Feature | June 03, 2014 | Dave Fornell

Navigating Negotiations With Cloud and Mobile IT Vendors

Questions to ask, and legal advice to avoid hidden pitfalls in contracts

Even for the most seasoned radiologists and hospital administrators, the rapid advances in new technology such as cloud storage, Web-based software and mobile apps may leave some wondering where to start when vetting healthcare IT vendors. If this description fits you, you are not alone; a session on this topic was packed solid during the 2014 Healthcare Information and Management Systems Society (HIMSS) annual meeting in February.

“Outsourcing data or applications to a cloud provider does not mean you should be hands-off — you need to conduct due diligence and monitor the vendor’s performance. You are ultimately responsible for the confidentiality, integrity and availability of your patients’ data,” explained attorney Steven Fox, principal, Post & Schell PC, which specializes in healthcare data protection and breaches. “In a cloud, your data is not directly under your control and that makes me nervous and it should make you nervous too.” 

He contends vendors need to be held accountable and maintain complete transparency if they are going to be responsible for your data. For this reason, when evaluating vendors it is important to identify how each vendor handles a security incident involving protected health information, added Lee Kim, director, privacy and security, HIMSS, who also spoke at the session. She said providers need to assess the steps vendors use to ensure medical devices, applications and patient data are secure and meet HIPAA and other regulatory requirements. This includes how the vendor would handle the loss or theft of a device, or data that may contain patient information such as credit card or social security numbers that might be used for fraud. “The less you have to deal with data losses and breaches the better,” said Lee.

Gathering Data on Prospective Vendors

Fox said it is important to learn as much about a vendor as possible before they store your data. He suggests evaluating vendors to see if their technology is consumer- or medical-grade quality, and added that the maturity of their technology may also play a role in security. In addition, look at the personnel handling the data for the vendor. “If a vendor is resistant or hesitant in sharing information or says ‘that is none of your business,’ then maybe that is not a vendor you want to work with,” Fox said. “You need them to be as transparent as possible.” 

When approaching vendors, especially those a provider has worked with in the past, he suggests maintaining the mindset that vendors are not your friends. “They are your business partners, and you need to look at them that way,” Fox said. “Even if Jim the vendor is your friend, you need to do your due diligence. What do you know about this vendor? You want to ask a lot of questions when you are talking to a cloud vendor.”

Use RFP as an Accountability Tool

Fox said facilities should come up with a list of very specific questions they want answers to when evaluating cloud vendors. These should be written into the request for proposal (RFP) that is sent out to prospective vendors to force them to answer each point. When a vendor is chosen, the responses in their RFP should be included in the final contract language. If a vendor resists this, it might mean they were trying to say what they thought you wanted to hear rather than what they can actually deliver. Fox said he has had vendors backpedal on these points when the information was written into the contract, which helped clarify the reality of what that vendor could truly offer.

Fox has a standard list of questions for cloud vendors, including:

• Is the data stored in the United States or outside the country?

• How will the vendor use the data? Often vendors will de-identify patient data to resell for research or big-data analytics. However, Fox said even if the data is de-identified, it might be possible for people who are very tech savvy to pull a patient’s identification, partial identification or other information from the data. For this reason he suggests asking the vendor to indemnify you for any loss or breach of patient data.

• Is data stored in a proprietary format or is it readily readable and convertible to other systems? This will be important if a facility needs to migrate its data to another vendor.

• Does the vendor have a disaster recovery plan for data backup? If not, Fox said you might not want to use the vendor in case there is ever a flood, hurricane, tornado or fire where the data is stored. Also, he suggests thinking outside the box. He said an upper story of a building can still flood or suffer water damage if a water or sprinkler pipe leaks or a toilet overflows.

• What happens if a vendor goes bankrupt or out of business?

• Has the vendor demonstrated the ability to successfully create interfaces to your particular system? If so, Fox suggests asking for contact information at the previously interfaced facility to speak with them directly and hear their view of how the system works. 

• Will the hospital still have access to the data if there is no Internet access? Fox said issues with weather or an Internet provider may cause loss of Web access. If that happens, the hospital may want to keep a copy of the data onsite as a backup. 

• Does the vendor have any third-party certifications? 

• Fox suggests asking for copies of a vendor’s data and site security policies. Many small vendors may not have these, which could raise a red flag about their plan or ability to properly secure your data.

• How long will it take to recover data after a disaster?

• Does the vendor contract out its cloud storage to subcontractors?

• Is the license perpetual or only for a set time limit? Some software licensing fees are for set periods, say seven years, after which the vendor charges the fee again. 

• Include acceptance testing in the contract to ensure the technology works with your systems.

Fox also suggested including any warranties in the RFP. He said to make sure these include compliance with documentation and specifications listed in the contract, interoperability/interfaces, compliance with laws and regulations, security and virus protection, and language to address sunset issues.

The Contract

Fox offers the advice to never accept a vendor’s standard contract. He also warns that every word in a contract has meaning. Most contracts need edits to address the concerns above. “The contract is really, really important — you want to have a solid one,” Fox said. “The vendor might say ‘none of our other vendors have made this many contract changes,’ but it is important that every word of a contract is read.”

Look in the vendor’s contract for language for limitations of liability or indemnification. Fox said some vendors want you to indemnify them against issues with use of their software.

When finalizing a contract, he suggests not accepting PDFs — they are difficult to edit and often delay the contract signing. Accepting a draft contract in Microsoft Word is best, but make sure to ask for an unlocked copy so edits can be made or notes added.

As a final suggestion, Fox urged not getting involved with vendors who want help co-developing software. He suggested not getting involved in software development clauses, which often result in an IT project becoming a money pit.
