
Page 1: NCHICA - Contracts with Healthcare Cloud Computing Vendors

Workshop on Health Information in the Cloud: Business Strategy, Security and Deployment

NC Healthcare Information and Communications Alliance

March 2011

Randy Whitmeyer

Whitmeyer Tuffin PLLC

www.whit-law.com

Contracting with the Healthcare Cloud Service Provider

Page 2: Topics

• Legal Backdrop

• Cloud Computing v. Traditional IT Structures

• The “Contract Circle”:

• Selecting a Health Care IT Vendor

• Negotiating Key Contract Terms

• Dealing with Vendor Non-Performance

Page 3: Legal Backdrop

• HIPAA/HITECH Privacy and Security Rules

• HITECH Meaningful Use

• NC and other State Identity Theft Rules

• NC Destruction of Personal Information Records Law

• EU Data Protection Directive and Cross-Border Data Flows

• PCI Rules

• Electronic Discovery

Page 4: Cloud Computing v. Traditional I.T. Structures

Page 5: Graphic courtesy of Hosted Solutions

Page 6: Graphic courtesy of Hosted Solutions

Page 7: Cloud Computing Services

• Software as a Service (SaaS)

• Platform as a Service (PaaS)

• Infrastructure as a Service (IaaS)

Page 8: Cloud Computing and Security

Disadvantages

• Lack of Transparency

• Lack of Responsiveness

• “Trading Market” of Subcontractors

• Vendor Lock-In

• Lack of Security Details

Advantages

• Data Dispersal

• Data Fragmentation

• “Tier 1” Data Centers

• Multiple Customer Demands

• Easier Patching and Updates

Page 9: Cloud Computing Contract Structures

• Typically service-based, not licensed

• OPEX, not CAPEX

• Often offered via “click and accept” agreements

• Sometimes incorporate by reference other terms of use and policies

• Sometimes purport to be changeable without notice by the vendor

Page 10: Selecting the Cloud Computing Vendor: Due Diligence and Key Contract Terms

Page 11: Keys to Selecting a Cloud Computing Vendor

• Approach project realistically, in light of personnel, time and budget

• Document your requirements

• Obtain consultant as necessary

• Remember the need for training on new systems and new processes

• More realistic to adapt process to system than adapt system to process, in most cases

• Perform due diligence on vendor. Rigorously check with other similar users on their experiences. Check certifications

• Last but not least: enter into a good contract!!

Page 12: Negotiation Ideas

• Early on in discussions, alert vendor that you want certain key adjustments to contract terms, identifying the issues

• If possible, use your own form of contract rather than vendor’s form

• Try to keep multiple vendors in the process as long as possible to keep competitive pressure on both price and terms

• Consider a formal RFP/response process for larger systems

Page 13: Security and Privacy Terms

• Confidentiality

• Third-Party security audits

• Right to review detailed security/disaster recovery policies

• Obligation to maintain security and security policies

• Right to audit and test security

• Notification in the case of breach

• Indemnification for breaches/payment of costs of required notices to customers

• Encryption

Page 14: Business Associate Agreement

• Whose form of BAA?

• NCHICA form, of course!

• How much embellished?

• How does it relate to other confidentiality, security and privacy provisions in contract?

Page 15: Regulatory Issues

• Certification by ONC-ATCB, such as CCHIT

• Meaningful use criteria

• Cooperation with certification and attestation

• Timing of implementation

Page 16: Other Key Data Issues

• Ownership of Data

• Disposition of Data on Termination

• Location of Data

• Legal / Government Request to Access Data

Page 17: Service Level Agreements

• Uptime

• Performance & Response Time

• Error Correction Time

• Infrastructure / Security

• Performance Credits

• Use of Measurement Technology

• Notice/Reporting Obligations

Page 18: Pricing Terms

• Monthly service fees

• Per user or provider, or based on transactions?

• When does it start?

• Implementation fees

• Commitment to start date?

• Add-on pricing

• Payment terms

• Caps on increase in fees

Page 19: Term & Termination

• Length

• Termination Penalties

• Data Rights upon Termination

• Vendor Termination or Suspension

• Automatic Renewal

Page 20: Warranties

• Warranty to specifications and requirements

• Avoid limited warranty to just documentation

• Include key functional specifications as an appendix to the document. Sometimes can pull these straight from vendor’s web site

• Warranty against noninfringement

• Anti-virus warranty

• Warranty that documentation is complete and gets updated with new releases in a timely fashion

• Services warranty – vendor should use reasonable skill in accordance with industry standards, and supply qualified and experienced personnel

Page 21: Third-Party Software/Services

• Vendor will want to disclaim responsibility (e.g., for performance or IP issues) for third-party software components of solution, especially open source

• Buyer’s perspective:

  • I’m buying a solution, and it shouldn’t matter to me whether vendor chose to implement parts of the solution with third-party pieces

• Resolution varies and is often fact-specific:

  • Well-known, off-the-shelf components more likely to be excluded

Page 22: Support and Maintenance

• Rights to new versions

• Timeframes for responding to and fixing problems

• Target/efforts versus commitment with financial repercussions

Page 23: Intellectual Property

• Proprietary software company will jealously guard ownership of its products

• Dispute often arises over ownership of any custom developed IP, such as interfaces

• Buyer’s argument:

  • I paid for it, I should own it

• Vendor’s argument:

  • You are paying for accelerated development

  • I would never be able to have a product if each piece of custom IP was owned by the buyer

• Possible compromises:

  • Exclusive use for a period of time

  • Sharing in royalties

Page 24: Other Terms

• Acceptance Terms/Procedures

• Limitations of Liability

• Indemnification

• Insurance

• Modification of Contract

• Assignability

• Choice of Law/Jurisdiction

• Subcontractor approval

• Source Code escrow

Page 25: Project Failure (The typical scenario)

• Buyer: The service is late, has not been delivered at all, or has excessive errors

• Vendor: Buyer unilaterally expanded the scope of the project, or failed to understand the service and its effect on the practice.

Page 26: Project Failure (Buyer’s Perspective)

• Strategies:

• Document problems early and often, and communicate to Vendor

• Avoid unduly flattering emails; they always come back to haunt you in dispute situations

• Send formal notice of breach

• Provide opportunity to cure

• Withholding payment: must be done carefully

Page 27: Project Failure (Vendor’s Perspective)

• Document changes in scope/obtain agreement

• Document unforeseen technical issues

• Consider when/if to withhold software/services, if unpaid

Page 28: Key Takeaways

• Due Diligence is critical when choosing Cloud Computing Vendors. This includes not only direct questioning but also third-party review such as Dun & Bradstreet reports, ongoing litigation review, and merger activity.

• Insist on transparency

• Risk can vary depending on type of data involved and type of cloud

• Form contracts rarely handle key issues satisfactorily

Page 29

Randy Whitmeyer

Whitmeyer Tuffin PLLC

[email protected]

919-880-6880

Any questions?