cloud computing in healthcare: hipaa and state law...
TRANSCRIPT
Cloud Computing in Healthcare: HIPAA and State Law Challenges Navigating Privacy and Security Risks
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
THURSDAY, JUNE 7, 2012
Presenting a live 90-minute webinar with interactive Q&A
Matthew A. Karlyn, Partner, Foley & Lardner, Boston
M. Leeann Habte, Foley & Lardner, Los Angeles
Conference Materials
If you have not printed the conference materials for this program, please complete the following steps:
• Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
Continuing Education Credits
For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:
• In the chat box, type (1) your company name and (2) the number of attendees at your location
• Click the SEND button beside the box
FOR LIVE EVENT ONLY
Tips for Optimal Quality
Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-927-5568 and enter your PIN -when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
©2012 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
Cloud Computing in Healthcare: HIPAA and State Law Challenges
Matt Karlyn Partner Foley & Lardner LLP (617) 502-3231 [email protected]
Leeann Habte Associate Foley & Lardner LLP (213) 972-4679 [email protected]
June 7, 2012
4833-2149-3519.1
©2012 Foley & Lardner LLP
6
PART 1 – WELCOME TO THE CLOUD
©2012 Foley & Lardner LLP
7
CDW Tracking Trends 84 percent of IT professionals from a cross-
section of industries say their organization has at least one cloud application
30 percent of health care organizations report implementing cloud computing – Electronic health records – Medical imaging – Telemedicine – Patient management – Traditional business and financial functions
©2012 Foley & Lardner LLP
8
What is Cloud Computing? Delivery over the Internet (i.e., the “cloud”) Software, platform or infrastructure
resources provided as services Scalability on-demand Utility and/or subscription billing (i.e.,
based on the customer’s actual use and/or a period of time)
©2012 Foley & Lardner LLP
9 Types of Cloud Computing Services Cloud computing has generally been broken down
into three types of services – Software-as-a-Service (SaaS) refers to the provider’s
software being delivered over the cloud to the customer as a service (e.g., electronic health record systems)
– Platform-as-a-Service (PaaS) refers to the providers software development platforms being delivered over the cloud to the customer as a service (e.g. Interface development). For example, a customer may use the service to develop, test, and deploy applications that are then hosted on the provider’s infrastructure.
– Infrastructure-as-a- Service (IaaS) refers to virtual servers, memory, processors, storage, network bandwidth, and other types of infrastructure resources, being delivered over the cloud to the customer as a service (e.g., Amazon, Google Rackspace, IBM computing on demand).
©2012 Foley & Lardner LLP
10
Models of Cloud Deployment Public Clouds
– Owned and operated by a cloud provider Private Clouds
– Computing environment operated exclusively for one organization
Community Clouds – Computing environment exclusive to 2+ organizations
with similar considerations Hybrid Clouds
– Composition of 2 or more clouds
©2012 Foley & Lardner LLP
11
Benefits of the Cloud Cost reduction Service flexibility Lower upfront risks and complexity with
realizing the benefits of new technology Reduction in capital costs
©2012 Foley & Lardner LLP
12
That all sounds great…
BUT There are risks…
What are the risks that health care
organizations evaluating cloud computing solutions should
consider?
©2012 Foley & Lardner LLP
13
Part 2 – Is that a storm cloud ahead?
©2012 Foley & Lardner LLP
14
Compliance Risks – Privacy and Security
Health care organizations are required to maintain health care data subject to numerous and differing federal and state laws
©2012 Foley & Lardner LLP
15
Federal Laws: HIPAA, HITECH, and Others HIPAA, as amended by the HITECH Act
– Requires health plans, health care clearinghouses, and covered health care providers to safeguard protected health information (PHI)
– Establishes 22 separate technology-neutral security standards
Gramm-Leach-Bliley Act (GLB Act) – Requires a written security plan
FTC laws and regulations, PCI DSS
©2012 Foley & Lardner LLP
16
State Privacy and Security Laws All states have state-specific privacy laws
– A handful have comprehensive medical privacy laws
– The rest have separate laws that govern the privacy of medical records and/or sensitive health information
Some states also mandate security controls – Personal information – Electronic health records
©2012 Foley & Lardner LLP
17
State Breach Reporting Laws Almost all states have specific
requirements for reporting breaches of medical or other personal information
Data breaches are costly – Average cost of $6.75 million, ranging from
$750,00 to $31 million in 2010 $204 per compromised record
– Most expensive data breach increased to $66 million in 2011
©2012 Foley & Lardner LLP
18
Compliance Not Delegable Accountability for the security and privacy
of health information cannot simply be delegated to a cloud provider.
HITECH holds Business Associates responsible for civil penalties – Notification costs, mitigation of harm,
damages
State law/FTC differ – Organizations are responsible for the actions
of their subcontractors
©2012 Foley & Lardner LLP
19
Cloud Computing Risks Heightened compliance risks
– Location of data if hosted by vendor Jurisdiction and laws governing data Security/breach notification requirements Scope of liability
– Vendor’s subcontracts with third parties Scope of control, responsibilities involved,
recourses/remedies
©2012 Foley & Lardner LLP
20
Cloud Computing Security Risks Multi-tenancy environment
– Data may be stored on a server with other customer’s data = increased risk of unauthorized disclosure
Security risks particular to cloud computing – Risks associated with services being
delivered over web browser (Adobe Flash, etc.)
©2012 Foley & Lardner LLP
21
Evaluating the Risk of Cloud Computing The sensitivity of the data that will be
stored in the cloud The criticality of the business process
being supported by the cloud computing solution
Solutions must be carefully evaluated to ensure the benefits outweigh the risks; ensure contractual protections and operational precautions are taken
©2012 Foley & Lardner LLP
22
Data Sensitivity and the Criticality of the Service High Risk = mission critical processes utilizing
highly sensitive data Medium Risk = generally available data that
requires high service levels; non-confidential enterprise data
Low Risk = not mission critical and generally available data; can accept outages and variable performance
Individually identifiable health information is high-risk data
©2012 Foley & Lardner LLP
23
Part 3 – Speaking of Contracts… Cloud computing agreements have some
similarity to licensing agreements, but have more in common with hosting or ASP agreements
©2012 Foley & Lardner LLP
24
Licensing vs. the Cloud Traditional licensing/hardware purchase
– Vendor installs the software or equipment in the customer’s environment
– Customer has ability to have the software or hardware configured to meet its needs
– Customer retains control of the data In the cloud…
– Software, hardware and customer data are hosted by the provider typically in a shared environment (e.g., many customers per server)
– Software and hardware configuration much more homogeneous across all customers
©2012 Foley & Lardner LLP
25
Licensing vs. the Cloud (cont’d)
Shift of top priorities – From configuration, implementation and
acceptance (in the licensing world) to service availability, performance, service levels, data security and control (in the cloud)
Traditional provisions retain importance, in particular – Insurance, indemnity, intellectual property,
limitations of liability, warranties
©2012 Foley & Lardner LLP
26
Cloud Customers Must Make Important Decisions There are no standard forms that work for every
customer, for every product, in every deal – Some commonly used outsourcing and software licensing terms
may be useful, but cannot be uniformly applied to cloud computing transactions
More robust contractual protection and provisions that address issues unique to the cloud are likely needed – For the “low risk” deals, a low risk solution may outweigh the
need for contractual protections – For “high risk” deals, better to take a closer look and include the
provisions that will protect your company – Note that robust contractual protections may have an impact on
price and eliminate certain providers altogether
©2012 Foley & Lardner LLP
27
The Focus of Cloud Computing Transactions Focus should be on:
– The criticality of the software, data and services to the enterprise
– The unique issues presented by a cloud computing environment (e.g., data security)
– The service levels and pricing offered by different suppliers and for different services
– Outsourcing agreements and traditional licensing agreements are a good starting point, but not a good ending point
©2012 Foley & Lardner LLP
28
Part 4 – Key Contractual Issues in Cloud Computing Note that these slides and this presentation contain
several examples of language that is commonly found in cloud computing agreements. These slides and this presentation are not a substitute for legal advice. The language to be used in your transactions depends on a variety of factors and the particular circumstances. You are strongly advised to engage knowledgeable legal counsel to access and help minimize your legal liabilities based on the particular requirements of your organization. Like any presentation or article, this is not meant to be a substitute for knowledgeable legal counsel.
©2012 Foley & Lardner LLP
29
Pre-Agreement Due Diligence Can the provider meet your organization’s
expectations? Require provider to complete a due diligence
questionnaire – Provider’s financial condition – Insurance – Existing service levels – Capacity – Data security – Disaster recovery and business continuity – Redundancy – Ability to comply with applicable regulations
©2012 Foley & Lardner LLP
30 Pre-Agreement Due Diligence (cont’d)
Pay particular attention to: – Vendor’s financial condition and corporate
responsibility – The provider’s subcontracts with third parties – The location of the data center(s) where the
data will be physically stored and who may have access to the data
©2012 Foley & Lardner LLP
31
Service Availability If the provider stops delivering services, the
customer will have no access to the services (which may be supporting a critical business function), and perhaps more importantly, no access to the customer’s data stored on the provider’s systems
A customer must be able to continue to operate and have access to its data at all times
©2012 Foley & Lardner LLP
32
Service Availability (cont’d) What do you need?
– If provider is maintaining PHI, a disaster recovery plan and an emergency mode operation plan
– Disaster recovery and business continuity assurances For example, “Provider shall maintain and implement disaster
recovery and emergency mode operation procedures to ensure that the Services are not interrupted during any disaster. Provider shall provide Customer with a copy of its current disaster recovery plan and emergency mode operations plan and all updates thereto during the Term. All requirements of this Agreement, including those relating to security policies, workforce screening and termination, training, and due diligence shall apply to the Provider disaster recovery site.”
– Provider’s agreement not to withhold services (even if there is a dispute) For example, “Provided Customer continues to timely make all
undisputed payments, Provider warrants that during the Term of this Agreement it will not withhold services provided hereunder, for any reason, including, but not limited to, a dispute between the parties arising under this Agreement.”
©2012 Foley & Lardner LLP
33
Service Availability (cont’d)
Protections against provider’s financial instability – Enable customer to identify issues in advance
For example, “Quarterly, during the Term, Provider shall provide Customer with all information reasonably requested by Customer to assess the overall financial strength and viability of Provider and Provider’s ability to fully perform its obligations under this Agreement. In the event Customer concludes that Provider does not have the financial wherewithal to fully perform as required hereunder, Customer may terminate this Agreement without further obligation or liability by providing written notice to Provider.”
– In-house software solution: consider requiring the provider to make available or develop an in-house solution to replacing software services if it stops providing those services
©2012 Foley & Lardner LLP
34
Service Levels Uptime service level
– Services must be available to customer at all times to support operations Outage window Measurement period Remedies Require provider to monitor servers by automatic
pinging “Unavailability” should include severe performance
degradation Service response time
©2012 Foley & Lardner LLP
35
Service Levels (cont’d)
Uptime – an example – For example, “Provider will make the Services
Available continuously, as measured over the course of each calendar month period, an average of 99.99% of the time, excluding unavailability as a result of Exceptions, as defined below (the “Availability Percentage”). “Available” means the Services shall be available for access and use by Customer. For purposes of calculating the Availability Percentage, the following are “Exceptions” to the service level requirement, and the Services shall not be considered Un-Available, if any inaccessibility is due to: (i) Customer’s acts or omissions; or (ii) Customer’s Internet connectivity.”
©2012 Foley & Lardner LLP
36
Service Levels (cont’d)
Response Time – an example – Maximum latencies and response times for the
customer’s use of the services For example, “The average download time for
each page of the Services, including all content contained therein, shall be within the lesser of (i) 0.5 seconds of the weekly Keynote Business 40 Internet Performance Index (“KB40”), or (ii) two (2) seconds. In the event the KB40 is discontinued, a successor index (such as average download times for all other customers of Provider) may be mutually agreed upon by the parties.”
©2012 Foley & Lardner LLP
37
Service Levels (cont’d)
Other common service level issues that customers should address are: – Simultaneous visitors – Problem response time and resolution time – Data return and periodic delivery – Remedies for failure to meet service levels
Should include financial penalties and termination
©2012 Foley & Lardner LLP
38
Service Levels (cont’d)
Why are they so important? – Assure the customer that it can rely on the
services and provide appropriate remedies if the provider fails to meet the agreed service levels
– Provide incentives that encourage the provider to be diligent in addressing issues
©2012 Foley & Lardner LLP
39
Data Security The security of a customer’s data in a
cloud computing environment has been recognized as one of the largest areas of concern for a customer – The customer is ultimately responsible for
complying with privacy and security regulations, and data security breaches are costly
©2012 Foley & Lardner LLP
40
Data Security (cont’d) Business Associate Agreements
– Required with cloud provider, if it hosts data or software containing PHI on its own server, or accesses PHI, even if only for troubleshooting software function (OCR, FAQ)
– BAA provisions may be incorporated in End User License Agreements, particularly by software companies (e.g., EHR software) EULA must be valid under State law for
BAA to be enforceable
©2012 Foley & Lardner LLP
41
Data Security (cont’d) Business Associate Agreements
– HIPAA standards may not address data security risks associated with cloud computing environment
– In addition to requiring the cloud provider to provide physical, technical, and administrative safeguards, as required by the HITECH Act, BAA or contract should expressly address the provider’s policies and procedures related to: Security protections unique to cloud Control of subcontracting arrangements Location of data Data redundancy Data ownership and use rights E-discovery Data conversion/data return
©2012 Foley & Lardner LLP
42
Data Security (cont’d) Security protections in provider’s policies:
– Compare with own policies and legal requirements – Ensure that providers’ policies address:
Baseline security measures, including physical controls over data storage facilities
Security incident management Hardware, software and security policies Information access and authorization procedures Security issues particular to cloud computing and services
being provided over the internet
– Some providers won’t show customer their security policies but will permit onsite access
©2012 Foley & Lardner LLP
43
Data Security (cont’d)
Security protections in contract should: – Address State law requirements – Define customer’s vs. providers’ responsibilities for
security – Include method to monitor performance of security
controls and procedures (e.g., third party audit) – Include administrative, technical, and physical
safeguards, in accordance with applicable laws – Expressly establish requirements for storage of
customer information – Provide for customer’s audit rights
©2012 Foley & Lardner LLP
44
Data Security (cont’d)
Subcontracting arrangements – Third party relationships should be disclosed
in advance of reaching an agreement
HIPAA compliance – BAA must ensure that any subcontracts to
whom the Covered Entity provides PHI agree in writing to the same restrictions and conditions that apply to the Business Associate in its agreement with the Covered Entity
©2012 Foley & Lardner LLP
45
Data Security (cont’d)
Subcontracting arrangements – Who is operating the data center – the provider
or a third party? Ensure third party hosts comply with your agreement Provider should accept all responsibility for the third
party host Provider should be jointly and severally liable with the
third party host for any breach of the agreement by the third party host
Consider entering a separate confidentiality agreement with the third party host
Advance notice if any change of the host
©2012 Foley & Lardner LLP
46
Data Security (cont’d) Location of Data
– May determine the jurisdiction and the governing law Overseas data may present practical difficulties Other state laws may impose additional compliance
requirements – Should include prohibition on off-shore work and
restrictions on data transfer – For example,
“In performing the functions, activities or services for, or on behalf of, Customer, Provider shall not, and shall not permit any of its subcontractors, to transmit or make available any PHI to any entity or individual outside the continental United States without the prior written consent of Customer. All activities and services shall be performed and rendered at the locations set forth in Attachment __. The Parties may mutually agree to authorize Provider’s use of additional locations in an amendment to this Agreement.”
©2012 Foley & Lardner LLP
47
Data Security (cont’d)
Breach notification – Agreement should establish:
The procedures and timeframe for reporting a breach to the Covered Entity
The procedures and role of the parties with respect to investigation of the breach and notification of individuals
Liability of the Business Associate
©2012 Foley & Lardner LLP
48
Data Security (cont’d)
In the event of a security breach: – Customer should have sole control over the
timing, content, and method of customer notification (if it is required)
– If the provider is responsible for the breach, then the provider should reimburse the customer for its reasonable out-of-pocket expenses in providing the notification, mitigating the harm, and otherwise complying with the law
©2012 Foley & Lardner LLP
49
Data Security (cont’d) Data redundancy
– Agreement should contain explicit provisions regarding Provider’s duty for regular backups and frequency of back
ups Below is a sample data redundancy provision: “Provider will: (i) execute (A) nightly database backups to a
backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer’s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time, the last 14 nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time.”
©2012 Foley & Lardner LLP
50
Data Security (cont’d)
Data ownership and use rights – Agreement must contain:
Clear language regarding customer’s ownership of data
Specific language (i) regarding the provider’s obligations to maintain the confidentiality of such information and (ii) placing appropriate limitations on the provider’s use of such customer information
Strict limitations on provider’s use of data in aggregated, de-identified form
– Use of aggregate data must be for health care operations purpose permissible under HIPAA
©2012 Foley & Lardner LLP
51
Data Security (cont’d) E-discovery
– Agreement must require provider to retain meta-data
Data conversion/return of data – Must ensure that the customer is not “locked in” to the provider’s solution and
provider can return or destroy data at termination of agreement – A sample data conversion provision is provided below: – “At Customer’s request, Provider will provide a copy of Customer
Information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider’s or its agents’ or subcontractors’ possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer’s request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information.”
©2012 Foley & Lardner LLP
52
Insurance Customer should self-insure against IT risks by
obtaining a cyber-liability policy Provider should be required to carry:
– Technology errors and omissions liability insurance – Commercial blanket bond, using Electronic &
Computer Crime or Unauthorized Computer Access insurance
Most data privacy and security laws will hold the customer liable for security breaches whether it was the customer’s fault or the provider’s fault
©2012 Foley & Lardner LLP
53
Indemnification Third party claims relating to the provider’s
breach of its confidentiality and security obligations, and claims relating to infringement of third party intellectual property rights – Limitation to copyright is not acceptable – Limitation to US IP rights may be acceptable,
but consider whether use of the services will occur overseas
©2012 Foley & Lardner LLP
54
Limitation of Liability Scrutinize limitation of liability provisions
carefully If you can’t eliminate the limitation of
liability in its entirety, seek the following protections: – Mutual protection – Appropriate carve-outs (e.g., confidentiality,
data security, indemnity) – A reasonable liability cap for direct damages
©2012 Foley & Lardner LLP
55
Intellectual Property Provider’s IP may be embedded in the
customer’s business process You should obtain ownership of any “work
product” and a very broad license to use any provider IP incorporated into any work product
©2012 Foley & Lardner LLP
56
Warranties The following warranties are common in these
types of agreements: – Conformance to specifications – Performance of services – Appropriate training – Compliance with laws – No sharing / disclosure of data – Services will not infringe – No viruses / destructive programs – No pending or threatened litigation – Sufficient authority to enter into agreement
©2012 Foley & Lardner LLP
57
Implementation When there will be significant implementation
services, the customer should consider establishing a broad definition of “services” in the cloud computing agreement – E.g., extensive software or hardware
implementation, configuration, customization) This is useful in limiting provider claims for
“out of scope” activity and request for additional money
©2012 Foley & Lardner LLP
58
Fees Ability to add and remove resources with a
corresponding upward or downward adjustment in the service fees
Identify all potential revenue streams and make sure that the identified fees are inclusive of such revenue streams
Lock in recurring fees for a period of time (one to three years) and thereafter an escalator based on CPI or another index
©2012 Foley & Lardner LLP
59
Term The customer should be able to terminate the
agreement at any time upon notice (14 to 30 days) and without penalty – The software and infrastructure are being provided as a
service and should be treated as such – The provider may request a minimum commitment from
the customer to recoup the provider’s “investment” in securing the customer as a customer If you agree to this, limit to no more than one year and
the provider should be required to provide evidence of its up front costs to justify such a requirement
HIPAA requires covered entities to terminate the agreement upon knowledge of a material breach by a subcontractor unless the breach can be cured
©2012 Foley & Lardner LLP
60
Publicity Agreement should contain a provision
relating to announcements and publicity in connection with the transaction.
Provider should be prohibited from: – Making any media releases or other public
announcements relating to the agreement – Using your name and trademarks without
your prior written consent
©2012 Foley & Lardner LLP
61
Assignment You should be able to assign your rights
under the agreement to your affiliates You should obtain assurance that any
provider assignee will agree to be bound by all the terms and conditions of the agreement
©2012 Foley & Lardner LLP
62
Exclusivity In order for customers to obtain the best pricing,
providers are asking customer to contractually commit to an exclusive arrangement
Before entering into such an arrangement, ensure your company has the proper protections in the agreement – Excellent service levels – Appropriate exceptions to exclusivity – Right to transition in anticipation of termination
You don’t want to be bound to a poorly performing provider!
Weigh pricing advantages with performance commitments and reliability of the provider
©2012 Foley & Lardner LLP
63
Post-Execution Ongoing Provider Assessment Regular program of evaluating a provider’s
performance – Provider required to supply the requisite
information to access the services – Notify the customer of any changes with
regard to the provider – Provide recommendations to improve the
services
©2012 Foley & Lardner LLP
64
Negotiation Leverage is important – you may not be
able to obtain all of the protections you want
Evaluate the business risks – Do the services support a critical business
function? – Do the services involve sensitive data? – Are the services customer facing?
©2012 Foley & Lardner LLP
65
Negotiation (cont’d)
If you can’t get the protections you want in the most significant areas of risk, consider walking away
If walking away is not an acceptable option, focus on risk mitigation – For example, if the provider refuses to modify its
uptime service level (arguing that it cannot separately administer an uptime warranty for different customers) focus on improved remedies and exit rights for failure to meet the service level
©2012 Foley & Lardner LLP
66
Part 5 -- Additional Issues to Consider Ability to audit Lack of transparency and control Subcontracting and flow down of
provisions IP issues Change management and governance/
oversight
©2012 Foley & Lardner LLP
67
QUESTIONS?
Matt Karlyn Partner
Foley & Lardner LLP 111 Huntington Avenue
Boston, MA 02199
(617) 502-3231
Leeann Habte Associate
Foley & Lardner LLP 555 S. Flower Street
Los Angeles, CA 90071
(213) 972-4679