Moving to the Cloud? The Contract is Key

Feb. 25, 2014
In an educational session on Monday, called “Hidden Pitfalls of the Cloud, Mobile technology and Mobile Data,” Lee Kim, director of privacy and security at HIMSS and Steven J. Fox, an attorney with Post & Schell, P.C., gave practical advice for provider organizations entering into agreements with cloud vendors. They spoke about the ins and outs of negotiating a vendor contract and questions to ask during the vetting process.

In an educational session on Monday, called “Hidden Pitfalls of the Cloud, Mobile Technology and Mobile Data,” Lee Kim, director of privacy and security at HIMSS and Steven J. Fox, an attorney with Post & Schell, P.C., gave practical advice for provider organizations entering into agreements with cloud vendors. They spoke about the ins and outs of negotiating a vendor contract and questions to ask during the vetting process.

Kim noted that there regulations in the privacy and security space may vary on the state level; many states are what she termed “HIPAA-Plus,” with Health Insurance Portability and Accountability Act requirements that go beyond federal requirements. Pennsylvania, for example, has additional HIPAA requirements related to AIDS, mental health and alcohol use. 

Fox used a general definition of the cloud service provider as a vendor that hosts data remotely, outside the direct control of the customer organization.  “Data not under your direct control is where I get nervous, and you should be to,” he told the audience.

He cautioned provider organizations that considering entering into agreements that “that vendors are not your friends; they are your business partners.” A business relationship can be beneficial to both parties, but negotiating a solid contract requires a taking a hard look at the terms, he said. “That is the meat of what you are going to end up with,” he said. He advised against signing the initial contract with few or no changes, but instead of treating it as a point for negotiation. He said clients should pay special attention to pricing, and make sure that it reflects discussions it has had with the vendor.

When negotiating with a cloud service provider, it’s important to keep in mind that all cloud vendors are not equal, he said. He added that outsourcing data or applications does not mean hands off for the organization that owns the data.

Other advice he offered organizations includes:

  • Make sure you understand what the deal is about, and that is reflected in the contract. He cautioned about generic contracts that don’t reflect what the client organization understands about the agreement. He added to make sure that vendor responses to the client’s questions are stipulated in the contract.
  • Find out as much as possible about the cloud service provider: How long has it been in business; does it use state-of-the-art security protocols; is it a publicly traded or a wholly owned company and does it have financial resources to provide the service; and does it have a disaster recovery plan. “Check references,” he said.
  • Know where the data will be stored, and if it will be kept inside U.S. borders.
  • Know how easily you can access your data if the vendor goes bankrupt or out of business, or if you want to move the data to a different vendor.
  • Check if the vendor has third-party certification.

Sponsored Recommendations

Cloud Communications: Connecting Care at the Core

Cloud communications is the present, the recent past, and the future of collaborative healthcare.

The Ultimate HIPAA Security Guide for Cloud Communications

The healthcare industry is leading the charge in innovation, embracing cutting-edge technologies to enhance patient care and optimize operations. Forward-thinking organizations...

Improving Workplace Safety and Patient Care in Behavioral Health

In 2023, Vail Health enhanced safety in their behavioral health clinic, but the impact went beyond their expectations. Read their case study to see how prioritizing workplace ...

Transforming Hospital Capacity Through Smarter Patient Progression Strategies

Helping patients move seamlessly through every stage of their care, from admission to discharge, is critical to ensuring patient safety, improving outcomes, and optimizing capacity...