Legal Challenges for U.S. Healthcare Adopters of Cloud Computing

Transcription

1 Legal Challenges for U.S. Healthcare Adopters of Cloud Computing by Kevin Erdman and Nigel Stark of Baker & Daniels LLP 1 ABSTRACT U.S. Healthcare companies have begun experimenting with taking business-critical operations to the cloud, where there are the greatest U.S. regulatory challenges. The early experiences of such companies involve dealing with the increasingly complex U.S. regulatory schemes and the general desire on both sides to limit potential legal liability. The initial standard response by cloud providers is challenging for U.S. Healthcare companies. However, there are contractual and procedural modifications that cloud providers can utilize that can be sufficient for regulatory compliance and business objectives. Introduction Cloud computing may take many different forms and can be used for many different purposes (e.g., software as a service, platform as a service, infrastructure as a service, virtualization, etc.). There are many advantages to cloud computing and the various services that utilize cloud computing, central to which is the flexibility that cloud computing offers. Companies can take advantage of this flexibility for various purposes (e.g., scalability, pricing structures, etc.). Large companies may use cloud computing to help organize multiple locations and coordinate enterprise application. In addition, cloud computing can often allow small companies access to various software, platforms, or other services that were once costprohibitive without the economies of scale. U.S. Health Care companies are, of course, also capable of exploiting the various benefits of cloud computing for many of the same reasons that other companies can. However, U.S. centric cloud computing providers have not had the same level of security and privacy requirements as those providers in the European arena. Recently, further security and privacy regulatory requirements in the U.S. have disrupted the one size fits all approach of many cloud vendors. This paper examines some of the initial difficulties for U.S. Health Care companies in developing cloud computing solutions and some solutions to those difficulties. Big Issues: Four of the most significant issues with U.S. Health Care companies implementation of cloud computing solutions involve (1) the Security/Safety of Data, (2) the rights and responsibilities on termination or transition, (3) third party rights, and (4) regulatory compliance. Despite a variety of types of cloud computing customers, as-a-service providers often take a one-size-fits-all approach to security. They have a security policy, and that is all they will agree to, regardless of whether it satisfies the individual customer s particular security needs. Cloud Computing Providers have approached as-a-service services as a very streamlined process in order to keep costs down. Such Providers seem hesitant to provide customers with unique services. For U.S. Health Care companies, this is often problematic and 1 Kevin Erdman is a Partner with the law firm of Baker & Daniels LLP, and Nigel Stark is an Associate. For further author information visit Page 1

2 a more cooperative discussion regarding security of data is needed, both from a contractual agreement standpoint and a risk management standpoint. Typically, outsourcing providers resist granting broad audit rights to its customers, and cloud computing as-a-service providers are even more reluctant. A quality audit of an asa-service provider requires a significantly more in-depth look into the Cloud Computing Provider s computer systems and propriety methods. However, from a customer s perspective, the customer is relinquishing even more control of its data than under a more traditional service contract, so the desire/need for an audit is greater. This is particularly a concern with U.S. Health Care providers, as their customers have enhanced concerns about the security and privacy of their medical data. These concerns are also compounded if that as-aservice provider utilizes a third party hosting company such as Amazon or Google to host the data and process the as-a-service provider s application. In such an instance, customers will often require the right to audit such third party host s data centers and security systems. Providing a right to audit third party data centers that host data may be accomplished with the following language: Page 2 Customer shall have the right to evaluate such Third Party Host and Supplier shall ensure that it obtains the Third Party Host s agreement to permit Customer such rights, including the right to inspect the Third Party Host s facilities and any other sites where Customer Data or any other component of the Service is hosted. Frequently, the as-a-service provider will insist that it not be liable for the third party host s actions, particularly for security breaches or service interruptions. Just like with traditional subcontractors, customers should insist on some sort of protection (ideally, indemnification) in the event an Amazon or Google suffers a security breach (or some other issue) and the customer incurs damages. Customers should not allow the new paradigm of cloud computing act as a vehicle to redefine the subcontractor relationship. Instead, in addition to the audit rights described above, the Cloud Computing Provider should also provide indemnification for any breach of the privacy/security requirements, including indemnification of damages resulting from a third party host s breach with language such as: Supplier shall defend, indemnify, and hold harmless Customer and its Affiliates and their respective officers, directors, employees, and Representatives from and against any and all losses, damages, costs, or expenses (including court costs and reasonable attorneys fees) arising out of any claims, demands, lawsuits, administrative proceedings, or similar actions due to Supplier s Third Party Host s material breach or violation of its obligations under the Privacy Addendum [or Business Associate Agreement]. One contractual provision desired by many U.S. Health Care companies is the requirement that data centers (including third party hosts) be located only in U.S., supplementing other control provisions over data centers. In the best case, the approval of the U.S. Health Care company will be required for any change in the location or contracting party for data storage or processing. Cloud Computing Providers rarely agree to broad preapproval or veto rights in that regard, but compromise language may be negotiated allowing for observation of the third party data storage hosting company, and if unsatisfactory allow for transition of data to another data center, using the following type of compromise language:

3 Page 3 The [Hosting] Services will be provided through a co-location arrangement with a reputable third party hosting company (the Third Party Host ). Supplier shall notify Customer of the identity of such Third Party Host. Each such facility shall be equipped with access security, climate control, and managed power supply. Customer shall have the right to evaluate such Third Party Host and Supplier shall ensure that it obtains the Third Party Host s agreement to permit Customer such rights, including the right to inspect the Third Party Host s facilities and any other sites where Customer Data or any other component of the Service is hosted. Supplier will ensure that any contract with a Third Party Host remains in effect at all times unless the hosting of the Service is to be transitioned to another Third Party Host in accordance with the procedures set forth below. Supplier shall provide at least thirty (30) days written notice to Customer of any planned transition to another Third Party Host, and Supplier shall use its Commercially Reasonable Efforts to avoid any interruption to the Service while transitioning Third Party Hosts. Supplier represents and warrants that any Third Party Host utilized by Supplier to perform the Service under this Agreement shall be contractually obligated to Supplier to keep Customer Confidential Information and Customer Data confidential in the manner required under this Agreement and to abide by the Privacy Addendum. Unless otherwise agreed upon in writing, the Third Party Host s operations and facilities (as they relate to hosting of the Customer Data or providing the Services to Customer) shall at all times remain within the continental United States. For the avoidance of doubt, the foregoing sentence shall not prohibit the Third Party Host from maintaining facilities or operations outside of the United States, but no operation related to the Service to be provided to Customer shall be conducted outside of the United States. In addition to using cloud storage, it is important to have disaster recovery procedures mandated in the Cloud Computing arrangement. Such disaster recovery should consider both the failure of the non-cloud component of a data processing service and the cloud component. The Cloud Computing Provider should be required to disclose and update its own disaster recovery plan and assist in aiding the reinstallation of the non-cloud components even if the Cloud Provider is not directly involved with that component. Fortunately, as-a-service providers seem more open to detailed disaster recovery procedures than with other issues. As an example of the importance of thorough disaster recovery procedures, in the Fall of 2009, T-Mobile Sidekick users data was stored on a cloud but all data was lost due to a server failure. T-Mobile couldn t recover the data, sales were halted, and many lawsuits filed. This was just data from a phone; imagine the consequences if the data lost was health data or other sensitive or important data. Related to both security and disaster recovery concerns are back-up procedures, but unfortunately no real consensus currently exists on this issue. There are 3 main questions: (1) how often should data be backed up, (2) how should the data be backed up, and (3) whose responsibility it is? In some situations, the answers to (1) and (2) may be in regulatory requirements or guidance. The third question seems to draw the most debate, as as-aservice providers do not want to be responsible for the backing up of all of their customers data. The safest and perhaps fairest solution is for both parties to back up the data. Another issue critical to successful Cloud Computing implementations, and one that seems to be disappearing over the last couple of years, involves as-a-service providers

4 insisting that they should not be responsible for any sort of data security and that is the obligation of either the customer or a third party host. Although there may be arguments regarding the extent of any financial liability, more and more as-a-service providers are recognizing and agreeing that they bear some responsibility as to the security of data, including the requirement to report any security breaches or other security concerns. In a U.S. Health Care company situation, appropriate contractual language is sometimes found in a Business Associate Agreement. However, in contexts where a Business Associate Agreement is not needed or desired, the general obligation to report may be secured using the following breach notification language: Supplier will report to Customer in writing any acquisition, access, use or disclosure of Protected Information of which Supplier has actual knowledge that is not permitted by this Agreement or in writing by Customer (a Breach ). Supplier will make the report to Customer within 24 hours after Supplier knows of such Breach. Supplier will cooperate promptly with Customer as is reasonably required in order for Customer to comply with applicable breach reporting and notification laws, including, but not limited to, Section of the HITECH Act or similar federal or state laws regarding notification of the security breach of personal information (collectively, "Breach Notification Laws"). Supplier shall reimburse Customer for all reasonable costs incurred by Customer to comply with Breach Notification Laws as a direct result of Supplier's failure to comply with any provision of this Addendum or applicable law. Supplier s report will at least: a. Identify the nature of the Breach; b. Identify the individuals (by full name and address) whose Protected Information was subject to the Breach and the total number of affected individuals; c. Identify the Protected Information subject to the Breach; d. Identify who committed the Breach and who acquired, accessed, used or received Protected Information that was subject to the Breach, if the Supplier has actual knowledge as to such identity of the person or persons involved in the Breach; e. Identify what corrective action Supplier took or will take to prevent further Breaches; f. Identify what Supplier did or will do to mitigate any deleterious effect of the Breach; and g. Provide such other information as Customer may reasonably request. Another key issue is the handling of the end of the service contract when the current Cloud Computing Provider is being replaced by another or in house resources. Upon termination of the Cloud Computing service contract (and, ideally, upon any request by the customer), the as-a-service provider should be required to return all data to the customer and destroy any leftover customer data on its systems. Most as-a-service providers will agree to returning the data upon termination (although there is more debate as to whether providers should be required to return data upon any request of the customer), but the debate lies in how the data is to be returned (transmission, media, format, timing, cost, etc.). Companies with larger and more sophisticated IT departments may be able to handle any sort of data dump (albeit perhaps at some expense and inconvenience), but for companies without sophisticated IT departments, the format of the data and the procedure for extraction becomes extremely important. Page 4

5 Typically, Cloud Computing Providers are silent on these issues, or include only the minimal amount of data access upon termination. However, it is possible to obtain greater assistance upon termination depending on how the customer approaches the timing and cost issues. Provided below is sample compromise language that includes reasonable accommodations to protect a company's interests against these sorts of challenges (mostly return of data and transition assistance; carve outs to limitations of liability are typically dealt with separately). This type of contractual language is usually heavily negotiated according to the specifics of the transaction: Page 5 For a period of 30 days after the effective date of any termination or expiration of this Agreement for any reason, (a) Supplier will not take any action to intentionally erase any Customer Content stored on the Services and (b) Customer may retrieve Company Content from the Services. For the avoidance of doubt, Supplier agrees that subsection (b) above does not limit Customer s ability to retrieve Customer Content from the Services prior to the effective date of any termination or expiration of this Agreement. Upon any termination or expiration, Supplier will provide Customer with the same post-termination data retrieval assistance that Supplier generally makes available to all customers, but in no event less than reasonable assistance, including, at a minimum and at no additional cost to Company, any data conversion necessary to provide Customer with its Company Content in the format in which the Customer Content was originally uploaded to the Service by Company. Except as provided in this Section, Supplier will have no obligation to continue to store or permit Customer to retrieve any Customer Content following 30 days after any termination of this Agreement. Prior to expiration of the 30 day period following the effective date of termination or expiration of this Agreement and subject to the other requirements of this Section, in no event shall Supplier (or any of its subcontractors) refuse the return of Customer Content to Company or otherwise deny or prohibit Customer s ability to retrieve Customer Content, regardless of the cause of termination and regardless of any dispute that may then exist between Supplier, Customer, or any other party. In addition, upon any dissolution of Supplier, any bankruptcy or similar proceeding taken by or against Supplier, or in any situation wherein Supplier ceases to do business in its regular course, Supplier (nor any of its subcontractors) shall not refuse the return of Customer Content to Customer or otherwise deny or prohibit Customer s ability to retrieve Customer Content. In addition, at any time prior to the expiration of the 30 day period following the effective date of termination or expiration of this Agreement, Customer may retrieve its Customer Content at any time and for any reason and Supplier shall not (nor shall any of its subcontractors) refuse the return of such Customer Content to Customer or otherwise deny or prohibit Customer s ability to retrieve Customer Content (except to the extent Supplier s compliance with the foregoing would cause it to violate a court order or applicable law). In the event of termination, whether by the Cloud Computing Provider or the customer, there should be an obligation to assist in the transition period with the migration of services and data. Migration of the services being provided is crucial where the service is a business critical service. If an as-a-service provider s security systems fail (or some other sort of extremely important breach occurs), usually the most important concern for the customer is getting away from the provider and doing so with as minimal interruption to its business as possible, even if that costs significant termination or other fees. As such, customers need to

6 negotiate migration procedures into the contract to ensure the speedy, safe, secure, and complete transition of the services and data either to a new provider or back to the customer. Most as-a-service providers are willing to provide migration assistance in a general sense but a) want to be able to charge the customer for it, and b) do not want to agree to detailed migration procedures upfront in order to preserve their flexibility. A health company s data is likely to be its most important consideration in a cloud computing transaction, and as-a-service providers know that. Because of that, absent an obligation to return to the customer its data and to migrate the data/service to the customer or a third party, the provider can hold the customer hostage. Although general contractual provisions with little detail may be able to extract monetary compensation from any Cloud Computing Provider deficiencies in these areas, such contractual remedies are often much less desirable than a well thought out migration plan that if followed mitigates any real world damages suffered by the customer. It is thus important for the company lawyer to understand the migration process from the IT perspective and provide a detailed procedure for such migration so that appropriate contractual provisions may be drafted to ensure such migration is successful. In addition to the general thought that Cloud Computing Providers should not be able to shirk responsibility for subcontractor problems, they should also be responsible for regulatory compliance. Another big challenge of U.S. Health Care companies utilizing cloud computing involves sifting through the regulatory hurdles. Many as-a-service providers hired by U.S. Health Care companies are not in the market of providing services just to health care companies. As a result, their existing security policies may not have the complexity or detail required to satisfy HIPAA or EU laws. However, the risk that stringent international privacy laws apply is high because an as-a-service provider s data center might be located in another country or a virtualized machine might draw resources from several different countries. Typically, it is not sufficient simply to require an as-a-service provider to comply with all applicable law, as often (but not always) the law is not directly applicable on as-aservice providers and only the customer falls directly under the purview of the law. Nonetheless, the customer remains responsible to ensure such requirements are satisfied and because of that, the customer should expressly include all such requirements directly into the relevant contractual language. In addition, customers should demand indemnification for breach not only of the primary commercial contract, but also of HITECH requirements (and other applicable law) directly applicable to the Cloud Computing Provider as well as those privacy and security requirements expressly set forth in the contract. This can be accomplished with language such as: Page 6 Supplier shall defend, indemnify, and hold harmless Customer and its Affiliates and their respective officers, directors, employees, and Representatives from and against any and all losses, damages, costs, or expenses (including court costs and reasonable attorneys fees) arising out of any claims, demands, lawsuits, administrative proceedings, or similar actions due to Supplier s or its Representatives material breach or violation of its obligations under the Privacy Addendum [or Business Associate Agreement]. Further, the costs of regulatory compliance for such breaches should include reimbursement of costs associated with notification of breaches using language such as the following:

7 To the extent Customer is required to notify any third party of any breach of security due to Supplier s breach of its obligations hereunder, Supplier shall reimburse Customer for all such costs. In the U.S. Health Care context, equitable relief against the Cloud Computing Provider should also be provided for breaches of security/privacy obligations using language such as: Supplier acknowledges that monetary damages are inadequate to protect Customer from a breach or threatened breach of [options include: (a) Section X, (b) Supplier s privacy or security obligations hereunder, (c) the Business Associate Agreement, (d) other contractual or regulatory provisions, etc.] and that any such breach may cause irreparable harm. Accordingly, Supplier agrees and consents to Customer seeking injunctive relief without having to prove the inadequacy of monetary damages or irreparable harm. Finally, updated regulatory mandates may necessitate amendments to the privacy or security terms of a contract; however, the parties may not be in a position to amend that contract (or may not desire to). To avoid falling out of regulatory compliance, the customer can require the automatic revision (without having to amend the Agreement) of prior privacy/security terms and/or the automatic inclusion of new requirements as such revisions and insertions become required by changes to HIPAA or other laws or regulations or interpretations or guidance related to such laws and regulations: This Agreement may not be amended or modified except by a written document signed by both Parties; provided that, upon the effective date of any amendments to the Health Insurance Portability and Accountability Act of 1996 and it implementing regulations (45 C.F.R ) or any final regulation or amendment to final regulations promulgated by the U.S. Department of Health and Human Services with respect to Protected Health Information or Standard Transactions, this Agreement will automatically be deemed to have been amended so that the new the obligations resulting from such regulations and amendments, as applicable, will be imposed upon Customer. In addition, under HIPAA, the as-a-service provider may be considered a business associate and the customer may need to execute a Business Associate Agreement with the as-a-service provider in addition to the normal service contract. Furthermore, the as-aservice provider may need to execute a contract similar to a Business Associate Agreement with its third party data hosts. A typical U.S. Health Care "Business Associate" Agreement is appended to this presentation for exemplary language that a U.S. based Cloud Provider should be able to accommodate, particularly if that Cloud Provider has Health Care customers. APPENDIX Page 7