nchica - contracts with healthcare cloud computing vendors
DESCRIPTION
TRANSCRIPT
Workshop on Health Information in the Cloud: Business Strategy,
Security and Deployment
NC Healthcare Information and Communications Alliance
March 2011
Randy Whitmeyer
Whitmeyer Tuffin PLLC
www.whit-law.com
Contracting with the Healthcare Cloud
Service Provider
Topics • Legal Backdrop
• Cloud Computing v. Traditional IT Structures
• The “Contract Circle”:
• Selecting a Health Care IT Vendor
• Negotiating Key Contract Terms
• Dealing with Vendor Non-Performance
Legal Backdrop
• HIPAA/HITECH Privacy and Security Rules
• HITECH Meaningful Use
• NC and other State Identity Theft Rules
• NC Destruction of Personal Information Records Law
• EU Data Protection Directive and Cross-Border Data Flows
• PCI Rules
• Electronic Discovery
Cloud Computing
v.
Traditional I.T. Structures
Graphic Courtesy of Hosted Solutions
Graphic Courtesy of Hosted Solutions
Cloud Computing Services
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Cloud Computing and Security
Disadvantages
• Lack of Transparency
• Lack of Responsiveness
• “Trading Market” of
Subcontractors
• Vendor Lock-In
• Lack of Security Details
Advantages
• Data Dispersal
• Data Fragmentation
• “Tier 1” Data Centers
• Multiple Customer Demands
• Easier Patching and Updates
Cloud Computing Contract Structures
• Typically service-based, not licensed
• OPEX, not CAPEX
• Often offered via “click and accept” agreements
• Sometimes incorporate by reference other terms of use
and policies
• Sometimes purport to be changeable without notice by the
vendor
Selecting the Cloud
Computing Vendor: Due
Diligence and Key Contract
Terms
Keys to Selecting a Cloud Computing Vendor
• Approach project realistically, in light of personnel, time and budget
• Document your requirements
• Obtain consultant as necessary
• Remember the need for training on new systems and new processes
• More realistic to adapt process to system than adapt system to process, in most cases
• Perform due diligence on vendor. Rigorously check with other similar users on their experiences. Check certifications
• Last but not least: enter into a good contract!!
Negotiation Ideas
• Early on in discussions, alert vendor that you want certain key
adjustments to contract terms, identifying the issues
• If possible, use your own form of contract rather than vendor’s
form
• Try to keep multiple vendors in the process as long as possible to
keep competitive pressure on both price and terms
• Consider a formal RFP/response process for larger systems
Security and Privacy Terms
• Confidentiality
• Third-Party security audits
• Right to review detailed security/disaster recovery policies
• Obligation to maintain security and security policies
• Right to audit and test security
• Notification in the case of breach
• Indemnification for breaches/payment of costs of required notices to
customers
• Encryption
Business Associate Agreement
• Whose form of BAA?
• NCHICA form, of course!
• How much embellished?
• How does it relate to other confidentiality, security and
privacy provisions in contract?
Regulatory Issues
• Certification by ONC-ATCB, such as CCHIT
• Meaningful use criteria
• Cooperation with certification and attestation
• Timing of implementation
Other Key Data Issues
• Ownership of Data
• Disposition of Data on Termination
• Location of Data
• Legal / Government Request to Access Data
Service Level Agreements
• Uptime
• Performance & Response Time
• Error Correction Time
• Infrastructure / Security
• Performance Credits
• Use of Measurement Technology
• Notice/Reporting Obligations
Pricing Terms • Monthly service fees
• Per user or provider, or based on transactions?
• When does it start?
• Implementation fees
• Commitment to start date?
• Add-on pricing
• Payment terms
• Caps on increase in fees
Term & Termination • Length
• Termination Penalties
• Data Rights upon Termination
• Vendor Termination or Suspension
• Automatic Renewal
Warranties
• Warranty to specifications and requirements
• Avoid limited warranty to just documentation
• Include key functional specifications as an appendix to the document. Sometimes can pull these straight from vendor’s web site
• Warranty against noninfringement
• Anti-virus warranty
• Warranty that documentation is complete and gets updated with new releases in a timely fashion
• Services warranty – vendor should use reasonable skill in accordance with industry standards, and supply qualified and experienced personnel
Third-Party Software/Services
• Vendor will want to disclaim responsibility (e.g., for performance or
IP issues) for third party software components of solution, especially
open source
• Buyer’s perspective:
• I’m buying a solution, and it shouldn’t matter to me whether vendor
chose to implement parts of the solution with third-party pieces
• Resolution varies and is often fact-specific:
• Well-known, off the shelf components more likely to be excluded
Support and Maintenance
• Rights to new versions
• Timeframes for responding to and fixing problems
• Target/efforts versus commitment with financial
repercussions
Intellectual Property • Proprietary software company will jealously guard ownership of its products
• Dispute often arises over ownership of any custom developed IP, such as interfaces
• Buyer’s argument:
• I paid for it, I should own it
• Vendor’s argument:
• You are paying for accelerated development
• I would never be able to have a product if each piece of custom IP was owned by the
buyer
• Possible compromises:
• Exclusive use for a period of time
• Sharing in royalties
Other Terms
• Acceptance
Terms/Procedures
• Limitations of Liability
• Indemnification
• Insurance
• Modification of Contract
• Assignability
• Choice of Law/Jurisdiction
• Subcontractor approval
• Source Code escrow
Project Failure
(The typical scenario)
• Buyer: The service is late, has not been delivered at all, or
has excessive errors
• Vendor: Buyer unilaterally expanded the scope of the
project, or failed to understand the service and its effect on
the practice.
Project Failure
(Buyer’s Perspective) • Strategies:
• Document problems early and often, and communicate to Vendor
• Avoid unduly flattering emails; always come back to haunt in dispute situations
• Send formal notice of breach
• Provide opportunity to cure
• Withholding payment: must be done carefully
Project Failure
(Vendor’s Perspective)
• Document changes in scope/obtain agreement
• Document unforeseen technical issues
• Consider when/if to withhold software/services, if unpaid
Key Takeaways
• Due Diligence is critical when choosing Cloud Computing
Vendors . This includes not only direct questioning but
also third-party review such as dun and bradstreet reports,
ongoing litigation review, and merger activity.
• Insist on transparency
• Risk can vary depending on type of data involved and type
of cloud
• Form contracts rarely handle key issues satisfactorily
Randy Whitmeyer
Whitmeyer - Tuffin PLLC
919-880-6880
Any questions?