Current Options for EHR Implementation: Cloud or No Cloud?
Regina Sharrow, Isaac Willett
April 5, 2011


Page 1: Current Options for EHR Implementation: Cloud or No Cloud?

Regina Sharrow
Isaac Willett
April 5, 2011

Page 2: Introduction

Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) passed in 2009
─ Goal: to increase provider efficiency and improve quality of care for patients through the use of electronic health records (EHRs)

Page 3: Introduction

Health Care Providers required to adopt and “meaningfully use” health information technology, BUT
─ Costly to implement
─ Technology still evolving
─ Relatively new concept for many smaller health care providers
─ Incentives for adopting EHR turn into reduced Medicare reimbursement in 2015 for those failing to adopt and use health information technology

Page 4: Could Cloud Computing be the Solution?

Page 5: What is Cloud Computing?

Using the WWW or the internet to access computer applications

Three service models
─ Software as a service (SaaS)
─ Platform as a service (PaaS) (e.g., web server, database, programming language)
─ Infrastructure as a service (IaaS) (networks, virtualization, storage)

Page 6: What is Cloud Computing?

Cloud computing delivery methods
─ Private cloud – the resources used to provide the services are dedicated to one specific customer
─ Public cloud – the resources are shared generally with the vendor’s other customers
─ Hybrid cloud – multiple clouds are interconnected

Page 7: Pros and Cons of Cloud Computing

Pros
─ Cost effective (hardware, software, personnel)
─ Scalable
─ Flexible
─ Pay only for services used – “on demand”
─ Outsource non-medical functions/focus on practice

Cons
─ May be slower
─ Loss of control (normal operating and in emergency situations)
─ Privacy concerns
─ Long-term operating costs may exceed cost of ownership
─ Regulatory complications

Page 8: Early Experiences in Cloud Adoption

Health care companies have begun experimenting with taking business-critical operations to the cloud

Two general issues
─ How to ensure regulatory compliance
─ How to limit legal liability

Page 9: Early Experiences in Cloud Adoption

Early struggles trying to achieve these goals due to:
─ Complexity of regulatory landscape
  - 50 U.S. state laws, federal U.S. law, EU directives, other international law
─ Hesitancy of cloud vendors to “customize” their service
  - “One size fits all” mentality to privacy and security; however, health care companies face unique challenges

Page 10: Early Experiences in Cloud Adoption

Three strategies:
─ Limit the types of data going to the cloud to non-sensitive and unregulated data
─ Require cloud vendors to limit data centers to U.S. only
─ Solve regulatory and liability challenges up front via due diligence and detailed contract provisions

Page 11: Early Experiences in Cloud Adoption

Limit the types of data going to the cloud to non-sensitive and unregulated data
- Only allow non-sensitive or non-health information to be used on the cloud
- This diminishes the benefit of broad implementation of cloud solutions

Page 12: Early Experiences in Cloud Adoption

Require cloud vendors to limit data centers to U.S. only
- Some companies also require strict oversight of any downstream cloud vendors (e.g., cloud vendor using Amazon for storage)
  - Require consent; require downstream vendor to abide by same privacy/security requirements; require indemnification and liability for downstream vendor’s breaches
- This simplifies the regulatory challenge but ignores how some cloud vendors actually operate

Page 13: Standard Position of U.S. Cloud Vendors

Legal Liability:
─ Limited liability for breach of privacy/security requirements
  - Usually limited to a dollar cap
  - If not capped, limited to gross negligence or intentional misconduct
─ Limited ability to retrieve data
  - Sometimes only upon termination
  - Will usually charge a fee for return of data
─ Limited transition assistance
  - Sometimes none
  - Will usually charge a fee

Page 14: Standard Position of U.S. Cloud Vendors

Regulatory Compliance:
─ Will often not consider customer’s standard privacy/security policies and will not modify their standard privacy/security policies
  - Sometimes this is not a problem, but if a cloud vendor is not accustomed to health care-based customers, then this is often a non-starter

Page 15: Negotiate Up Front

Healthcare companies must do their “due diligence” on potential cloud vendors and possibly down-stream cloud vendors as well
─ Consider a site visit to the cloud vendor’s facilities to ensure vendor’s employees’ understanding of applicable laws
─ Consider transparency/cloud vendor’s willingness to allow one or more visits
─ Request an initial “pilot” to test the system

Page 16: Negotiate Up Front

Thorny issues must be addressed and detailed provisions must be included in the contract
─ Specify vendor as responsible party for monitoring and implementing additional regulatory requirements and include time frames for implementation
─ Require cloud vendor to specify who will have access to the data at remotely hosted environment and confirm they are trained in HIPAA compliance
─ Incorporate detailed transition provisions and processes to ensure you or the successor vendor receive the data needed, including timing, format of data, etc.
─ Include detailed provisions re: data sanitation process upon termination of contract (or failure of vendor’s business)

Page 17: Negotiate Up Front

Thorny issues (con’t)
─ Ensure you have multiple paths to data center hosting to avoid loss of access to data
─ Include in the contract how often vendor will back-up data and in what format
─ Discuss maintenance (how often, duration of each maintenance and process) and alternative data access during maintenance
─ Ensure standards and important technical terms/definitions are agreed upon and detailed in the contract
─ Ensure you maintain ownership of and access to all of your data - ALWAYS

Page 18: Regulatory Challenges for Health Care Adopters of Cloud Computing

Page 19: Health Care Regulatory Challenges of Cloud Computing

Ensuring regulatory compliance presents one of the most difficult challenges to health care companies’ ability to leverage the advantages of cloud computing

Page 20: Summary of Regulatory Requirements

The primary federal legal requirements U.S. Health Care companies must follow are:
─ Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
─ HITECH Act

Page 21: Regulatory Requirements - HIPAA

Two basic parts to HIPAA: Privacy Rule and Security Rule

Privacy Rule:
─ How and when may protected health information (“PHI”) be disclosed

Security Rule:
─ Implement specified administrative, physical, and technical safeguards to keep PHI secure

Page 22: Regulatory Requirements - HIPAA

HIPAA Privacy Rule:
─ Originally only applied to Covered Entities
  - Covered Entity = health plans, health care clearinghouses, and healthcare providers
─ Permits disclosure of PHI only as required or permitted
─ Requires CE to enter into “Business Associate Agreement” with Business Associates
  - Business Associate = parties to whom a CE may disclose PHI so BA can perform service on its behalf
  - If a CE transmits PHI to a cloud vendor, the cloud vendor (and any downstream cloud vendor to which the CE’s PHI is transmitted) will be BAs

Page 23: Regulatory Requirements - HIPAA

HIPAA Security Rule:
─ Four specific safeguards are required:
  - Integrity, confidentiality, and availability of electronic PHI (“e-PHI”)
  - Protect against threats and hazards
  - Protect against reasonably anticipated disclosures
  - Ensure that workforce complies with the Rule

Page 24: Regulatory Requirements - HITECH

HITECH expands the definition of a “Business Associate” to include certain organizations that provide data transmission of PHI and that require access on a routine basis
─ This would include cloud vendor with access to PHI

HITECH creates a statutory obligation of BAs to comply with HIPAA’s privacy and security requirements
─ Prior to HITECH, the obligation was only a contractual commitment

Page 25: Regulatory Requirements - HITECH

Under HITECH, BAs, including cloud providers acting as BAs, are required to:
─ Maintain written policies/procedures addressing the HIPAA Security Rule requirements
─ Maintain adequate training programs for employees
─ Designate a security officer for the company
─ Conduct “adequate and thorough” risk assessments of security methods

Larger cloud vendors may already satisfy these requirements, but small companies may struggle

Page 26: Regulatory Requirements - HITECH

Perhaps most important aspect of HITECH is the breach notification requirements:
─ CE (reminder: this would be a cloud vendor’s customer) is required to notify its customers (the owners of the PHI) of any breach of unsecured PHI
─ BA (the cloud vendor) is also required to notify the CE of a breach “without unreasonable delay” and within 60 days max
  - The BA is also required to identify the individual whose PHI was breached, if possible

Page 27: Regulatory Requirements - HITECH

HITECH breach notification requirements, cont:
─ “Unsecured PHI” means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through use of technology or methodology specified by Secretary of Dept. Health & Human Services

Page 28: Regulatory Requirements - HITECH

Patients or other owners of PHI have the right to request an accounting of all disclosures of their PHI for the prior 3 years
─ This includes the use of any downstream cloud vendors who have hosted the data
─ Requires the disclosure of the identity of these parties
─ The challenge is many cloud vendors either can’t or don’t want to track these disclosures

Patients or other owners of PHI may also demand the return of their PHI at any time
─ This requires the ability for customers to access the data at any time

Page 29: Liability for Failure to Comply with Regulatory Requirements

If the CE has demonstrated a pattern of non-compliance with the BA Agreement and the BA knows of it, both the CE and the BA could be liable under HIPAA / HITECH

HIPAA / HITECH imposes certain criminal and civil penalties on CEs and BAs that fail to comply
─ No longer merely a breach of contract with the CE

Page 30: Liability for Failure to Comply with Regulatory Requirements

Two recent cases indicate that the government is taking an aggressive approach to enforcing HIPAA / HITECH
─ Cignet Health of Prince George's County, Md., ordered to pay a $4.3 million civil monetary penalty for violating the HIPAA privacy rule – February 2011
─ The General Hospital Corporation and Massachusetts General Physicians Organization Inc. agreed to pay the U.S. government $1 million to settle potential violations of the HIPAA Privacy Rule

Page 31: Contractual Responses to Regulatory Requirements

Page 32: Contractual Responses

In light of the new HITECH requirements, CEs have begun requiring some or all of the following legal protections in their contracts with cloud vendors:
─ Indemnification of damages arising from cloud vendor’s breach of HITECH requirements
─ Reimbursement of costs associated with notification of breaches
─ Expressly allowing the cloud customer to seek equitable relief (e.g., injunctions) against the cloud vendor

Page 33: Contractual Responses

Legal protections in light of HITECH, cont:
─ Not only requiring the cloud vendor to abide by HITECH and the BA Agreement, but also abide by any amendments to the relevant laws/regulations as well as guidance from the Dept. Health & Human Services
─ Permit the cloud customer to audit the security of the cloud vendor
─ Require consent and/or allow control over any downstream cloud vendors that might be used, including the right to audit
─ Indemnify the cloud customer for all breaches by any downstream cloud vendors that may be used

Page 34: THANK YOU!

Regina Sharrow and Ike Willett
Baker & Daniels LLP
600 East 96th Street, Suite 600
Indianapolis, IN 46240

[email protected] (317) 569-4604
[email protected] (317) 569-4640