobile Technology and Mobile Data,” Lee Kim, director of privacy and security at HIMSS, and Steven J. Fox, an attorney with Post & Schell, P.C., gave practical advice for provider organizations entering into agreements with cloud vendors. They spoke about the ins and outs of negotiating a vendor contract and the questions to ask during the vetting process.
Kim noted that regulations in the privacy and security space may vary at the state level; many states are what she termed “HIPAA-Plus,” with privacy and security requirements that go beyond those of the federal Health Insurance Portability and Accountability Act. Pennsylvania, for example, imposes additional requirements on records related to AIDS, mental health and alcohol use.
Fox used a general definition of a cloud service provider as a vendor that hosts data remotely, outside the direct control of the customer organization. “Data not under your direct control is where I get nervous, and you should be too,” he told the audience.
He cautioned provider organizations considering entering into agreements that “vendors are not your friends; they are your business partners.” A business relationship can be beneficial to both parties, but negotiating a solid contract requires taking a hard look at the terms, he said. “That is the meat of what you are going to end up with,” he said. He advised against signing the initial contract with few or no changes, and instead recommended treating it as a starting point for negotiation. He said clients should pay special attention to pricing, and make sure that it reflects the discussions they have had with the vendor.
When negotiating with a cloud service provider, it is important to keep in mind that not all cloud vendors are equal, he said. He added that outsourcing data or applications does not mean the organization that owns the data can take a hands-off approach.
Other advice he offered organizations includes:
- Make sure you understand what the deal is about, and that this understanding is reflected in the contract. He cautioned about generic contracts that don’t reflect what the client organization understands the agreement to be. He added that the vendor’s responses to the client’s questions should be stipulated in the contract.
- Find out as much as possible about the cloud service provider: How long has it been in business? Does it use state-of-the-art security protocols? Is it a publicly traded or a wholly owned company, and does it have the financial resources to provide the service? Does it have a disaster recovery plan? “Check references,” he said.
- Know where the data will be stored, and if it will be kept inside U.S. borders.
- Know how easily you can access your data if the vendor goes bankrupt or out of business, or if you want to move the data to a different vendor.
- Check if the vendor has third-party certification.