nchica - contracts with healthcare cloud computing vendors
DESCRIPTION
TRANSCRIPT
![Page 1: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/1.jpg)
Workshop on Health Information in the Cloud: Business Strategy,
Security and Deployment
NC Healthcare Information and Communications Alliance
March 2011
Randy Whitmeyer
Whitmeyer Tuffin PLLC
www.whit-law.com
Contracting with the Healthcare Cloud
Service Provider
![Page 2: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/2.jpg)
Topics • Legal Backdrop
• Cloud Computing v. Traditional IT Structures
• The “Contract Circle”:
• Selecting a Health Care IT Vendor
• Negotiating Key Contract Terms
• Dealing with Vendor Non-Performance
![Page 3: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/3.jpg)
Legal Backdrop
• HIPAA/HITECH Privacy and Security Rules
• HITECH Meaningful Use
• NC and other State Identity Theft Rules
• NC Destruction of Personal Information Records Law
• EU Data Protection Directive and Cross-Border Data Flows
• PCI Rules
• Electronic Discovery
![Page 4: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/4.jpg)
Cloud Computing
v.
Traditional I.T. Structures
![Page 5: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/5.jpg)
Graphic Courtesy of Hosted Solutions
![Page 6: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/6.jpg)
Graphic Courtesy of Hosted Solutions
![Page 7: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/7.jpg)
Cloud Computing Services
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
![Page 8: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/8.jpg)
Cloud Computing and Security
Disadvantages
• Lack of Transparency
• Lack of Responsiveness
• “Trading Market” of
Subcontractors
• Vendor Lock-In
• Lack of Security Details
Advantages
• Data Dispersal
• Data Fragmentation
• “Tier 1” Data Centers
• Multiple Customer Demands
• Easier Patching and Updates
![Page 9: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/9.jpg)
Cloud Computing Contract Structures
• Typically service-based, not licensed
• OPEX, not CAPEX
• Often offered via “click and accept” agreements
• Sometimes incorporate by reference other terms of use
and policies
• Sometimes purport to be changeable without notice by the
vendor
![Page 10: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/10.jpg)
Selecting the Cloud
Computing Vendor: Due
Diligence and Key Contract
Terms
![Page 11: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/11.jpg)
Keys to Selecting a Cloud Computing Vendor
• Approach project realistically, in light of personnel, time and budget
• Document your requirements
• Obtain consultant as necessary
• Remember the need for training on new systems and new processes
• More realistic to adapt process to system than adapt system to process, in most cases
• Perform due diligence on vendor. Rigorously check with other similar users on their experiences. Check certifications
• Last but not least: enter into a good contract!!
![Page 12: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/12.jpg)
Negotiation Ideas
• Early on in discussions, alert vendor that you want certain key
adjustments to contract terms, identifying the issues
• If possible, use your own form of contract rather than vendor’s
form
• Try to keep multiple vendors in the process as long as possible to
keep competitive pressure on both price and terms
• Consider a formal RFP/response process for larger systems
![Page 13: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/13.jpg)
Security and Privacy Terms
• Confidentiality
• Third-Party security audits
• Right to review detailed security/disaster recovery policies
• Obligation to maintain security and security policies
• Right to audit and test security
• Notification in the case of breach
• Indemnification for breaches/payment of costs of required notices to
customers
• Encryption
![Page 14: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/14.jpg)
Business Associate Agreement
• Whose form of BAA?
• NCHICA form, of course!
• How much embellished?
• How does it relate to other confidentiality, security and
privacy provisions in contract?
![Page 15: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/15.jpg)
Regulatory Issues
• Certification by ONC-ATCB, such as CCHIT
• Meaningful use criteria
• Cooperation with certification and attestation
• Timing of implementation
![Page 16: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/16.jpg)
Other Key Data Issues
• Ownership of Data
• Disposition of Data on Termination
• Location of Data
• Legal / Government Request to Access Data
![Page 17: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/17.jpg)
Service Level Agreements
• Uptime
• Performance & Response Time
• Error Correction Time
• Infrastructure / Security
• Performance Credits
• Use of Measurement Technology
• Notice/Reporting Obligations
![Page 18: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/18.jpg)
Pricing Terms • Monthly service fees
• Per user or provider, or based on transactions?
• When does it start?
• Implementation fees
• Commitment to start date?
• Add-on pricing
• Payment terms
• Caps on increase in fees
![Page 19: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/19.jpg)
Term & Termination • Length
• Termination Penalties
• Data Rights upon Termination
• Vendor Termination or Suspension
• Automatic Renewal
![Page 20: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/20.jpg)
Warranties
• Warranty to specifications and requirements
• Avoid limited warranty to just documentation
• Include key functional specifications as an appendix to the document. Sometimes can pull these straight from vendor’s web site
• Warranty against noninfringement
• Anti-virus warranty
• Warranty that documentation is complete and gets updated with new releases in a timely fashion
• Services warranty – vendor should use reasonable skill in accordance with industry standards, and supply qualified and experienced personnel
![Page 21: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/21.jpg)
Third-Party Software/Services
• Vendor will want to disclaim responsibility (e.g., for performance or
IP issues) for third party software components of solution, especially
open source
• Buyer’s perspective:
• I’m buying a solution, and it shouldn’t matter to me whether vendor
chose to implement parts of the solution with third-party pieces
• Resolution varies and is often fact-specific:
• Well-known, off the shelf components more likely to be excluded
![Page 22: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/22.jpg)
Support and Maintenance
• Rights to new versions
• Timeframes for responding to and fixing problems
• Target/efforts versus commitment with financial
repercussions
![Page 23: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/23.jpg)
Intellectual Property • Proprietary software company will jealously guard ownership of its products
• Dispute often arises over ownership of any custom developed IP, such as interfaces
• Buyer’s argument:
• I paid for it, I should own it
• Vendor’s argument:
• You are paying for accelerated development
• I would never be able to have a product if each piece of custom IP was owned by the
buyer
• Possible compromises:
• Exclusive use for a period of time
• Sharing in royalties
![Page 24: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/24.jpg)
Other Terms
• Acceptance
Terms/Procedures
• Limitations of Liability
• Indemnification
• Insurance
• Modification of Contract
• Assignability
• Choice of Law/Jurisdiction
• Subcontractor approval
• Source Code escrow
![Page 25: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/25.jpg)
Project Failure
(The typical scenario)
• Buyer: The service is late, has not been delivered at all, or
has excessive errors
• Vendor: Buyer unilaterally expanded the scope of the
project, or failed to understand the service and its effect on
the practice.
![Page 26: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/26.jpg)
Project Failure
(Buyer’s Perspective) • Strategies:
• Document problems early and often, and communicate to Vendor
• Avoid unduly flattering emails; always come back to haunt in dispute situations
• Send formal notice of breach
• Provide opportunity to cure
• Withholding payment: must be done carefully
![Page 27: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/27.jpg)
Project Failure
(Vendor’s Perspective)
• Document changes in scope/obtain agreement
• Document unforeseen technical issues
• Consider when/if to withhold software/services, if unpaid
![Page 28: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/28.jpg)
Key Takeaways
• Due Diligence is critical when choosing Cloud Computing
Vendors . This includes not only direct questioning but
also third-party review such as dun and bradstreet reports,
ongoing litigation review, and merger activity.
• Insist on transparency
• Risk can vary depending on type of data involved and type
of cloud
• Form contracts rarely handle key issues satisfactorily
![Page 29: NCHICA - Contracts with Healthcare Cloud Computing Vendors](https://reader033.vdocument.in/reader033/viewer/2022051616/553913f5550346bb318b4942/html5/thumbnails/29.jpg)
Randy Whitmeyer
Whitmeyer - Tuffin PLLC
919-880-6880
Any questions?