Tips for Negotiating a Cloud Vendor Agreement

With the digitization of medical records, there has been a lot of interest lately in storing information on the cloud. But storing data on the cloud—particularly clinical data—also presents risks to the hospital, which is legally responsible for the data it stores on the cloud is safe. That’s a tall order, and there are plenty of potential pitfalls to avoid when negotiating a contract with a cloud vendor.

“The cloud is great, but the trick is that the customer doesn’t have control of the data, and yet they are still responsible for it,” says Diana J.P. McKenzie, partner and chair, Information Technology and Outsourcing Group, Hunter, Maclean, Exley & Dunn, P.C., Savannah, Ga.

I recently spoke with Ms. McKenzie, who made a presentation about negotiating tips for cloud computing at the HIMSS 12 annual conference in February, about what healthcare provider organizations can do to protect themselves legally when taking advantage of the cloud. Here are her suggestions.

1. Make sure your lawyer asks enough questions; if not, the client doesn’t have somebody who really understands what’s going on. Where is the data going to be stored; if outside the U.S., what country? Examine the security policies and operational policies of cloud vendors, which can vary greatly from vendor to vendor, to make sure the data will be protected. She also cautions that some cloud vendors don’t follow their own policies.
2. Require the vendor to test certain scenarios before there is an emergency—a process not unlike a fire drill. “You have to make sure that everything you think is there will be there when you need to produce it,” she says. Testing also allows you to discover things about your own process, such as decisions about when and how far back the vendor should go in backing up data.
3. Avoid “soft” language in contracts; spell out your expectations in firm language. Use quantifiable measure, demand firm commitments, and use commercially reasonable standards against recognized standards, she advises.
4. Due diligence is a must. Put out a request for proposals to see what vendors can and cannot do, and compare them. Use a lawyer and/or consultant to put together the RFP, preferably who have plenty of experience—with a track record of putting together “several hundred of these at least,” she says. That kind of experience is invaluable to structuring these deals, she says. Check references, and use social media, user groups, conferences and basic online searches to get experiences from other customers.
5. In the regulatory arena, data privacy and security concerns include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. But there are other regulations providers should be aware of, she adds, including Gramm-Leach-Bliley, (financial, which also relates to patient payments) and Sarbanes Oxley (relates to U.S. public companies). State privacy laws are also important; they vary from state to state; cloud vendors need to be up on state laws. “Don’t just focus on HIPAA and HITECH, because you are still subject to all of these other laws out there,” she says.
6. Pay attention to export control regulations. There are severe rules in place restricting certain kinds of encrypted data leaving the U.S., she says. Some countries “own” all of the data within their borders, she adds.
7. Look for the kinds of insurance a cloud vendor has. Two types of insurance apply to the cloud. One is cyber insurance coverage, which relates to exposures related to the Internet environment. The other is errors and omission insurance, to protect against negligent actions. The later is expensive, and the insurance company makes an assessment of the vendor’s track record. For the hospital, this amounts to a validation by the insurance company that a cloud vendor is worth the risk, McKenzie says.
8. Don’t forget the basics. Clients are often excited about new technology, she says, but she cautions hospitals to cover all of the legal bases when entering into negotiations with cloud vendors. “All of the things you always needed in every other IT contract, you need here too,” she says.