Current Options for EHR Implementation: Cloud or No Cloud?
Regina Sharrow
Isaac Willett
April 5, 2011
Introduction
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed in 2009.
Goal: to increase provider efficiency and improve quality of care for patients through the use of electronic health records (EHRs).
Introduction
Health care providers are required to adopt and meaningfully use health information technology, BUT:
- Costly to implement
- Technology still evolving
- Relatively new concept for many smaller health care providers
- Incentives for adopting EHRs turn into reduced Medicare reimbursement in 2015 for those failing to adopt and use health information technology
Could Cloud Computing be the Solution?
What is Cloud Computing?
Using the WWW or the internet to access computer applications
Three service models:
- Software as a service (SaaS)
- Platform as a service (PaaS) (e.g., web server, database, programming language)
- Infrastructure as a service (IaaS) (e.g., networks, virtualization, storage)
What is Cloud Computing?
Cloud computing delivery methods:
- Private cloud: the resources used to provide the services are dedicated to one specific customer
- Public cloud: the resources are shared generally with the vendor's other customers
- Hybrid cloud: multiple clouds are interconnected
Pros and Cons of Cloud Computing
Pros:
- Cost effective (hardware, software, personnel)
- Scalable
- Flexible
- Pay only for services used, on demand
- Outsource non-medical functions/focus on practice
Cons:
- May be slower
- Loss of control (in normal operation and in emergency situations)
- Privacy concerns
- Long-term operating costs may exceed cost of ownership
- Regulatory complications
Early Experiences in Cloud Adoption
Health care companies have begun experimenting with taking business-critical operations to the cloud.
Two general issues:
- How to ensure regulatory compliance
- How to limit legal liability
Early Experiences in Cloud Adoption
Early struggles trying to achieve these goals are due to:
- Complexity of the regulatory landscape: 50 U.S. state laws, federal U.S. law, EU directives, other international law
- Hesitancy of cloud vendors to customize their service: a one-size-fits-all mentality to privacy and security; however, health care companies face unique challenges
Early Experiences in Cloud Adoption
Three strategies:
- Limit the types of data going to the cloud to non-sensitive and unregulated data
- Require cloud vendors to limit data centers to U.S. only
- Solve regulatory and liability challenges up front via due diligence and detailed contract provisions
Early Experiences in Cloud Adoption
Limit the types of data going to the cloud to non-sensitive and unregulated data
- Only allow non-sensitive or non-health information to be used on the cloud
- This diminishes the benefit of broad implementation of cloud solutions
Early Experiences in Cloud Adoption
Require cloud vendors to limit data centers to U.S. only
- Some companies also require strict oversight of any downstream cloud vendors (e.g., a cloud vendor using Amazon for storage)
- Require consent; require the downstream vendor to abide by the same privacy/security requirements; require indemnification and liability for the downstream vendor's breaches
- This simplifies the regulatory challenge but ignores how some cloud vendors actually operate
Standard Position of U.S. Cloud Vendors
Legal Liability:
- Limited liability for breach of privacy/security requirements
  - Usually limited to a dollar cap
  - If not capped, limited to gross negligence or intentional misconduct
- Limited ability to retrieve data
  - Sometimes only upon termination
  - Will usually charge a fee for return of data
- Limited transition assistance
  - Sometimes none
  - Will usually charge a fee
Standard Position of U.S. Cloud Vendors
Regulatory Compliance:
- Will often not consider the customer's standard privacy/security policies and will not modify their own standard privacy/security policies
- Sometimes this is not a problem, but if a cloud vendor is not accustomed to health care-based customers, then this is often a non-starter
Negotiate Up Front
- Health care companies must do their due diligence on potential cloud vendors, and possibly on downstream cloud vendors as well
- Consider a site visit to the cloud vendor's facilities to confirm that the vendor's employees understand the applicable laws
- Consider transparency: the cloud vendor's willingness to allow one or more visits
- Request an initial pilot to test the system
Negotiate Up Front
Thorny issues must be addressed and detailed provisions must be included in the contract:
- Specify the vendor as the party responsible for monitoring and implementing additional regulatory requirements, and include time frames for implementation
- Require the cloud vendor to specify who will have access to the data in the remotely hosted environment, and confirm they are trained in HIPAA compliance
- Incorporate detailed transition provisions and processes to ensure you or the successor vendor receive the data needed, including timing, format of data, etc.
- Include detailed provisions regarding the data sanitization process upon termination of the contract (or failure of the vendor's business)
Negotiate Up Front
Thorny issues (cont'd):
- Ensure you have multiple paths to data center hosting to avoid loss of access to data
- Include in the contract how often the vendor will back up data and in what format
- Discuss maintenance (how often, duration of each maintenance window, and process) and alternative data access during maintenance
- Ensure standards and important technical terms/definitions are agreed upon and detailed in the contract
- Ensure you maintain ownership of and access to all of your data - ALWAYS
REGULATORY CHALLENGES FOR HEALTH CARE ADOPTERS OF CLOUD COMPUTING
HEALTH CARE REGULATORY CHALLENGES OF CLOUD COMPUTING
Ensuring regulatory compliance presents one of the most difficult challenges to health care companies' ability to leverage the advantages of cloud computing.
SUMMARY OF REGULATORY REQUIREMENTS
The primary federal legal requirements U.S. health care companies must follow are:
- Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
- HITECH Act
REGULATORY REQUIREMENTS - HIPAA
Two basic parts to HIPAA: the Privacy Rule and the Security Rule
- Privacy Rule: how and when protected health information ("PHI") may be disclosed
- Security Rule: implement specified administrative, physical, and technical safeguards to keep PHI secure
REGULATORY REQUIREMENTS - HIPAA
Privacy Rule:
- HIPAA originally applied only to Covered Entities
  - Covered Entity = health plans, health care clearinghouses, and health care providers
- Permits disclosure of PHI only as required or permitted
- Requires a CE to enter into a Business Associate Agreement with its Business Associates
  - Business Associate = a party to whom a CE may disclose PHI so the BA can perform a service on the CE's behalf
- If a CE transmits PHI to a cloud vendor, the cloud vendor (and any downstream cloud vendor to which the CE's PHI is transmitted) will be a BA
REGULATORY REQUIREMENTS - HIPAA
HIPAA Security Rule: four general requirements must be met:
- Ensure the confidentiality, integrity, and availability of electronic PHI ("e-PHI")
- Protect against reasonably anticipated threats and hazards to its security or integrity
- Protect against reasonably anticipated disclosures not permitted by the Privacy Rule
- Ensure that the workforce complies with the Rule
REGULATORY REQUIREMENTS - HITECH
- HITECH expands the definition of a Business Associate to include certain organizations that provide data transmission of PHI and that require access on a routine basis
  - This would include a cloud vendor with access to PHI
- HITECH creates a statutory obligation for BAs to comply with HIPAA's privacy and security requirements
  - Prior to HITECH, the obligation was only a contractual commitment
REGULATORY REQUIREMENTS - HITECH
Under HITECH, BAs, including cloud providers acting as BAs, are required to:
- Maintain written policies/procedures addressing the HIPAA Security Rule requirements
- Maintain adequate training programs for employees
- Designate a security officer for the company
- Conduct adequate and thorough risk assessments of security methods
Larger cloud vendors may already satisfy these requirements, but small companies may struggle.
REGULATORY REQUIREMENTS - HITECH
Perhaps the most important aspect of HITECH is the breach notification requirements:
- The CE (reminder: this would be the cloud vendor's customer) is required to notify the affected individuals (the patients, as the owners of the PHI) of any breach of unsecured PHI
- The BA (the cloud vendor) is also required to notify the CE of a breach without unreasonable delay, and in no case later than 60 days after discovery
- The BA is also required to identify the individuals whose PHI was breached, if possible
REGULATORY REQUIREMENTS - HITECH
HITECH breach notification requirements, cont'd:
- "Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through use of a technology or methodology specified by the Secretary of the Dept. of Health & Human Services
- Practical consequence: the HHS guidance names encryption (consistent with NIST guidance) and destruction as those methods. If the data exposed in an incident were encrypted in that manner and the decryption key was not also compromised, the PHI is not "unsecured" and the notification obligation is not triggered. Encrypting e-PHI in the cloud, with the keys managed separately from the encrypted data, is therefore the most direct way to keep an incident from becoming a reportable breach.
REGULATORY REQUIREMENTS - HITECH
- Patients or other owners of PHI have the right to request an accounting of all disclosures of their PHI for the prior 3 years
  - This includes the use of any downstream cloud vendors who have hosted the data
  - Requires the disclosure of the identity of these parties
  - The challenge is that many cloud vendors either can't or don't want to track these disclosures
- Patients or other owners of PHI may also demand the return of their PHI at any time
  - This requires the ability for customers to access the data at any time
LIABILITY FOR FAILURE TO COMPLY WITH REGULATORY REQUIREMENTS
- If the CE has demonstrated a pattern of non-compliance with the BA Agreement and the BA knows of it, both the CE and the BA could be liable under HIPAA / HITECH
- HIPAA / HITECH impose certain criminal and civil penalties on CEs and BAs that fail to comply
  - No longer merely a breach of contract with the CE
LIABILITY FOR FAILURE TO COMPLY WITH REGULATORY REQUIREMENTS
Two recent cases indicate that the government is taking an aggressive approach to enforcing HIPAA / HITECH:
- Cignet Health of Prince George's County, Md., ordered to pay a $4.3 million civil monetary penalty for violating the HIPAA Privacy Rule (February 2011)
- The General Hospital Corporation and Massachusetts General Physicians Organization Inc. agreed to pay the U.S. government $1 million to settle potential violations of the HIPAA Privacy Rule
Contractual Responses to Regulatory Requirements
CONTRACTUAL RESPONSES
In light of the new HITECH requirements, CEs have begun requiring some or all of the following legal protections in their contracts with cloud vendors:
- Indemnification of damages arising from the cloud vendor's breach of HITECH requirements
- Reimbursement of costs associated with notification of breaches
- Expressly allowing the cloud customer to seek equitable relief (e.g., injunctions) against the cloud vendor
CONTRACTUAL RESPONSES
Legal protections in light of HITECH, cont'd:
- Not only requiring the cloud vendor to abide by HITECH and the BA Agreement, but also to abide by any amendments to the relevant laws/regulations as well as guidance from the Dept. of Health & Human Services
- Permit the cloud customer to audit the security of the cloud vendor
- Require consent and/or allow control over any downstream cloud vendors that might be used, including the right to audit
- Indemnify the cloud customer for all breaches by any downstream cloud vendors that may be used
THANK YOU!
Regina Sharrow and Ike Willett
Baker & Daniels LLP
600 East 96th Street, Suite 600
Indianapolis, IN 46240
Regina.Sharrow@bakerd.com (317) 569-4604
Isaac.Willett@bakerd.com (317) 569-4640