The document outlines the agenda for a networking breakfast event focusing on cloud technology in healthcare, featuring various presentations and a panel discussion. Key challenges include the healthcare sector's hesitance to adopt cloud computing due to trust issues, regulatory confusion, and a lack of guidance on HIPAA compliance. The mission of the Health Care Cloud Coalition (HC3) is to reduce obstacles to cloud technology adoption, promote innovation, and build trust through an accepted accreditation process.

1. Networking Breakfast
Presentations Start at 9AM ET

2. Logistics &
Agenda
Grant Elliott
CEO, Ostendio, Inc.
@HCCColaition
#HC3

3. @HCCCoalition #HC3
Event Sponsors

4. @HCCCoalition #HC3
Agenda
8:30am Networking breakfast (sponsored by Davis Wright Tremaine LLP)
9:00am HC3 Overview Adam Greene
9:30am What is the Cloud? Hemant Pathak
10:00am The Disruptive Cloud Anish Sebastian
10:20am The Practical Cloud Pete Celano
10:40am Panel Discussion & QA Moderated by Shahid Shah
(Hemant Pathak, Chad Kissinger, Sandeep Pulim, Adam Greene)
11:30am HC3 Wrap up Adam Greene
Noon End

5. @HCCCoalition #HC3
Questions & Comments
Send questions to @HCCCoalition #HC3

6. Addressing Regulatory
Challenges of Bringing Health
Care to the Cloud
Adam H. Greene, JD, MPH
Partner, Davis Wright Tremaine LLP

7. @HCCCoalition #HC3
The Challenges
Cloud computing and
cloud-based mobile
technology can improve
health care and reduce
costs, but…

8. @HCCCoalition #HC3
The Challenges
Health care is not fully
leveraging cloud
technology because of lack
of trust in information
security

9. @HCCCoalition #HC3
The Challenges
Where health care
entities leverage cloud
computing, there are too
many inefficiencies:
A sea of different information
security questionnaires
Confusion and disagreement
over business associate
agreement terms
Confusion over information
security responsibilities

10. @HCCCoalition #HC3
The Challenges
A lack of HHS
guidance on how
HIPAA applies to
cloud computing:
What if cloud vendor was
unaware it was hosting PHI for a
covered entity?
No guidance or audit protocols
specific to business associates
How to handle patients rights
and breaches when you may not
know what information you have

11. @HCCCoalition #HC3
The Challenges
The price of entry for
small companies into
health care is too high
because of this
confusion.

12. @HCCCoalition #HC3
The Mission of HC3
Reduce obstacles to the health care sector
leveraging cloud computing technology.
Promote innovation by reducing health care
compliance burdens on health care technology
companies.

13. @HCCCoalition #HC3
The Objectives of HC3
1. Understanding – Create an accepted
framework for health care and cloud computing

14. @HCCCoalition #HC3
The Objectives of HC3
Develop internal
guidance on how
HIPAA applies to cloud
computing.

15. @HCCCoalition #HC3
The Objectives of HC3
Develop
tools,
such as:
Sample business associate agreement
provisions, to address unique cloud
computing issues
Notices that clearly identify each party’s
security responsibilities
A self-audit protocol for cloud computing
providers

16. @HCCCoalition #HC3
The Objectives of HC3
Work with health care providers and other
associations (e.g., HIMSS, Cloud Security
Alliance) to obtain feedback and promote
the tools and guidance.

17. @HCCCoalition #HC3
The Objectives of HC3
2. Trust – Build trust in cloud computing and
regulatory compliance through an accepted
accreditation/certification process or other
programs.

18. @HCCCoalition #HC3
The Objectives of HC3
Certification
needs to be:
Focused on health care (e.g., HIPAA,
Alcohol and Substance Abuse
Treatment Confidentiality)
Focused on cloud computing
Scalable (e.g., works for both large IaaS
provider and small SaaS provider that
does not host its own data)

19. @HCCCoalition #HC3
The Objectives of HC3
Not looking to reinvent the wheel.
 Adopt and promote any existing or upcoming
certifications/accreditations that meet our needs.
 Tweak any existing certifications/accreditations
that get us 90% of the way there.

20. @HCCCoalition #HC3
The Objectives of HC3
3. Government Outreach – Seek regulatory
guidance from HHS and other relevant
agencies. Maintain outreach and
transparency with the government.

21. @HCCCoalition #HC3
The Objectives of HC3
4. What else?

22. @HCCCoalition #HC3
Next Steps?
Learn from others today about the benefits and
challenges of cloud computing in health care.
Discuss the scope of what HC3 will initially
take on.
Incorporate and set up structure for
membership dues.
Volunteers

23. Health Care Cloud Coalition
Legal considerations with cloud
computing
A View From The Cloud Vendor.
Insight on the HIPAA Omnibus Rule,
Cloud Privacy & Security, and HIPAA
Enforcement
Hemant Pathak, Assistant General Counsel, Microsoft

24. @HCCCoalition #HC3
What are the types of cloud model we
are going to discuss today?
 Enterprise Cloud
 Three types of cloud services: SaaS, PaaS, IaaS
 Public, Private, Hybrid
 Always available
 Per user, consumption buying model
 Data and services with a common delivery model in
shared data centers
 Different from traditional “outsourcing”

25. @HCCCoalition #HC3
Why do customers choose cloud
services?
 On demand scalability, reliability and flexibility of
computing resources, updates, interoperability and tech
support
 Reduction of infrastructure costs & complexities at very
large economies of scale across the board (electricity,
network bandwidth, operations, SW & HW).
 Organizations can “get out” of the Data Center business
 The right vendor can address state of the art security &
privacy protocols to help customers address their
compliance requirements in a highly regulated industry

26. @HCCCoalition #HC3
From the cloud service provider (CSP) perspective
– what are contracting expectations?
 Cloud services are configurable, but generally not
customizable
 SLA, Service Descriptions, Security Descriptions
 Contract terms that require unique requirements for
service for one individual subscriber are not scalable
 Pre-Sales CSP & customer partnership and due
diligence on contract terms and solution alignment
reduces risk now and in the future for both parties
 Ensure compliance with laws and corporate policies
 Protect brand and reputation for both parties

27. @HCCCoalition #HC3
From the customer perspective – what
are contracting expectations?
Where and how is data stored?
 Clear data maps and geographic boundary information Data
must be encrypted wherever possible
Who has access and what is accessed?
 Core customer data must be accessed only for service
delivery, troubleshooting, migration and malware prevention
purposes on an exception basis and all access should be
logged
Who owns data?
 The Customer. Data must be fully portable and retrievable
Who pays for costs related to security breaches?
 Commercial term addressed by the parties

28. @HCCCoalition #HC3
Security & Privacy – How do you get
assurances?
 Security
 Physical Data Center standards
 Secure Networks
 Automated operations
 Robust breach prevention, detection and mitigation
 Compliance -Cloud Service Providers (CSP) should address
regulatory standards
 E.g. - ISO 27001, HIPAA BAA
 Federal Trade Commission
 Watchdog groups
 Healthcare agencies
 DHHS
 Independent Audit & Verification

29. @HCCCoalition #HC3
What are questions Customers ask a
potential CSP?
 Security & Privacy Compliance
 Does the cloud vendor offer a BAA
 Does the BAA contain all required HIPAA terms
 Does the CSP stipulate to comply with breach notification rule, timely reporting,
appropriate and transparent limitations on use & disclosure and “minimum
necessary”
 Embedded technical, physical and administrative safeguards in support of HIPAA
 Data mining – will my cloud provider use my data for advertising, marketing or
other commercial purpose w/o my consent
 Does CSP have transparent and robust process on addressing third party
requests for data?
 Clinical centered care strategies
 Compliance across collaboration modes through audio, video & messaging
 HealthCare Enterprise Ready

30. @HCCCoalition #HC3
What are consequences of non-
compliance?
 Phoenix Cardiac Surgery
 Fined $100,000 by DHHS for failure to obtain a BAA
“Covered Entity failed to obtain satisfactory assurances in business
associates agreements from the Internet-based calendar and from the
Internet-based public email providers that these entities would appropriately
safeguard the ePHI received from Covered Entity.”
 Oregon Health & Science University
 Negative PR stemming from breach involving storing a spreadsheet of
patient data with cloud service which was not a business associate.
 DHHS Regulator Quotes
“If you use a cloud service, it should be your business associate. If they
refuse to sign a business associate agreement, don't use the cloud service.”
“…cloud services [are] under direct regulations of HIPAA…,"

31. @HCCCoalition #HC3
Conclusion
 Health Care Providers moving to the cloud want to
choose a CSP that has been proven trustworthy and that
they can trust.
 Transparency about compliance, security and privacy
practices and use of data is the key to trust.
 Transparency allows customers to determine whether
using a given cloud offering helps them to be compliant
with applicable regulations and corporate policy.

32. @HCCCoalition #HC3
QUESTIONS?

33. The Disruptive Cloud –
How the cloud is helping
me drive innovation
Anish Sebastian Co-founder 1EQ

34. @HCCCoalition #HC3
The Cloud

35. @HCCCoalition #HC3
The Cloud = 10X Improvement!
 Ease of Use
 Scalability
 Risk and Reliability
 Cost
 Security
 Connectivity

36. @HCCCoalition #HC3
Ease of Use

37. @HCCCoalition #HC3
Ease of Use
 Deploy infrastructure quickly
with no need for system
admin
 No cabling, racking,
unboxing or buying
 Software now controls the
infrastructure
 Control your servers with
the click of a mouse

38. @HCCCoalition #HC3
Scalability

39. @HCCCoalition #HC3
Scalability
 Can adjust to min by min
variation in demand
 Nothing to purchase and
take delivery
 Increase innovation, by
removing “too scared to try”
syndrome
 Go global in a matter of
seconds (co-location)

40. @HCCCoalition #HC3
Risk and Reliability
 Cancel immediately
 Change instantly, even OS
 Rebuilt instantly
 No long term contracts
 Based on enterprise grade
hardware
 Employ best practices in IT:
 Design for failure
 Control framework
 Disaster recovery

41. @HCCCoalition #HC3
Cost
 Pay for only what you use –
nothing up front and pay as you
go
 Zero cap Ex = lower burn rate =
happy investors!
 Cloud has economies of scale,
business model based on
volume not margin
 Since we started using amazon,
prices have gone down

42. @HCCCoalition #HC3
Security
 Architected for enterprise security
requirements
 More than likely more secure than
what you can normally build
yourself
 AWS White paper on HIPPA
 Ability to quickly fix security holes
and keep up with new compliance
standards.

43. @HCCCoalition #HC3
Being an “aaS”
SaaS – Software as a Service
PaaS – Platform as a Service
IaaS – Infrastructure as a Service

44. @HCCCoalition #HC3
The Cloud Pyramid
Broad
Niche

45. @HCCCoalition #HC3
The cloud Pyramid
Developers
Users
Network Engineers

46. @HCCCoalition #HC3
The cloud Pyramid
Google Apps, Heroku,
Salesforce
Windows Azure
SendGrid, Mailchip, Twilllio
Zendesk, ……..a lot more
Amazon, Racksapce

47. @HCCCoalition #HC3
The cloud Pyramid – Applications long
tail effect.
• The long tail
is directly an
impact of the
cloud.
• They all talk
to each
other.

48. @HCCCoalition #HC3
Connectivity
 This long tail of products
connect to the cloud via API
 It has fueled a new era of API
 Allows for various SaaS
companies to stitch together a
whole series of services
generally via API
 Everything is connected to
everyone

49. @HCCCoalition #HC3
Differentiation
 Bottom Line:
 The cloud allows you to focus on what
truly makes you different
 Let’s you outsource commoditized
services and services that are not your
core competencies.

50. @HCCCoalition #HC3
What does the future look like?

51. The Answer is in the Cloud
Pete Celano
MedStar Institute for Innovation
www.mi2.org

52. @HCCCoalition #HC3
Mission
 Extend Access to the Poor/Rural
 Reduce Costs
 Better Outcomes
 New Revenue

53. @HCCCoalition #HC3
New World
 Old World: EMR(s) is
what you have
 New World: Innovate
“north” of the EMR.
And bolt-in.

54. @HCCCoalition #HC3
Focus Areas
1. Capacity Utilization
2. Extending the Site of
Service
3. Flowing Data to Docs

55. @HCCCoalition #HC3
5-Step Process
1. What problem are we trying to solve, and RoI?
2. Balance Sheet Test
3. Our BAA
4. Pilot Fast
5. Take it Wide if Pilot Works & Economics are Verified

56. @HCCCoalition #HC3
Five Predictions
1. Only more inventors will run-not-walk to
healthcare
2. EMR vendors will be acquiring right & left in 2015
and beyond
3. Solutions will start breaking Provider-only and
Provider-Payer (“Provayer?”)
4. Virtual Visits will take off like a rocket
5. Apple’s HealthKit et al will finally make Remote
Patient Monitoring relevant.

57. Panel Discussion and Q&A
10:40AM – 11:30AM
• Hemant Pathak (Microsoft)
• Chad Kissinger (OnRamp)
• Sandeep Pulim (@Point of Care 360)
• Adam Greene (Davis Wright Tremaine LLP)
- Moderated by Shahid Shah, Netspective