This article can also be found in the Premium Editorial Download "Health IT: Health care cloud computing: Ensuring patient data security."
Download it now to read this article plus other related content.
The meaning of the phrase health care cloud is evolving as the U.S. health care system expands its IT infrastructure. It can refer to patient Web portals, radiology image sharing, back-office
Right now, however, health care cloud typically refers to just one thing -- Web-based electronic health records (EHR) systems, hosted by a vendor.
Regardless of how an organization uses patient data within the cloud, uptime is the key to a successful implementation and continued usability. While some CIOs and physicians have expressed reservations about using cloud vendors, the ones that make the leap typically claim that a vendor's cloud uptime is better than the uptime they could provide themselves.
One such practitioner is Kevin McGovern, who runs his four McGovern Physical Therapy Associates clinics in northern Massachusetts with cloud-based EHR, accounting and billing systems. McGovern's not eligible for the federal program that provides financial incentives to hospitals and certain health care providers who adopt EHR systems. He switched to cloud services purely for business reasons.
Before moving to a cloud EHR system from WebPT Inc., McGovern had been running a server-based EHR over a wide area network. Not only was there downtime involved, but the EHR application slowed as more people logged in to work on patient records.
His new cloud vendor isn't perfect, but the situation is a vast improvement over the previous configuration.
"Sometimes there are uptime issues, especially when the West Coast wakes up," McGovern said. "Right about noon, when our clinicians maybe have a sandwich and start to do some notes and [West Coast users] start to treat patients, you'll see it slow down -- but I know [the vendor is] working on it."
Other than that, McGovern noted, the cloud EHR service is much faster, even at its slowest, than his previous server-based EHR system.
Patient safety, liability and the health care cloud
Attorney Diana McKenzie of HunterMaclean in Savannah, Ga., has more than two decades' experience negotiating IT contracts on behalf of health care providers. She said health care cloud services are so new that she has yet to see any liability lawsuits involving cloud uptime or security issues.
"You can guess where the case law's going to go, but the fact is cloud computing really hasn't been around long enough for there to be a plethora of case law related to how the courts are going to parse through all of this," she said.
Fortunately, McKenzie continued, many principles that apply to software applications running on local networks can be applied to cloud services, too. For example, health care organizations should make cloud uptime expectations known before, not after, signing the service contract. That's also the time to do some homework on the vendor's ability to follow through on cloud uptime pledges.
Start by going over the standard vendor contract and understanding what's being offered for an "uptime warranty," which could also be called an "availability warranty."
Another component of cloud uptime is how fast the system works when it is up, falling under the category of "response time warranty." Many contracts McKenzie has seen offer 90% or 95% uptime -- which isn't close to what health care providers expect and their patients need.
While the "five nines," or 99.999%, uptime standard might be too unrealistic -- or expensive, considering vendors that guarantee five nines do so at an exponentially higher cost -- it's possible to negotiate up from the standard contract's number. There are probably some uptime options between what’s stated in the vendor standard contract and five nines, but many contracts outline only one service level, implying that there aren't other options. Ask the vendor what other lines are available, and at what cost.
Simply negotiating satisfactory cloud uptime and response time warranties doesn't protect a health care provider from getting sued by a patient whose care was affected when a cloud vendor's services went down. McKenzie said providers can protect themselves by getting insurance to cover such scenarios and by hiring an outside IT consultant to assess network infrastructure and readiness for high-volume Internet throughput.
Health care providers should also negotiate audit rights into their contract. This will let them monitor the vendor's ability to make good on promises made in the service contract relating to cloud uptime, backup and recovery from downtime. This also involves calling a vendor's customers and asking "hardball" questions -- what they like and don't like, how they rate the user experience, what the vendor does and doesn't deliver, how they rate the vendor's technical ability and support, what they got charged for that they didn't think they were going to be charged for and so on.
Regardless of how an organization uses patient data within the cloud, uptime is the key to a successful implementation and continued usability.
Speaking of auditing, doing a little background check on a cloud vendor -- or any IT vendor, for that matter -- before signing a contract can prevent crises down the road. Checking on a company's legal record, as well as the records of executives and investors, can uncover pending intellectual property lawsuits, financial improprieties and personal problems that might foreshadow trouble. In one real-life example that McKenzie is fond of sharing, a vendor CEO had been convicted of federal felonies and awaited sentencing while his company was negotiating a service agreement with one of her clients.
Of course, this isn't to say that cloud services are any more risky than their equivalents that run on applications on local networks, McKenzie said. In fact, for many health care providers, especially those in locations where IT resources are scarce, cloud vendors probably represent an improvement in security, uptime and backup/recovery systems, she said.
She concluded by advising hospitals to hire an attorney experienced in health IT law to help hammer out contracts. This saves money in the long run, McKenzie said, because inexperienced lawyers "don't know just how much you can really change in these contracts. The answer is, 'A lot.'"
HIPAA compliance requires uptime due diligence, too
Poor cloud uptime can also be a HIPAA compliance problem, said Carlos Leyva, an attorney whose HIPAASurvivalGuide.com site offers IT tips to hospital CIOs. Cloud vendors should pay close attention to four sections of the HIPAA Security Rule -- CFR 45 Part 164, Subpart C -- that relate to uptime and backup. Hospitals that enter into agreements with cloud vendors should likewise verify their ability to comply with the following rules pertaining to uptime:
- 164.306: Among many rules, HIPAA requires covered entities to ensure availability of data.
- 164.308: They must conduct risk assessments that consider threats to data availability and keep audit logs to determine information system activity.
- 164.310: They must have backup/disaster recovery plans.
- 164.312: They must comply with detailed requirements for auditing information system activity.
Leyva, of the Digital Business Law Group P.A., like McKenzie, encourages hospitals to do their due diligence before signing a contract, especially in regards to subcontracting. Since the HITECH Act expanded the scope of HIPAA, business associate agreements apply to cloud vendors the same way that compliance obligations do for hospitals. These obligations, in turn, get passed on to subcontractors.
This can get tricky, Leyva said, especially when subcontractors are located in other countries. Know to whom patient data is going and where. If there are any international partners of the cloud vendor, confirm they have agreed to comply with U.S. laws and agree to fall under the jurisdiction of U.S. law.
In the end, choose partners wisely. A health care organization's name will appear in the paper and on the federal data breach notification board when its business associates lose HIPAA-protected data, Leyva said. "The fact of the matter,” he said, “is the hospital's going to be on the hook if [it] can't get access to patient records for an extended period of time."
Although the HITECH Act and its new HIPAA rules seem like difficult mandates, they are actually "good problems" for hospitals to have, Leyva said. In the end, tougher rules will give health care a needed modernization.
"What were the backup plans when it was all on paper?" he said. "With respect to a lot of enabling technologies for running the business, [health care was] 20 or 30 years behind everybody else."
Let us know what you think about the story; email Don Fluckinger, Features Writer.
This was first published in September 2011