Cloud Computing in Healthcare: HIPAA and State Law Challenges

Transcription

1 Presenting a 90-Minute Encore Presentation of the Teleconference with Q&A Cloud Computing in Healthcare: HIPAA and State Law Challenges Navigating Privacy and Security Risks THURSDAY, JULY 19, pm Eastern 12pm Central 11am Mountain 10am Pacific Today s faculty features: Matthew A. Karlyn, Partner, Foley & Lardner, Boston M. Leeann Habte, Foley & Lardner, Los Angeles The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions ed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.

2 Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial and enter your PIN when prompted. Otherwise, please send us a chat or sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

3 For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps: Close the notification box In the chat box, type (1) your company name and (2) the number of attendees at your location Click the SEND button beside the box

4 If you have not printed the conference materials for this program, please complete the following steps: Click on the + sign next to Conference Materials in the middle of the lefthand column on your screen. Click on the tab labeled Handouts that appears, and there you will see a PDF of the slides for today's program. Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon.

5 Cloud Computing in Healthcare: HIPAA and State Law Challenges Matt Karlyn Partner Foley & Lardner LLP (617) Leeann Habte Associate Foley & Lardner LLP (213) July 19, Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL

6 6 PART 1 WELCOME TO THE CLOUD

7 7 CDW Tracking Trends 84 percent of IT professionals from a crosssection of industries say their organization has at least one cloud application 30 percent of health care organizations report implementing cloud computing Electronic health records Medical imaging Telemedicine Patient management Traditional business and financial functions

8 8 What is Cloud Computing? Delivery over the Internet (i.e., the cloud ) Software, platform or infrastructure resources provided as services Scalability on-demand Utility and/or subscription billing (i.e., based on the customer s actual use and/or a period of time)

9 Types of Cloud Computing 9 Services Cloud computing has generally been broken down into three types of services Software-as-a-Service (SaaS) refers to the provider s software being delivered over the cloud to the customer as a service (e.g., electronic health record systems) Platform-as-a-Service (PaaS) refers to the providers software development platforms being delivered over the cloud to the customer as a service (e.g. Interface development). For example, a customer may use the service to develop, test, and deploy applications that are then hosted on the provider s infrastructure. Infrastructure-as-a- Service (IaaS) refers to virtual servers, memory, processors, storage, network bandwidth, and other types of infrastructure resources, being delivered over the cloud to the customer as a service (e.g., Amazon, Google Rackspace, IBM computing on demand).

10 10 Models of Cloud Deployment Public Clouds Owned and operated by a cloud provider Private Clouds Computing environment operated exclusively for one organization Community Clouds Computing environment exclusive to 2+ organizations with similar considerations Hybrid Clouds Composition of 2 or more clouds

11 11 Benefits of the Cloud Cost reduction Service flexibility Lower upfront risks and complexity with realizing the benefits of new technology Reduction in capital costs

12 12 That all sounds great BUT There are risks What are the risks that health care organizations evaluating cloud computing solutions should consider?

13 13 Part 2 Is that a storm cloud ahead?

14 Compliance Risks Privacy and Security 14 Health care organizations are required to maintain health care data subject to numerous and differing federal and state laws

15 Federal Laws: HIPAA, HITECH, and Others 15 HIPAA, as amended by the HITECH Act Requires health plans, health care clearinghouses, and covered health care providers to safeguard protected health information (PHI) Establishes 22 separate technology-neutral security standards Gramm-Leach-Bliley Act (GLB Act) Requires a written security plan FTC laws and regulations, PCI DSS

16 16 State Privacy and Security Laws All states have state-specific privacy laws A handful have comprehensive medical privacy laws The rest have separate laws that govern the privacy of medical records and/or sensitive health information Some states also mandate security controls Personal information Electronic health records

17 17 State Breach Reporting Laws Almost all states have specific requirements for reporting breaches of medical or other personal information Data breaches are costly Average cost of $6.75 million, ranging from $750,00 to $31 million in 2010 $204 per compromised record Most expensive data breach increased to $66 million in 2011

18 18 Compliance Not Delegable Accountability for the security and privacy of health information cannot simply be delegated to a cloud provider. HITECH holds Business Associates responsible for civil penalties Notification costs, mitigation of harm, damages State law/ftc differ Organizations are responsible for the actions of their subcontractors

19 19 Cloud Computing Risks Heightened compliance risks Location of data if hosted by vendor Jurisdiction and laws governing data Security/breach notification requirements Scope of liability Vendor s subcontracts with third parties Scope of control, responsibilities involved, recourses/remedies

20 20 Cloud Computing Security Risks Multi-tenancy environment Data may be stored on a server with other customer s data = increased risk of unauthorized disclosure Security risks particular to cloud computing Risks associated with services being delivered over web browser (Adobe Flash, etc.)

21 Evaluating the Risk of Cloud Computing 21 The sensitivity of the data that will be stored in the cloud The criticality of the business process being supported by the cloud computing solution Solutions must be carefully evaluated to ensure the benefits outweigh the risks; ensure contractual protections and operational precautions are taken

22 Data Sensitivity and the Criticality of the Service 22 High Risk = mission critical processes utilizing highly sensitive data Medium Risk = generally available data that requires high service levels; non-confidential enterprise data Low Risk = not mission critical and generally available data; can accept outages and variable performance Individually identifiable health information is high-risk data

23 23 Part 3 Speaking of Contracts Cloud computing agreements have some similarity to licensing agreements, but have more in common with hosting or ASP agreements

24 24 Licensing vs. the Cloud Traditional licensing/hardware purchase Vendor installs the software or equipment in the customer s environment Customer has ability to have the software or hardware configured to meet its needs Customer retains control of the data In the cloud Software, hardware and customer data are hosted by the provider typically in a shared environment (e.g., many customers per server) Software and hardware configuration much more homogeneous across all customers

25 25 Licensing vs. the Cloud (cont d) Shift of top priorities From configuration, implementation and acceptance (in the licensing world) to service availability, performance, service levels, data security and control (in the cloud) Traditional provisions retain importance, in particular Insurance, indemnity, intellectual property, limitations of liability, warranties

26 Cloud Customers Must Make Important Decisions 26 There are no standard forms that work for every customer, for every product, in every deal Some commonly used outsourcing and software licensing terms may be useful, but cannot be uniformly applied to cloud computing transactions More robust contractual protection and provisions that address issues unique to the cloud are likely needed For the low risk deals, a low risk solution may outweigh the need for contractual protections For high risk deals, better to take a closer look and include the provisions that will protect your company Note that robust contractual protections may have an impact on price and eliminate certain providers altogether

27 The Focus of Cloud Computing Transactions 27 Focus should be on: The criticality of the software, data and services to the enterprise The unique issues presented by a cloud computing environment (e.g., data security) The service levels and pricing offered by different suppliers and for different services Outsourcing agreements and traditional licensing agreements are a good starting point, but not a good ending point

28 Part 4 Key Contractual Issues in Cloud Computing 28 Note that these slides and this presentation contain several examples of language that is commonly found in cloud computing agreements. These slides and this presentation are not a substitute for legal advice. The language to be used in your transactions depends on a variety of factors and the particular circumstances. You are strongly advised to engage knowledgeable legal counsel to access and help minimize your legal liabilities based on the particular requirements of your organization. Like any presentation or article, this is not meant to be a substitute for knowledgeable legal counsel.

29 29 Pre-Agreement Due Diligence Can the provider meet your organization s expectations? Require provider to complete a due diligence questionnaire Provider s financial condition Insurance Existing service levels Capacity Data security Disaster recovery and business continuity Redundancy Ability to comply with applicable regulations

30 Pre-Agreement Due Diligence (cont d) 30 Pay particular attention to: Vendor s financial condition and corporate responsibility The provider s subcontracts with third parties The location of the data center(s) where the data will be physically stored and who may have access to the data

31 31 Service Availability If the provider stops delivering services, the customer will have no access to the services (which may be supporting a critical business function), and perhaps more importantly, no access to the customer s data stored on the provider s systems A customer must be able to continue to operate and have access to its data at all times

32 32 Service Availability (cont d) What do you need? If provider is maintaining PHI, a disaster recovery plan and an emergency mode operation plan Disaster recovery and business continuity assurances For example, Provider shall maintain and implement disaster recovery and emergency mode operation procedures to ensure that the Services are not interrupted during any disaster. Provider shall provide Customer with a copy of its current disaster recovery plan and emergency mode operations plan and all updates thereto during the Term. All requirements of this Agreement, including those relating to security policies, workforce screening and termination, training, and due diligence shall apply to the Provider disaster recovery site. Provider s agreement not to withhold services (even if there is a dispute) For example, Provided Customer continues to timely make all undisputed payments, Provider warrants that during the Term of this Agreement it will not withhold services provided hereunder, for any reason, including, but not limited to, a dispute between the parties arising under this Agreement.

33 33 Service Availability (cont d) Protections against provider s financial instability Enable customer to identify issues in advance For example, Quarterly, during the Term, Provider shall provide Customer with all information reasonably requested by Customer to assess the overall financial strength and viability of Provider and Provider s ability to fully perform its obligations under this Agreement. In the event Customer concludes that Provider does not have the financial wherewithal to fully perform as required hereunder, Customer may terminate this Agreement without further obligation or liability by providing written notice to Provider. In-house software solution: consider requiring the provider to make available or develop an in-house solution to replacing software services if it stops providing those services

34 34 Service Levels Uptime service level Services must be available to customer at all times to support operations Outage window Measurement period Remedies Require provider to monitor servers by automatic pinging Unavailability should include severe performance degradation Service response time

35 35 Service Levels (cont d) Uptime an example For example, Provider will make the Services Available continuously, as measured over the course of each calendar month period, an average of 99.99% of the time, excluding unavailability as a result of Exceptions, as defined below (the Availability Percentage ). Available means the Services shall be available for access and use by Customer. For purposes of calculating the Availability Percentage, the following are Exceptions to the service level requirement, and the Services shall not be considered Un-Available, if any inaccessibility is due to: (i) Customer s acts or omissions; or (ii) Customer s Internet connectivity.

36 36 Service Levels (cont d) Response Time an example Maximum latencies and response times for the customer s use of the services For example, The average download time for each page of the Services, including all content contained therein, shall be within the lesser of (i) 0.5 seconds of the weekly Keynote Business 40 Internet Performance Index ( KB40 ), or (ii) two (2) seconds. In the event the KB40 is discontinued, a successor index (such as average download times for all other customers of Provider) may be mutually agreed upon by the parties.

37 37 Service Levels (cont d) Other common service level issues that customers should address are: Simultaneous visitors Problem response time and resolution time Data return and periodic delivery Remedies for failure to meet service levels Should include financial penalties and termination

38 38 Service Levels (cont d) Why are they so important? Assure the customer that it can rely on the services and provide appropriate remedies if the provider fails to meet the agreed service levels Provide incentives that encourage the provider to be diligent in addressing issues

39 39 Data Security The security of a customer s data in a cloud computing environment has been recognized as one of the largest areas of concern for a customer The customer is ultimately responsible for complying with privacy and security regulations, and data security breaches are costly

40 40 Data Security (cont d) Business Associate Agreements Required with cloud provider, if it hosts data or software containing PHI on its own server, or accesses PHI, even if only for troubleshooting software function (OCR, FAQ) BAA provisions may be incorporated in End User License Agreements, particularly by software companies (e.g., EHR software) EULA must be valid under State law for BAA to be enforceable

41 41 Data Security (cont d) Business Associate Agreements HIPAA standards may not address data security risks associated with cloud computing environment In addition to requiring the cloud provider to provide physical, technical, and administrative safeguards, as required by the HITECH Act, BAA or contract should expressly address the provider s policies and procedures related to: Security protections unique to cloud Control of subcontracting arrangements Location of data Data redundancy Data ownership and use rights E-discovery Data conversion/data return

42 42 Data Security (cont d) Security protections in provider s policies: Compare with own policies and legal requirements Ensure that providers policies address: Baseline security measures, including physical controls over data storage facilities Security incident management Hardware, software and security policies Information access and authorization procedures Security issues particular to cloud computing and services being provided over the internet Some providers won t show customer their security policies but will permit onsite access

43 43 Data Security (cont d) Security protections in contract should: Address State law requirements Define customer s vs. providers responsibilities for security Include method to monitor performance of security controls and procedures (e.g., third party audit) Include administrative, technical, and physical safeguards, in accordance with applicable laws Expressly establish requirements for storage of customer information Provide for customer s audit rights

44 44 Data Security (cont d) Subcontracting arrangements Third party relationships should be disclosed in advance of reaching an agreement HIPAA compliance BAA must ensure that any subcontracts to whom the Covered Entity provides PHI agree in writing to the same restrictions and conditions that apply to the Business Associate in its agreement with the Covered Entity

45 45 Data Security (cont d) Subcontracting arrangements Who is operating the data center the provider or a third party? Ensure third party hosts comply with your agreement Provider should accept all responsibility for the third party host Provider should be jointly and severally liable with the third party host for any breach of the agreement by the third party host Consider entering a separate confidentiality agreement with the third party host Advance notice if any change of the host

46 46 Data Security (cont d) Location of Data May determine the jurisdiction and the governing law Overseas data may present practical difficulties Other state laws may impose additional compliance requirements Should include prohibition on off-shore work and restrictions on data transfer For example, In performing the functions, activities or services for, or on behalf of, Customer, Provider shall not, and shall not permit any of its subcontractors, to transmit or make available any PHI to any entity or individual outside the continental United States without the prior written consent of Customer. All activities and services shall be performed and rendered at the locations set forth in Attachment. The Parties may mutually agree to authorize Provider s use of additional locations in an amendment to this Agreement.

47 47 Data Security (cont d) Breach notification Agreement should establish: The procedures and timeframe for reporting a breach to the Covered Entity The procedures and role of the parties with respect to investigation of the breach and notification of individuals Liability of the Business Associate

48 48 Data Security (cont d) In the event of a security breach: Customer should have sole control over the timing, content, and method of customer notification (if it is required) If the provider is responsible for the breach, then the provider should reimburse the customer for its reasonable out-of-pocket expenses in providing the notification, mitigating the harm, and otherwise complying with the law

49 49 Data Security (cont d) Data redundancy Agreement should contain explicit provisions regarding Provider s duty for regular backups and frequency of back ups Below is a sample data redundancy provision: Provider will: (i) execute (A) nightly database backups to a backup server, (B) incremental database transaction log file backups every 30 minutes to a backup server, (C) weekly backups of all hosted Customer Information and the default path to a backup server, and (D) nightly incremental backups of the default path to a backup server; (ii) replicate Customer s database and default path to an off-site location (i.e., other than the primary data center); and (iii) save the last 14 nightly database backups on a secure transfer server (i.e., at any given time, the last 14 nightly database backups will be on the secure transfer server) from which Customer may retrieve the database backups at any time.

50 50 Data Security (cont d) Data ownership and use rights Agreement must contain: Clear language regarding customer s ownership of data Specific language (i) regarding the provider s obligations to maintain the confidentiality of such information and (ii) placing appropriate limitations on the provider s use of such customer information Strict limitations on provider s use of data in aggregated, de-identified form Use of aggregate data must be for health care operations purpose permissible under HIPAA

51 51 Data Security (cont d) E-discovery Agreement must require provider to retain meta-data Data conversion/return of data Must ensure that the customer is not locked in to the provider s solution and provider can return or destroy data at termination of agreement A sample data conversion provision is provided below: At Customer s request, Provider will provide a copy of Customer Information to Customer in an ASCII comma-delimited format on a CD- ROM or DVD-ROM. Upon expiration of this Agreement or termination of this Agreement for any reason, Provider shall (a) deliver to Customer, at no cost to Customer, a current copy of all of the Customer Information in use as of the date of such expiration or termination and (b) completely destroy or erase all other copies of the Customer Information in Provider s or its agents or subcontractors possession in any form, including but not limited to electronic, hard copy, or other memory device. At Customer s request, Provider shall have its officers certify in writing that it has so destroyed or erased all copies of the Customer Information and that it shall not make any use of the Customer Information.

52 52 Insurance Customer should self-insure against IT risks by obtaining a cyber-liability policy Provider should be required to carry: Technology errors and omissions liability insurance Commercial blanket bond, using Electronic & Computer Crime or Unauthorized Computer Access insurance Most data privacy and security laws will hold the customer liable for security breaches whether it was the customer s fault or the provider s fault

53 53 Indemnification Third party claims relating to the provider s breach of its confidentiality and security obligations, and claims relating to infringement of third party intellectual property rights Limitation to copyright is not acceptable Limitation to US IP rights may be acceptable, but consider whether use of the services will occur overseas

54 54 Limitation of Liability Scrutinize limitation of liability provisions carefully If you can t eliminate the limitation of liability in its entirety, seek the following protections: Mutual protection Appropriate carve-outs (e.g., confidentiality, data security, indemnity) A reasonable liability cap for direct damages

55 55 Intellectual Property Provider s IP may be embedded in the customer s business process You should obtain ownership of any work product and a very broad license to use any provider IP incorporated into any work product

56 56 Warranties The following warranties are common in these types of agreements: Conformance to specifications Performance of services Appropriate training Compliance with laws No sharing / disclosure of data Services will not infringe No viruses / destructive programs No pending or threatened litigation Sufficient authority to enter into agreement

57 57 Implementation When there will be significant implementation services, the customer should consider establishing a broad definition of services in the cloud computing agreement E.g., extensive software or hardware implementation, configuration, customization) This is useful in limiting provider claims for out of scope activity and request for additional money

58 58 Fees Ability to add and remove resources with a corresponding upward or downward adjustment in the service fees Identify all potential revenue streams and make sure that the identified fees are inclusive of such revenue streams Lock in recurring fees for a period of time (one to three years) and thereafter an escalator based on CPI or another index

59 59 Term The customer should be able to terminate the agreement at any time upon notice (14 to 30 days) and without penalty The software and infrastructure are being provided as a service and should be treated as such The provider may request a minimum commitment from the customer to recoup the provider s investment in securing the customer as a customer If you agree to this, limit to no more than one year and the provider should be required to provide evidence of its up front costs to justify such a requirement HIPAA requires covered entities to terminate the agreement upon knowledge of a material breach by a subcontractor unless the breach can be cured

60 60 Publicity Agreement should contain a provision relating to announcements and publicity in connection with the transaction. Provider should be prohibited from: Making any media releases or other public announcements relating to the agreement Using your name and trademarks without your prior written consent

61 61 Assignment You should be able to assign your rights under the agreement to your affiliates You should obtain assurance that any provider assignee will agree to be bound by all the terms and conditions of the agreement

62 62 Exclusivity In order for customers to obtain the best pricing, providers are asking customer to contractually commit to an exclusive arrangement Before entering into such an arrangement, ensure your company has the proper protections in the agreement Excellent service levels Appropriate exceptions to exclusivity Right to transition in anticipation of termination You don t want to be bound to a poorly performing provider! Weigh pricing advantages with performance commitments and reliability of the provider

63 Post-Execution Ongoing Provider Assessment 63 Regular program of evaluating a provider s performance Provider required to supply the requisite information to access the services Notify the customer of any changes with regard to the provider Provide recommendations to improve the services

64 64 Negotiation Leverage is important you may not be able to obtain all of the protections you want Evaluate the business risks Do the services support a critical business function? Do the services involve sensitive data? Are the services customer facing?

65 65 Negotiation (cont d) If you can t get the protections you want in the most significant areas of risk, consider walking away If walking away is not an acceptable option, focus on risk mitigation For example, if the provider refuses to modify its uptime service level (arguing that it cannot separately administer an uptime warranty for different customers) focus on improved remedies and exit rights for failure to meet the service level

66 Part 5 -- Additional Issues to Consider 66 Ability to audit Lack of transparency and control Subcontracting and flow down of provisions IP issues Change management and governance/ oversight

67 67 QUESTIONS? Matt Karlyn Partner Foley & Lardner LLP 111 Huntington Avenue Boston, MA (617) Leeann Habte Associate Foley & Lardner LLP 555 S. Flower Street Los Angeles, CA (213)