Current Options for EHR Implementation: Cloud or No Cloud?
Regina Sharrow
Isaac Willett
April 5, 2011

Introduction
Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) passed in 2009
─ Goal: to increase provider efficiency and improve quality of care for patients through the use of electronic health records (EHRs)

Introduction
Health Care Providers required to adopt and “meaningfully use” health information technology, BUT
─ Costly to implement
─ Technology still evolving
─ Relatively new concept for many smaller health care providers
─ Incentives for adopting EHR turn into reduced Medicare reimbursement in 2015 for those failing to adopt and use health information technology

Could Cloud Computing be the Solution?

What is Cloud Computing?
Using the WWW or the internet to access computer applications
Three service models
─ Software as a service (SaaS)
─ Platform as a service (PaaS) (e.g., web server, database, programming language)
─ Infrastructure as a service (IaaS) (networks, virtualization, storage)

What is Cloud Computing?
Cloud computing delivery methods
─ Private cloud – the resources used to provide the services are dedicated to one specific customer
─ Public cloud – the resources are shared generally with the vendor’s other customers
─ Hybrid cloud – multiple clouds are interconnected

Pros and Cons of Cloud Computing
Pros
─ Cost effective (hardware, software, personnel)
─ Scalable
─ Flexible
─ Pay only for services used – “on demand”
─ Outsource non-medical functions/focus on practice
Cons
─ May be slower
─ Loss of control (normal operating and in emergency situations)
─ Privacy concerns
─ Long-term operating costs may exceed cost of ownership
─ Regulatory complications

Early Experiences in Cloud Adoption
Health care companies have begun experimenting with taking business-critical operations to the cloud
Two general issues
─ How to ensure regulatory compliance
─ How to limit legal liability

Early Experiences in Cloud Adoption
Early struggles trying to achieve these goals due to:
─ Complexity of regulatory landscape
  - 50 U.S. state laws, federal U.S. law, EU directives, other international law
─ Hesitancy of cloud vendors to “customize” their service
  - “one size fits all” mentality to privacy and security; however, health care companies face unique challenges

Early Experiences in Cloud Adoption
Three strategies:
─ Limit the types of data going to the cloud to non-sensitive and unregulated data
─ Require cloud vendors to limit data centers to U.S. only
─ Solve regulatory and liability challenges up front via due diligence and detailed contract provisions

Early Experiences in Cloud Adoption
Limit the types of data going to the cloud to non-sensitive and unregulated data
- Only allow non-sensitive or non-health information to be used on the cloud
- This diminishes the benefit of broad implementation of cloud solutions

Early Experiences in Cloud Adoption
Require cloud vendors to limit data centers to U.S. only
- Some companies also require strict oversight of any downstream cloud vendors (e.g., cloud vendor using Amazon for storage)
  - Require consent; require downstream vendor to abide by same privacy/security requirements; require indemnification and liability for downstream vendor’s breaches
- This simplifies the regulatory challenge but ignores how some cloud vendors actually operate

Standard Position of U.S. Cloud Vendors
Legal Liability:
─ Limited liability for breach of privacy/security requirements
  - Usually limited to a dollar cap
  - If not capped, limited to gross negligence or intentional misconduct
─ Limited ability to retrieve data
  - Sometimes only upon termination
  - Will usually charge a fee for return of data
─ Limited transition assistance
  - Sometimes none
  - Will usually charge a fee

Standard Position of U.S. Cloud Vendors
Regulatory Compliance:
─ Will often not consider customer’s standard privacy/security policies and will not modify their standard privacy/security policies
  - Sometimes this is not a problem, but if a cloud vendor is not accustomed to health care-based customers, then this is often a non-starter

Negotiate Up Front
Healthcare companies must do their “due diligence” on potential cloud vendors and possibly down-stream cloud vendors as well
─ Consider a site visit to the cloud vendor’s facilities to ensure vendor’s employees’ understanding of applicable laws
─ Consider transparency/cloud vendor’s willingness to allow one or more visits
─ Request an initial “pilot” to test the system

Negotiate Up Front
Thorny issues must be addressed and detailed provisions must be included in the contract
─ Specify vendor as responsible party for monitoring and implementing additional regulatory requirements and include time frames for implementation
─ Require cloud vendor to specify who will have access to the data at remotely hosted environment and confirm they are trained in HIPAA compliance
─ Incorporate detailed transition provisions and processes to ensure you or the successor vendor receive the data needed, including timing, format of data, etc.
─ Include detailed provisions re: data sanitation process upon termination of contract (or failure of vendor’s business)

Negotiate Up Front
Thorny issues (con’t)
─ Ensure you have multiple paths to data center hosting to avoid loss of access to data
─ Include in the contract how often vendor will back-up data and in what format
─ Discuss maintenance (how often, duration of each maintenance and process) and alternative data access during maintenance
─ Ensure standards and important technical terms/definitions are agreed upon and detailed in the contract
─ Ensure you maintain ownership of and access to all of your data - ALWAYS

Regulatory Challenges for Health Care Adopters of Cloud Computing

Health Care Regulatory Challenges of Cloud Computing
Ensuring regulatory compliance presents one of the most difficult challenges to health care companies’ ability to leverage the advantages of cloud computing

Summary of Regulatory Requirements
The primary federal legal requirements U.S. Health Care companies must follow are:
─ Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
─ HITECH Act

Regulatory Requirements - HIPAA
Two basic parts to HIPAA: Privacy Rule and Security Rule
Privacy Rule:
─ How and when may protected health information (“PHI”) be disclosed
Security Rule:
─ Implement specified administrative, physical, and technical safeguards to keep PHI secure

Regulatory Requirements - HIPAA
HIPAA Privacy Rule:
─ Originally only applied to Covered Entities
  - Covered Entity = health plans, health care clearinghouses, and healthcare providers
─ Permits disclosure of PHI only as required or permitted
─ Requires CE to enter into “Business Associate Agreement” with Business Associates
  - Business Associate = parties to whom a CE may disclose PHI so BA can perform service on its behalf
  - If a CE transmits PHI to a cloud vendor, the cloud vendor (and any downstream cloud vendor to which the CE’s PHI is transmitted) will be BAs

Regulatory Requirements - HIPAA
HIPAA Security Rule:
─ Four specific safeguards are required:
  - Integrity, confidentiality, and availability of electronic PHI (“e-PHI”)
  - Protect against threats and hazards
  - Protect against reasonably anticipated disclosures
  - Ensure that workforce complies with the Rule

Regulatory Requirements - HITECH
HITECH expands the definition of a “Business Associate” to include certain organizations that provide data transmission of PHI and that require access on a routine basis
─ This would include cloud vendor with access to PHI
HITECH creates a statutory obligation of BAs to comply with HIPAA’s privacy and security requirements
─ Prior to HITECH, the obligation was only a contractual commitment

Regulatory Requirements - HITECH
Under HITECH, BAs, including cloud providers acting as BAs, are required to:
─ Maintain written policies/procedures addressing the HIPAA Security Rule requirements
─ Maintain adequate training programs for employees
─ Designate a security officer for the company
─ Conduct “adequate and thorough” risk assessments of security methods
Larger cloud vendors may already satisfy these requirements, but small companies may struggle

Regulatory Requirements - HITECH
Perhaps most important aspect of HITECH is the breach notification requirements:
─ CE (reminder: this would be a cloud vendor’s customer) is required to notify its customers (the owners of the PHI) of any breach of unsecured PHI
─ BA (the cloud vendor) is also required to notify the CE of a breach “without unreasonable delay” and within 60 days max
  - The BA is also required to identify the individual whose PHI was breached, if possible

Regulatory Requirements - HITECH
HITECH breach notification requirements, cont:
─ “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through use of technology or methodology specified by Secretary of Dept. Health & Human Services

Regulatory Requirements - HITECH
Patients or other owners of PHI have the right to request an accounting of all disclosures of their PHI for the prior 3 years
─ This includes the use of any downstream cloud vendors who have hosted the data
─ Requires the disclosure of the identity of these parties
─ The challenge is many cloud vendors either can’t or don’t want to track these disclosures
Patients or other owners of PHI may also demand the return of their PHI at any time
─ This requires the ability for customers to access the data at any time

Liability for Failure to Comply with Regulatory Requirements
If the CE has demonstrated a pattern of non-compliance with the BA Agreement and the BA knows of it, both the CE and the BA could be liable under HIPAA / HITECH
HIPAA / HITECH imposes certain criminal and civil penalties on CEs and BAs that fail to comply
─ No longer merely a breach of contract with the CE

Liability for Failure to Comply with Regulatory Requirements
Two recent cases indicate that the government is taking an aggressive approach to enforcing HIPAA / HITECH
─ Cignet Health of Prince George's County, Md., ordered to pay a $4.3 million civil monetary penalty for violating the HIPAA privacy rule – February 2011
─ The General Hospital Corporation and Massachusetts General Physicians Organization Inc. agreed to pay the U.S. government $1 million to settle potential violations of the HIPAA Privacy Rule

Contractual Responses to Regulatory Requirements

Contractual Responses
In light of the new HITECH requirements, CEs have begun requiring some or all of the following legal protections in their contracts with cloud vendors:
─ Indemnification of damages arising from cloud vendor’s breach of HITECH requirements
─ Reimbursement of costs associated with notification of breaches
─ Expressly allowing the cloud customer to seek equitable relief (e.g., injunctions) against the cloud vendor

Contractual Responses
Legal protections in light of HITECH, cont:
─ Not only requiring the cloud vendor to abide by HITECH and the BA Agreement, but also abide by any amendments to the relevant laws/regulations as well as guidance from the Dept. Health & Human Services
─ Permit the cloud customer to audit the security of the cloud vendor
─ Require consent and/or allow control over any downstream cloud vendors that might be used, including the right to audit
─ Indemnify the cloud customer for all breaches by any downstream cloud vendors that may be used

THANK YOU!
Regina Sharrow and Ike Willett
Baker & Daniels LLP
600 East 96th Street, Suite 600
Indianapolis, IN 46240
[email protected]
(317) 569-4604
[email protected]
(317) 569-4640