Contracting with the Healthcare Cloud Service Provider
Workshop on Health Information in the Cloud: Business Strategy, Security and Deployment
NC Healthcare Information and Communications Alliance, March 2011
Randy Whitmeyer, Whitmeyer Tuffin PLLC, www.whit-law.com

Topics
• Legal Backdrop
• Cloud Computing v. Traditional IT Structures
• The “Contract Circle”:
  • Selecting a Health Care IT Vendor
  • Negotiating Key Contract Terms
  • Dealing with Vendor Non-Performance

Legal Backdrop
• HIPAA/HITECH Privacy and Security Rules
• HITECH Meaningful Use
• NC and other State Identity Theft Rules
• NC Destruction of Personal Information Records Law
• EU Data Protection Directive and Cross-Border Data Flows
• PCI Rules
• Electronic Discovery

Cloud Computing Services
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

Cloud Computing and Security
Advantages:
• Data Dispersal
• Data Fragmentation
• “Tier 1” Data Centers
• Multiple Customer Demands
• Easier Patching and Updates
Disadvantages:
• Lack of Transparency
• Lack of Responsiveness
• “Trading Market” of Subcontractors
• Vendor Lock-In
• Lack of Security Details
Selecting the Cloud Computing Vendor: Due Diligence and Key Contract Terms
Keys to Selecting a Cloud Computing Vendor
• Approach the project realistically, in light of personnel, time and budget
• Document your requirements
  • Obtain a consultant as necessary
• Remember the need for training on new systems and new processes
  • In most cases it is more realistic to adapt the process to the system than to adapt the system to the process
• Perform due diligence on the vendor. Rigorously check with other similar users on their experiences. Check certifications
• Last but not least: enter into a good contract!

Negotiation Ideas
• Early on in discussions, alert the vendor that you want certain key adjustments to contract terms, identifying the issues
  • If possible, use your own form of contract rather than the vendor’s form
• Try to keep multiple vendors in the process as long as possible to keep competitive pressure on both price and terms
• Consider a formal RFP/response process for larger systems

Security and Privacy Terms
• Confidentiality
• Third-party security audits
• Right to review detailed security/disaster recovery policies
• Obligation to maintain security and security policies
• Right to audit and test security
• Notification in the case of breach
• Indemnification for breaches / payment of costs of required notices to customers
• Encryption

Business Associate Agreement
• Whose form of BAA?
  • NCHICA form, of course!
• How much embellished?
• How does it relate to other confidentiality, security and privacy provisions in the contract?

Regulatory Issues
• Certification by an ONC-ATCB, such as CCHIT
• Meaningful use criteria
• Cooperation with certification and attestation
• Timing of implementation

Other Key Data Issues
• Ownership of Data
• Disposition of Data on Termination
• Location of Data
• Legal / Government Requests to Access Data

Service Level Agreements
• Uptime
• Performance & Response Time
• Error Correction Time
• Infrastructure / Security
• Performance Credits
• Use of Measurement Technology
• Notice/Reporting Obligations

Pricing Terms
• Monthly service fees
  • Per user or provider, or based on transactions?
  • When does it start?
• Implementation fees
  • Commitment to start date?
• Add-on pricing
• Payment terms
• Caps on increases in fees

Term & Termination
• Length
• Termination Penalties
• Data Rights upon Termination
• Vendor Termination or Suspension
• Automatic Renewal

Warranties
• Warranty to specifications and requirements
  • Avoid a limited warranty to just the documentation
  • Include key functional specifications as an appendix to the contract. Sometimes these can be pulled straight from the vendor’s web site
• Warranty against non-infringement
• Anti-virus warranty
• Warranty that documentation is complete and is updated with new releases in a timely fashion
• Services warranty: vendor should use reasonable skill in accordance with industry standards, and supply qualified and experienced personnel

Third-Party Software/Services
• Vendor will want to disclaim responsibility (e.g., for performance or IP issues) for third-party software components of the solution, especially open source
• Buyer’s perspective:
  • I’m buying a solution, and it shouldn’t matter to me whether the vendor chose to implement parts of the solution with third-party pieces
• Resolution varies and is often fact-specific:
  • Well-known, off-the-shelf components are more likely to be excluded

Support and Maintenance
• Rights to new versions
• Timeframes for responding to and fixing problems
• Target/efforts versus commitment with financial repercussions

Intellectual Property
• Proprietary software company will jealously guard ownership of its products
• Dispute often arises over ownership of any custom-developed IP, such as interfaces
• Buyer’s argument:
  • I paid for it, I should own it
• Vendor’s argument:
  • You are paying for accelerated development
  • I would never be able to have a product if each piece of custom IP was owned by the buyer
• Possible compromises:
  • Exclusive use for a period of time
  • Sharing in royalties

Other Terms
• Modification of Contract
• Acceptance Terms/Procedures
• Assignability
• Limitations of Liability
• Choice of Law/Jurisdiction
• Indemnification
• Subcontractor approval
• Insurance
• Source Code escrow

Project Failure (The typical scenario)
• Buyer: The service is late, has not been delivered at all, or has excessive errors
• Vendor: Buyer unilaterally expanded the scope of the project, or failed to understand the service and its effect on the practice

Project Failure (Buyer’s Perspective)
• Strategies:
  • Document problems early and often, and communicate them to the Vendor
  • Avoid unduly flattering emails; they always come back to haunt you in dispute situations
  • Send formal notice of breach
  • Provide opportunity to cure
  • Withholding payment: must be done carefully

Project Failure (Vendor’s Perspective)
• Document changes in scope / obtain agreement
• Document unforeseen technical issues
• Consider when/if to withhold software/services, if unpaid
Key Takeaways
• Due diligence is critical when choosing Cloud Computing Vendors. This includes not only direct questioning but also third-party review such as Dun & Bradstreet reports, ongoing litigation review, and merger activity
• Insist on transparency
• Risk can vary depending on the type of data involved and the type of cloud
• Form contracts rarely handle key issues satisfactorily

Any questions?
Randy Whitmeyer, Whitmeyer Tuffin PLLC, 919-880-6880