By Kendra Casey Plank
Contracts for cloud-based information technology services should reflect the changing way IT services are being purchased for health care organizations and focus on specific issues inherent to how cloud services are delivered, attorneys advised during a recent web conference.
The growing trend toward cloud services in the health care industry means contracts must shift from a focus on how software and hardware are configured, implemented, and licensed to ensuring the availability of services provided via the cloud, how well the cloud systems perform, and data security and control in the cloud, Matthew Karlyn, a partner with Foley & Lardner LLP in Boston, said.
Traditional IT contracts cover licensing matters for software, vendor installation of hardware and software, and customization options for hardware and software. But those issues are less important, if they matter at all, in contracts for cloud services, Karlyn said.
Instead, he explained, contracts should be designed around such issues as the criticality of a software application to a health care organization's operations, the consequences of a cloud-based application or system being unavailable to a health care organization, the sensitivity of data being stored via a cloud provider, and the type of data being used in a cloud-based application.
“I need that background before starting a deal,” Karlyn said.
For example, contracts should have provisions addressing service availability, covering not just whether applications and systems are online but also access to services, Karlyn said.
While downtime, or offline time, is standard for cloud-based services to perform routine maintenance and upgrades, contracts should cover when such downtime--meaning systems and applications would not be available--is not acceptable for the health care organization's operations, Karlyn advised. Contracts should note the critical times when services must be available.
The security and privacy of health care data either stored in the cloud or used in cloud-based applications have been of growing concern.
Leeann Habte, an associate with Foley & Lardner in Los Angeles, said data security and privacy issues related to cloud services could be addressed in contracts, but also in business associate agreements that cover obligations under Health Insurance Portability and Accountability Act rules.
She stressed the importance of pre-agreement due diligence that addresses issues such as corporate responsibility, history of data breaches, the location of and access to disaster recovery facilities for data, cloud services providers' use of subcontractors, and recourse for the health organization in the event of a problem.
Habte also advised that contracts be clear about ownership of data and each party's responsibility with respect to data they own or for which they have custodial duties.
Daniel Orenstein, general counsel for the health care firm Athenahealth Inc., similarly cautioned health care organizations to understand which parties own what data involved in a cloud services contract.
He said, for example, that data in electronic health records increasingly come from multiple sources, raising questions about ownership and responsibility as well as access and how the data can be used.