Cloud Computing in Healthcare: HIPAA and State Law …media.straffordpub.com/products/cloud-computing-in...Jun 07, 2012 · in Cloud Computing Note that these slides and this presentation

Cloud Computing in Healthcare: HIPAA and State Law Challenges Navigating Privacy and Security Risks

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

THURSDAY, JUNE 7, 2012

Presenting a live 90-minute webinar with interactive Q&A

Matthew A. Karlyn, Partner, Foley & Lardner, Boston

M. Leeann Habte, Foley & Lardner, Los Angeles

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.

• Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.

• Double click on the PDF and a separate page will open.

• Print the slides by clicking on the printer icon.

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location

• Click the SEND button beside the box

FOR LIVE EVENT ONLY

Tips for Optimal Quality

Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-927-5568 and enter your PIN -when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

©2012 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

Cloud Computing in Healthcare: HIPAA and State Law Challenges

Matt Karlyn Partner Foley & Lardner LLP (617) 502-3231 [email protected]

Leeann Habte Associate Foley & Lardner LLP (213) 972-4679 [email protected]

June 7, 2012

4833-2149-3519.1

mailto:[email protected]�


©2012 Foley & Lardner LLP

6

PART 1 – WELCOME TO THE CLOUD


7

CDW Tracking Trends 84 percent of IT professionals from a cross-

section of industries say their organization has at least one cloud application

30 percent of health care organizations report implementing cloud computing – Electronic health records – Medical imaging – Telemedicine – Patient management – Traditional business and financial functions


8

What is Cloud Computing? Delivery over the Internet (i.e., the “cloud”) Software, platform or infrastructure

resources provided as services Scalability on-demand Utility and/or subscription billing (i.e.,

based on the customer’s actual use and/or a period of time)


9 Types of Cloud Computing Services Cloud computing has generally been broken down

into three types of services – Software-as-a-Service (SaaS) refers to the provider’s

software being delivered over the cloud to the customer as a service (e.g., electronic health record systems)

– Platform-as-a-Service (PaaS) refers to the providers software development platforms being delivered over the cloud to the customer as a service (e.g. Interface development). For example, a customer may use the service to develop, test, and deploy applications that are then hosted on the provider’s infrastructure.

– Infrastructure-as-a- Service (IaaS) refers to virtual servers, memory, processors, storage, network bandwidth, and other types of infrastructure resources, being delivered over the cloud to the customer as a service (e.g., Amazon, Google Rackspace, IBM computing on demand).


10

Models of Cloud Deployment Public Clouds

– Owned and operated by a cloud provider Private Clouds

– Computing environment operated exclusively for one organization

Community Clouds – Computing environment exclusive to 2+ organizations

with similar considerations Hybrid Clouds

– Composition of 2 or more clouds


11

Benefits of the Cloud Cost reduction Service flexibility Lower upfront risks and complexity with

realizing the benefits of new technology Reduction in capital costs


12

That all sounds great…

BUT There are risks…

What are the risks that health care

organizations evaluating cloud computing solutions should

consider?


13

Part 2 – Is that a storm cloud ahead?


14

Compliance Risks – Privacy and Security

Health care organizations are required to maintain health care data subject to numerous and differing federal and state laws


15

Federal Laws: HIPAA, HITECH, and Others HIPAA, as amended by the HITECH Act

– Requires health plans, health care clearinghouses, and covered health care providers to safeguard protected health information (PHI)

– Establishes 22 separate technology-neutral security standards

Gramm-Leach-Bliley Act (GLB Act) – Requires a written security plan

FTC laws and regulations, PCI DSS


16

State Privacy and Security Laws All states have state-specific privacy laws

– A handful have comprehensive medical privacy laws

– The rest have separate laws that govern the privacy of medical records and/or sensitive health information

Some states also mandate security controls – Personal information – Electronic health records


17

State Breach Reporting Laws Almost all states have specific

requirements for reporting breaches of medical or other personal information

Data breaches are costly – Average cost of $6.75 million, ranging from

$750,00 to $31 million in 2010 $204 per compromised record

– Most expensive data breach increased to $66 million in 2011


18

Compliance Not Delegable Accountability for the security and privacy

of health information cannot simply be delegated to a cloud provider.

HITECH holds Business Associates responsible for civil penalties – Notification costs, mitigation of harm,

damages

State law/FTC differ – Organizations are responsible for the actions

of their subcontractors


19

Cloud Computing Risks Heightened compliance risks

– Location of data if hosted by vendor Jurisdiction and laws governing data Security/breach notification requirements Scope of liability

– Vendor’s subcontracts with third parties Scope of control, responsibilities involved,

recourses/remedies


20

Cloud Computing Security Risks Multi-tenancy environment

– Data may be stored on a server with other customer’s data = increased risk of unauthorized disclosure

Security risks particular to cloud computing – Risks associated with services being

delivered over web browser (Adobe Flash, etc.)


21

Evaluating the Risk of Cloud Computing The sensitivity of the data that will be

stored in the cloud The criticality of the business process

being supported by the cloud computing solution

Solutions must be carefully evaluated to ensure the benefits outweigh the risks; ensure contractual protections and operational precautions are taken


22

Data Sensitivity and the Criticality of the Service High Risk = mission critical processes utilizing

highly sensitive data Medium Risk = generally available data that

requires high service levels; non-confidential enterprise data

Low Risk = not mission critical and generally available data; can accept outages and variable performance

Individually identifiable health information is high-risk data


23

Part 3 – Speaking of Contracts… Cloud computing agreements have some

similarity to licensing agreements, but have more in common with hosting or ASP agreements


24

Licensing vs. the Cloud Traditional licensing/hardware purchase

– Vendor installs the software or equipment in the customer’s environment

– Customer has ability to have the software or hardware configured to meet its needs

– Customer retains control of the data In the cloud…

– Software, hardware and customer data are hosted by the provider typically in a shared environment (e.g., many customers per server)

– Software and hardware configuration much more homogeneous across all customers


25

Licensing vs. the Cloud (cont’d)

Shift of top priorities – From configuration, implementation and

acceptance (in the licensing world) to service availability, performance, service levels, data security and control (in the cloud)

Traditional provisions retain importance, in particular – Insurance, indemnity, intellectual property,

limitations of liability, warranties


26

Cloud Customers Must Make Important Decisions There are no standard forms that work for every

customer, for every product, in every deal – Some commonly used outsourcing and software licensing terms

may be useful, but cannot be uniformly applied to cloud computing transactions

More robust contractual protection and provisions that address issues unique to the cloud are likely needed – For the “low risk” deals, a low risk solution may outweigh the

need for contractual protections – For “high risk” deals, better to take a closer look and include the

provisions that will protect your company – Note that robust contractual protections may have an impact on

price and eliminate certain providers altogether


27

The Focus of Cloud Computing Transactions Focus should be on:

– The criticality of the software, data and services to the enterprise

– The unique issues presented by a cloud computing environment (e.g., data security)

– The service levels and pricing offered by different suppliers and for different services

– Outsourcing agreements and traditional licensing agreements are a good starting point, but not a good ending point


28

Part 4 – Key Contractual Issues in Cloud Computing Note that these slides and this presentation contain

several examples of language that is commonly found in cloud computing agreements. These slides and this presentation are not a substitute for legal advice. The language to be used in your transactions depends on a variety of factors and the particular circumstances. You are strongly advised to engage knowledgeable legal counsel to access and help minimize your legal liabilities based on the particular requirements of your organization. Like any presentation or article, this is not meant to be a substitute for knowledgeable legal counsel.


29

Pre-Agreement Due Diligence Can the provider meet your organization’s

expectations? Require provider to complete a due diligence

questionnaire – Provider’s financial condition – Insurance – Existing service levels – Capacity – Data security – Disaster recovery and business continuity – Redundancy – Ability to comply with applicable regulations


30 Pre-Agreement Due Diligence (cont’d)

Pay particular attention to: – Vendor’s financial condition and corporate

responsibility – The provider’s subcontracts with third parties – The location of the data center(s) where the

data will be physically stored and who may have access to the data


31

Service Availability If the provider stops delivering services, the

customer will have no access to the services (which may be supporting a critical business function), and perhaps more importantly, no access to the customer’s data stored on the provider’s systems

A customer must be able to continue to operate and have access to its data at all times


32

Service Availability (cont’d) What do you need?

– If provider is maintaining PHI, a disaster recovery plan and an emergency mode operation plan

– Disaster recovery and business continuity assurances For example, “Provider shall maintain and implement disaster

recovery and emergency mode operation procedures to ensure that the Services are not interrupted during any disaster. Provider shall provide Customer with a copy of its current disaster recovery plan and emergency mode operations plan and all updates thereto during the Term. All requirements of this Agreement, including those relating to security policies, workforce screening and termination, training, and due diligence shall apply to the Provider disaster recovery site.”

– Provider’s agreement not to withhold services (even if there is a dispute) For example, “Provided Customer continues to timely make all

undisputed payments, Provider warrants that during the Term of this Agreement it will not withhold services provided hereunder, for any reason, including, but not limited to, a dispute between the parties arising under this Agreement.”


33

Service Availability (cont’d)

Protections against provider’s financial instability – Enable customer to identify issues in advance

For example, “Quarterly, during the Term, Provider shall provide Customer with all information reasonably requested by Customer to assess the overall financial strength and viability of Provider and Provider’s ability to fully perform its obligations under this Agreement. In the event Customer concludes that Provider does not have the financial wherewithal to fully perform as required hereunder, Customer may terminate this Agreement without further obligation or liability by providing written notice to Provider.”

– In-house software solution: consider requiring the provider to make available or develop an in-house solution to replacing software services if it stops providing those services


34

Service Levels Uptime service level

– Services must be available to customer at all times to support operations Outage window Measurement period Remedies Require provider to monitor servers by automatic

pinging “Unavailability” should include severe performance

degradation Service response time


35

Service Levels (cont’d)

Uptime – an example – For example, “Provider will make the Services

Available continuously, as measured over the course of each calendar month period, an average of 99.99% of the time, excluding unavailability as a result of Exceptions, as defined below (the “Availability Percentage”). “Available” means the Services shall be available for access and use by Customer. For purposes of calculating the Availability Percentage, the following are “Exceptions” to the service level requirement, and the Services shall not be considered Un-Available, if any inaccessibility is due to: (i) Customer’s acts or omissions; or (ii) Customer’s Internet connectivity.”


36


Response Time – an example – Maximum latencies and response times for the

customer’s use of the services For example, “The average download time for

each page of the Services, including all content contained therein, shall be within the lesser of (i) 0.5 seconds of the weekly Keynote Business 40 Internet Performance Index (“KB40”), or (ii) two (2) seconds. In the event the KB40 is discontinued, a successor index (such as average download times for all other customers of Provider) may be mutually agreed upon by the parties.”


37


Other common service level issues that customers should address are: – Simultaneous visitors – Problem response time and resolution time – Data return and periodic delivery – Remedies for failure to meet service levels

Should include financial penalties and termination


38


Why are they so important? – Assure the customer that it can rely on the

services and provide appropriate remedies if the provider fails to meet the agreed service levels

– Provide incentives that encourage the provider to be diligent in addressing issues


39

Data Security The security of a customer’s data in a

cloud computing environment has been recognized as one of the largest areas of concern for a customer – The customer is ultimately responsible for

complying with privacy and security regulations, and data security breaches are costly


40

Data Security (cont’d) Business Associate Agreements

– Required with cloud provider, if it hosts data or software containing PHI on its own server, or accesses PHI, even if only for troubleshooting software function (OCR, FAQ)

– BAA provisions may be incorporated in End User License Agreements, particularly by software companies (e.g., EHR software) EULA must be valid under State law for

BAA to be enforceable


41

Data Security (cont’d) Business Associate Agreements

– HIPAA standards may not address data security risks associated with cloud computing environment

– In addition to requiring the cloud provider to provide physical, technical, and administrative safeguards, as required by the HITECH Act, BAA or contract should expressly address the provider’s policies and procedures related to: Security protections unique to cloud Control of subcontracting arrangements Location of data Data redundancy Data ownership and use rights E-discovery Data conversion/data return


42

Data Security (cont’d) Security protections in provider’s policies:

– Compare with own policies and legal requirements – Ensure that providers’ policies address:

Baseline security measures, including physical controls over data storage facilities

Security incident management Hardware, software and security policies Information access and authorization procedures Security issues particular to cloud computing and services

being provided over the internet

– Some providers won’t show customer their security policies but will permit onsite access


43

Data Security (cont’d)

Security protections in contract should: – Address State law requirements – Define customer’s vs. providers’ responsibilities for

security – Include method to monitor performance of security

controls and procedures (e.g., third party audit) – Include administrative, technical, and physical

safeguards, in accordance with applicable laws – Expressly establish requirements for storage of

customer information – Provide for customer’s audit rights


44


Subcontracting arrangements – Third party relationships should be disclosed

in advance of reaching an agreement

HIPAA compliance – BAA must ensure that any subcontracts to

whom the Covered Entity provides PHI agree in writing to the same restrictions and conditions that apply to the Business Associate in its agreement with the Covered Entity


45


Subcontracting arrangements – Who is operating the data center – the provider

or a third party? Ensure third party hosts comply with your agreement Provider should accept all responsibility for the third

party host Provider should be jointly and severally liable with the

third party host for any breach of the agreement by the third party host

Consider entering a separate confidentiality agreement with the third party host

Advance notice if any change of the host


46

Data Security (cont’d) Location of Data

– May determine the jurisdiction and the governing law Overseas data may present practical difficulties Other state laws may impose additional compliance

requirements – Should include prohibition on off-shore work and

restrictions on data transfer – For example,

“In performing the functions, activities or services for, or on behalf of, Customer, Provider shall not, and shall not permit any of its subcontractors, to transmit or make available any PHI to any entity or individual outside the continental United States without the prior written consent of Customer. All activities and services shall be performed and rendered at the locations set forth in Attachment __. The Parties may mutually agree to authorize Provider’s use of additional locations in an amendment to this Agreement.”


47


Breach notification – Agreement should establish:

The procedures and timeframe for reporting a breach to the Covered Entity

The procedures and role of the parties with respect to investigation of the breach and notification of individuals

Liability of the Business Associate


48


In the event of a security breach: – Customer should have sole control over the

timing, content, and method of customer notification (if it is required)

– If the provider is responsible for the breach, then the provider should reimburse the customer for its reasonable out-of-pocket expenses in providing the notification, mitigating the harm, and otherwise complying with the law


49

Data Security (cont’d) Data redundancy

– Agreement should contain explicit provisions regarding Provider’s duty for regular backups and frequency of back

ups Below is a sample data redundancy provision: “Provider will: (i) execute (A) nightly database backups to a

backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer’s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time, the last 14 nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time.”


50


Data ownership and use rights – Agreement must contain:

Clear language regarding customer’s ownership of data

Specific language (i) regarding the provider’s obligations to maintain the confidentiality of such information and (ii) placing appropriate limitations on the provider’s use of such customer information

Strict limitations on provider’s use of data in aggregated, de-identified form

– Use of aggregate data must be for health care operations purpose permissible under HIPAA


51

Data Security (cont’d) E-discovery

– Agreement must require provider to retain meta-data

Data conversion/return of data – Must ensure that the customer is not “locked in” to the provider’s solution and

provider can return or destroy data at termination of agreement – A sample data conversion provision is provided below: – “At Customer’s request, Provider will provide a copy of Customer

Information to Customer in an ASCII comma-delimited format on a CD-ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider’s or its agents’ or subcontractors’ possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer’s request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information.”


52

Insurance Customer should self-insure against IT risks by

obtaining a cyber-liability policy Provider should be required to carry:

– Technology errors and omissions liability insurance – Commercial blanket bond, using Electronic &

Computer Crime or Unauthorized Computer Access insurance

Most data privacy and security laws will hold the customer liable for security breaches whether it was the customer’s fault or the provider’s fault


53

Indemnification Third party claims relating to the provider’s

breach of its confidentiality and security obligations, and claims relating to infringement of third party intellectual property rights – Limitation to copyright is not acceptable – Limitation to US IP rights may be acceptable,

but consider whether use of the services will occur overseas


54

Limitation of Liability Scrutinize limitation of liability provisions

carefully If you can’t eliminate the limitation of

liability in its entirety, seek the following protections: – Mutual protection – Appropriate carve-outs (e.g., confidentiality,

data security, indemnity) – A reasonable liability cap for direct damages


55

Intellectual Property Provider’s IP may be embedded in the

customer’s business process You should obtain ownership of any “work

product” and a very broad license to use any provider IP incorporated into any work product


56

Warranties The following warranties are common in these

types of agreements: – Conformance to specifications – Performance of services – Appropriate training – Compliance with laws – No sharing / disclosure of data – Services will not infringe – No viruses / destructive programs – No pending or threatened litigation – Sufficient authority to enter into agreement


57

Implementation When there will be significant implementation

services, the customer should consider establishing a broad definition of “services” in the cloud computing agreement – E.g., extensive software or hardware

implementation, configuration, customization) This is useful in limiting provider claims for

“out of scope” activity and request for additional money


58

Fees Ability to add and remove resources with a

corresponding upward or downward adjustment in the service fees

Identify all potential revenue streams and make sure that the identified fees are inclusive of such revenue streams

Lock in recurring fees for a period of time (one to three years) and thereafter an escalator based on CPI or another index


59

Term The customer should be able to terminate the

agreement at any time upon notice (14 to 30 days) and without penalty – The software and infrastructure are being provided as a

service and should be treated as such – The provider may request a minimum commitment from

the customer to recoup the provider’s “investment” in securing the customer as a customer If you agree to this, limit to no more than one year and

the provider should be required to provide evidence of its up front costs to justify such a requirement

HIPAA requires covered entities to terminate the agreement upon knowledge of a material breach by a subcontractor unless the breach can be cured


60

Publicity Agreement should contain a provision

relating to announcements and publicity in connection with the transaction.

Provider should be prohibited from: – Making any media releases or other public

announcements relating to the agreement – Using your name and trademarks without

your prior written consent


61

Assignment You should be able to assign your rights

under the agreement to your affiliates You should obtain assurance that any

provider assignee will agree to be bound by all the terms and conditions of the agreement


62

Exclusivity In order for customers to obtain the best pricing,

providers are asking customer to contractually commit to an exclusive arrangement

Before entering into such an arrangement, ensure your company has the proper protections in the agreement – Excellent service levels – Appropriate exceptions to exclusivity – Right to transition in anticipation of termination

You don’t want to be bound to a poorly performing provider!

Weigh pricing advantages with performance commitments and reliability of the provider


63

Post-Execution Ongoing Provider Assessment Regular program of evaluating a provider’s

performance – Provider required to supply the requisite

information to access the services – Notify the customer of any changes with

regard to the provider – Provide recommendations to improve the

services


64

Negotiation Leverage is important – you may not be

able to obtain all of the protections you want

Evaluate the business risks – Do the services support a critical business

function? – Do the services involve sensitive data? – Are the services customer facing?


65

Negotiation (cont’d)

If you can’t get the protections you want in the most significant areas of risk, consider walking away

If walking away is not an acceptable option, focus on risk mitigation – For example, if the provider refuses to modify its

uptime service level (arguing that it cannot separately administer an uptime warranty for different customers) focus on improved remedies and exit rights for failure to meet the service level


66

Part 5 -- Additional Issues to Consider Ability to audit Lack of transparency and control Subcontracting and flow down of

provisions IP issues Change management and governance/

oversight


67

QUESTIONS?

Matt Karlyn Partner

Foley & Lardner LLP 111 Huntington Avenue

Boston, MA 02199

[email protected]

(617) 502-3231

Leeann Habte Associate

Foley & Lardner LLP 555 S. Flower Street

Los Angeles, CA 90071

[email protected]

(213) 972-4679



Documents

Cloud Computing in Healthcare: HIPAA and State Law …media.straffordpub.com/products/cloud-computing-in...Jun 07, 2012 · in Cloud Computing Note that these slides and this presentation