Affidavit: Healthcare and the Law - The Healthcare Cloud - Legal Issues

Contributor: Lisa W. Clark, JD’89 


Cloud-based services are revolutionizing the healthcare industry and providing significant business opportunities.  Consider the following: globally, the revenue generated for healthcare cloud services purchased by healthcare providers is predicted to reach roughly $10 billion by 2021.  The cloud offers remote access to data, exponentially more storage, data analysis tools, and other applications and content on a worldwide basis.  But cloud services typically are commodity services with little differentiation between them, and are offered on a ‘take it or leave it’ basis, leaving healthcare purchasers with little or no opportunity to negotiate a cloud service contract that suits their specific needs, in particular with respect to the privacy of healthcare data and the security of the cloud service being purchased.  However, depending on factors such as size, prestige, and the type of data being stored, some purchasers may have negotiating leverage.  And although the cloud services offered by the brand-name companies are well known, there is an increasing number of smaller vendors that may be more willing to negotiate terms.  This article provides some additional background on cloud services in healthcare and addresses the data privacy, system security, and other contract issues that are important for purchasers to consider. 

On average, companies can utilize anywhere from 900 to 1,200 different cloud-based services for different business needs such as back-office support, like email and data storage (including data in electronic health records); ongoing support for the secure exchange of patient information; analysis of big data; assisting with virtual care or telemedicine services; and supporting patient empowerment tools.  The pooled resources of networks, servers, and storage applications supporting these services can be delivered through private, public, and hybrid cloud environments.  With the private cloud, a single healthcare provider, such as a hospital, owns the servers and other computing resources and retains exclusive control over resource utilization, whereas the public cloud is typically a multi-tenant infrastructure environment available to a number of different healthcare provider customers that use the same hardware, storage, and network devices through an internet connection.  The public cloud infrastructure exists solely within the premises of the cloud services vendor and can be paid for by organizations on an as-needed basis.  The hybrid cloud is characterized as some combination of both the public and private cloud environments where healthcare providers can house their more sensitive, critical data and applications in the private cloud and manage higher-volume assets in the public cloud.  Healthcare providers can use existing infrastructure and data storage capabilities, but as they outgrow their private cloud space they can buy space from colocation partners or from the public cloud to house additional data and free up private cloud space as needed, relieving burdens associated with purchasing additional hardware and software. 

The varying levels of control under these different models affect the contract terms that are appropriate to address each party’s responsibility for data security.  Since IT infrastructure can be designed in a number of ways to adequately address each company’s specific needs, healthcare providers have much to consider when deciding how and where to store their data.  Naturally, cost is an essential component in making these decisions.  Cloud-based solutions can cost significantly less than traditional on-premises solutions, because organizations can acquire and pay for services as needed while avoiding the burdens of owning and managing their own hardware.  Given that purchasers are only responsible for monthly or yearly fees based on the services used, healthcare providers can benefit from the scalability of cloud-based systems as they continue to grow and collect more data over time.

However, healthcare businesses should proceed with caution when entering into cloud services agreements because not all cloud services and cloud service vendors are created equal.  For instance, some cloud service companies, including the large ones, may offer multiple products and a range of support and other resources, but they may not always be well suited to the healthcare space.  These vendors may have little or no experience with the legal and ethical obligations regarding data that healthcare providers face, and their products and systems may not be sufficiently agile to address these specific needs.  For instance, a contract research organization (CRO) supporting clinical trials for opioid treatment may require more comprehensive security controls and safeguards to guarantee the protection of the data and achieve full regulatory compliance, since substance abuse data is subject to higher security standards under the law.  Is the vendor aware of these legal requirements, and can it accommodate them?

Other related concerns include privacy and notification provisions related to an individual’s health data, known as protected health information (PHI).  In response to the widespread adoption of cloud computing solutions, the Department of Health and Human Services’ Office for Civil Rights, the government entity that oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA), clarified that when a HIPAA covered entity engages a cloud services vendor to create, maintain, or transmit PHI on its behalf, the cloud services vendor is a business associate under HIPAA.  This is true even if the cloud services vendor processes or stores only encrypted PHI and lacks the encryption key for the data.  The healthcare provider and the cloud services vendor must enter into a HIPAA-compliant business associate agreement under which the cloud services vendor is both contractually liable for meeting the terms of the business associate agreement and directly liable for complying with the requirements of HIPAA.  Therefore, legal responsibility under HIPAA is shared between the cloud services vendor and the healthcare organization, and the vendor is obligated to provide security controls that satisfy HIPAA requirements, which gives healthcare organizations an opportunity to negotiate for more extensive controls.  

When healthcare providers rely on cloud services vendors to store their data, they sacrifice some control over where and how that information will be stored, so healthcare providers will want to negotiate strong cloud service agreements with detailed provisions relating to security and privacy.  Healthcare providers will want to stay informed of where and how electronic PHI (ePHI) is moved, handled, and stored by their cloud services vendor, especially since moving data internationally is an increasingly common way for cloud services vendors to cut costs.  Additionally, since it is impossible to fully guarantee privacy and security, providers would be wise to purchase adequate insurance.  

As healthcare providers continue adopting and relying upon cloud-based services, it is imperative that they understand the key terms in their agreements with cloud services vendors.  The primary concerns will relate to privacy and security, but other critical concerns include fee increases based on updates to the services or products provided by the vendor, and termination rights triggered by such charges or by data breaches.  Cloud services agreements should include robust security and audit terms that require vendors to perform regular security audits and to communicate the results of those audits back to the healthcare provider.  In addition, these terms should permit healthcare providers to perform security audits of their own.  Healthcare providers should also take care to protect any negotiated terms from being overridden by click-wrap agreements (a type of contract used with software licenses and online transactions in which a user must agree to terms and conditions before using the product or service) containing indemnity, arbitration, or governing-law provisions that conflict with the service agreement.  Healthcare providers with specific concerns related to cloud service agreements should contact a qualified healthcare attorney.  






Disclaimer: This article is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this article are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.