Feature | June 03, 2014 | Dave Fornell

Navigating Negotiations With Cloud and Mobile IT Vendors

Questions to ask, and legal advice to avoid hidden pitfalls in contracts

Even for the most seasoned radiologists and hospital administrators, the rapid advances in new technology such as cloud storage, Web-based software and mobile apps may leave some wondering where to start when vetting healthcare IT vendors. If this description fits you, you are not alone; a session on this topic was packed solid during the 2014 Healthcare Information and Management Systems Society (HIMSS) annual meeting in February.

“Outsourcing data or applications to a cloud provider does not mean you should be hands-off — you need to conduct due diligence and monitor the vendor’s performance. You are ultimately responsible for the confidentiality, integrity and availability of your patients’ data,” explained attorney Steven Fox, principal, Post & Schell PC, which specializes in healthcare data protection and breaches. “In a cloud, your data is not directly under your control and that makes me nervous and it should make you nervous too.” 

He contends vendors need to be held accountable and maintain complete transparency if they are going to be responsible for your data. For this reason, when evaluating vendors it is important to identify how each vendor handles a security incident involving protected health information, added Lee Kim, director, privacy and security, HIMSS, who also spoke at the session. She said providers need to assess the steps vendors take to ensure medical devices, applications and patient data are secure and meet HIPAA and other regulatory requirements. This includes how the vendor would handle the loss or theft of a device, or of data that may contain patient information such as credit card or Social Security numbers that might be used for fraud. “The less you have to deal with data losses and breaches the better,” said Kim.

Gathering Data on Prospective Vendors

Fox said it is important to learn as much about a vendor as possible before they store your data. He suggests evaluating vendors to see if their technology is consumer- or medical-grade quality, and added that the maturity of their technology may also play a role in security. In addition, look at the personnel handling the data for the vendor. “If a vendor is resistant or hesitant in sharing information or says ‘that is none of your business,’ then maybe that is not a vendor you want to work with,” Fox said. “You need them to be as transparent as possible.” 

When approaching vendors, especially those a provider has worked with in the past, he suggests maintaining the mindset that vendors are not your friends. “They are your business partners, and you need to look at them that way,” Fox said. “Even if Jim the vendor is your friend, you need to do your due diligence. What do you know about this vendor? You want to ask a lot of questions when you are talking to a cloud vendor.”

Use RFP as an Accountability Tool

Fox said facilities should come up with a list of very specific questions they want answered when evaluating cloud vendors. These should be written into the request for proposal (RFP) that is sent out to prospective vendors, forcing them to answer each point. When a vendor is chosen, its RFP responses should be included in the final contract language. If a vendor resists this, it might mean they were saying what they thought you wanted to hear rather than what they can actually deliver. Fox said he has had vendors backpedal on these points when the information was written into the contract, which helped clarify the reality of what that vendor could truly offer.

Fox has a standard list of questions for cloud vendors, including:

• Is the data stored in the United States or outside the country?

• How will the vendor use the data? Often vendors will de-identify patient data to resell for research or big-data analytics. However, Fox said even if the data is de-identified, it might be possible for people who are very tech savvy to pull a patient’s identification, partial identification or other information from the data. For this reason he suggests asking the vendor to indemnify you for any loss or breach of patient data.

• Is data stored in a proprietary format or is it readily readable and convertible to other systems? This will be important if a facility needs to migrate its data to another vendor.

• Does the vendor have a disaster recovery plan for data backup? If not, Fox said you might not want to use the vendor in case there is ever a flood, hurricane, tornado or fire where the data is stored. Also, he suggests thinking outside the box. He said an upper story of a building can still flood or suffer water damage if a water or sprinkler pipe leaks or a toilet overflows.

• What happens if a vendor goes bankrupt or out of business?

• Has the vendor demonstrated the ability to successfully create interfaces to your particular system? If so, Fox suggests asking for contact information at the previously interfaced facility to speak with them directly and hear their view of how the system works. 

• Will the hospital still have access to the data if there is no Internet access? Fox said issues with weather or an Internet provider may cause loss of Web access. If that happens, the hospital may want to keep a copy of the data onsite as a backup. 

• Does the vendor have any third-party certifications? 

• Fox suggests asking for copies of a vendor’s data and site security policies. Many small vendors may not have these, which could raise a red flag to their plan or ability to properly secure your data. 

• How long will it take to recover data after a disaster?

• Does the vendor contract out its cloud storage to subcontractors?

• Is the license perpetual or only for a set time limit? Some software licensing fees are for set periods, say seven years, after which the vendor charges the fee again. 

• Include acceptance testing in the contract to ensure the technology works with your systems.

Fox also suggested including any warranties in the RFP. He said to make sure these cover compliance with the documentation and specifications listed in the contract, interoperability/interfaces, compliance with laws and regulations, security and virus protection, and language to address sunset issues.

The Contract

Fox offers the advice to never accept a vendor’s standard contract. He also warns that every word in a contract has meaning. Most contracts need edits to address the concerns above. “The contract is really, really important — you want to have a solid one,” Fox said. “The vendor might say ‘none of our other vendors have made this many contract changes,’ but it is important that every word of a contract is read.”

Look in the vendor’s contract for language on limitations of liability or indemnification. Fox said some vendors want you to indemnify them against issues arising from use of their software.

When finalizing a contract, he suggests not accepting PDFs — they are difficult to edit and often delay the contract signing. Accepting a draft contract in Microsoft Word is best, but make sure to ask for an unlocked copy so edits can be made or notes added.

As a final suggestion, Fox urged not getting involved with vendors who want help co-developing software. He suggested not getting involved in software development clauses, which often result in an IT project becoming a money pit.
