Contracts for cloud-based information technology services should reflect the changing way IT services are being purchased for health care organizations and focus on specific issues inherent to how cloud services are delivered, attorneys advised during a recent web conference.
The growing trend toward cloud services in the health care industry means contracts must shift from a focus on how software and hardware are configured, implemented, and licensed to ensuring the availability of services provided via the cloud, how well the cloud systems perform, and data security and control in the cloud, Matthew Karlyn, a partner with Foley & Lardner LLP in Boston, said.
Traditional IT contracts cover licensing matters for software, vendor installation of hardware and software, and customization options for hardware and software. But, those issues are less important--if at all--in contracts for cloud services, Karlyn said.
Instead, he explained, contracts should be designed around such issues as the criticality of a software application to a health care organization's operations, the consequences of a cloud-based application or system being unavailable to a health care organization, the sensitivity of data being stored via a cloud provider, and the type of data being used in a cloud-based application.
“I need that background before starting a deal,” Karlyn said.
For example, contracts should have provisions addressing service availability, and not just ensuring applications and systems are online, but also access to services, Karlyn said.
While downtime, or offline time, is standard for cloud-based services to perform routine maintenance and upgrades, contracts should cover when such downtime--meaning systems and applications would not be available--are not acceptable for the health care organization's operations, Karyln advised. Contracts should note the critical times when services must be available.
The security and privacy of health care data either stored in the cloud or used in cloud-based applications has been of growing concern.
Leeann Habte, an associate with Foley & Lardner in Los Angeles, said data security and privacy issues related to cloud services could be addressed in contracts, but also in business associate agreements that cover obligations under Health Insurance Portability and Accountability Act rules.
She stressed the importance of pre-agreement due diligence that addresses issues such as corporate responsibility, history of data breaches, the location of and access to disaster recovery facilities for data, cloud services providers' use of subcontractors, and recourse for the health organization in the event of a problem.
Habte also advised that contracts be clear about ownership of data and each parties' responsibility with respect to data they own or for which they have custodial duties.
Daniel Orenstein, general counsel for the health care firm Athenahealth Inc., similarly cautioned health care organizations to understand which parties own what data involved in cloud services contract.
He said, for example, that data in electronic health records increasingly come from multiple sources, raising questions about ownership and responsibility as well as access and how the data can be used.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).