According to a recent Gartner Group study, annual spending on cloud-related transactions may grow to almost $150 billion worldwide by 2014. Although health care is a market segment that has generally resisted jumping into the technology explosion taking place "in the cloud," according to the CDW 2011 Cloud Computing Tracking Poll, 30 percent of health care organizations are now either implementing cloud-based solutions or are already operating such solutions.

In addition, the poll projects that current cloud users will spend more than one-third of their 2016 I.T. budget on cloud resources and applications. This ever-growing movement is driven by the flexibility, cost savings and convenience that cloud-based solutions can offer. At the same time, there are significant downsides to making the move, including the loss of control over critical I.T. systems and sensitive data. However, there are a number of ways health care organizations can manage the risks and reap the rewards of the cloud.

Benefits and risks of the cloud

The term "cloud computing" generally refers to a "public" cloud, in which users have the ability to access I.T. resources and data, on demand, from a third-party provider over the Internet. By effectively outsourcing software hosting, maintenance and support to a cloud services provider, local and regional health care organizations can obtain reliable, scalable, secure and easily available technology solutions that might otherwise be out of reach.

Health care organizations can derive substantial benefits by moving their I.T. systems and data to the cloud. According to the CDW survey, 88 percent of health care organizations that are cloud users have reduced the cost of software applications by moving them into the cloud, with an average annual savings of 20 percent.

Despite the clear cost savings, health care organizations should carefully monitor tax regulations as states begin to formulate positions on the taxability of cloud-based services. Several states have already issued administrative rulings that such services may be subject to state sales tax, and providers are certain to pass these taxes on to their customers.

Other benefits of a cloud solution include (1) fast and easy access to patient data as compared to paper files; (2) best practices data security; and (3) transaction-based pricing for access to state-of-the-art hardware and software. (Cloud users typically pay a monthly or annual subscription fee to the cloud service provider for hosting the software and data and providing Internet-based access, as well as the maintenance and support services that keep the application running.)

There are also a number of unique cloud-based solutions that can specifically benefit health care organizations, including:

* Access to encrypted EMR and EHR;

* Storage of de-identified patient data and practice guidelines in centralized databases;

* Home monitoring apps for patients; and

* Real-time collaboration by professionals using encrypted or de-identified patient data.

A cloud-based solution will, however, require health care organizations to turn over sensitive information, such as the personal health information of their patients and customers, to the provider. If an unauthorized disclosure of such sensitive information occurs, it can have particularly severe consequences for health care organizations, including significant costs of recovering/restoring the data and of notifying affected individuals of the disclosure.

Managing risks and compliance

Before agreeing to provide any information to a cloud provider, health care organizations should conduct due diligence to make sure that the entity is capable of safeguarding its information. In addition, there are a variety of contractual protections that health care organizations can use to manage data privacy and security risks, and to mandate the required response if a breach occurs. Such measures are important not only as good business practice, but also to facilitate compliance with HIPAA, the HITECH Act and other laws that apply to health care organizations.

At a minimum, any contract that involves the transfer of personal information to a cloud provider should include provisions that expressly require the provider to comply with all applicable laws and to maintain appropriate protections against the loss or destruction of such information.

Contracts should also require the cloud provider to bear the costs of remedying a data privacy/security breach, including the expensive process of notifying all of the affected patients/customers. Unless these issues are clearly addressed in the agreement, it may be difficult to recover these costs from the provider.

Periodic audits can be used to monitor whether a cloud provider has appropriately implemented the necessary safeguards to protect sensitive data. A common approach is to require each provider to undergo an annual independent audit of its data security controls for each facility where information is stored.

The provider should also be required to take appropriate measures to promptly resolve any issues identified in the audit report. In today's data-driven world, reliable cloud providers should be willing and able to perform an audit of their data centers, and health care organizations should be skeptical of any that are not.

Insurance coverage presents another opportunity to manage cloud-related data privacy and security risks. Contracts for cloud-based services should require providers to maintain appropriate insurance policies that cover the insured's losses from data security breaches, as well as payments required by law to be made to third parties as a result of a breach. Health care organizations that choose to implement cloud-based solutions should also be certain that their own insurance coverage provides appropriate protection from cloud-based risks.

When moving to a cloud-based technology solution, a health care organization essentially hands over control of its I.T. operations to the cloud provider, including the ability to make changes to the technology itself. If the provider experiences a problem, either with its own software and systems or those of a third-party service provider on which it relies, a health care organization could find its entire network adversely affected.

Therefore, it becomes particularly important to negotiate certain contractual rights against the provider in the event of a problem. For example, the availability/uptime of the system in the cloud and other appropriate service levels, such as minimum system response times, should be specifically addressed in the contract, as should the remedies available if the provider fails to make the cloud-based solution available as agreed.

Credits against subscription fees, termination rights or other rights triggered by a failure to meet service level commitments may also be needed to incentivize cloud providers to deliver the agreed-upon level of performance and ensure a meaningful remedy if they fall short.

Termination rights

When handing over data to a provider in the cloud, health care organizations risk putting one of their most valuable assets (data) at the mercy of the provider in the event of a dispute. If the provider suspends its services or refuses to allow access to data, a health care organization may suddenly be unable to service its patients or customers. As a result, health care organizations should incorporate important protections into any provider agreements, including:

* Termination rights;

* Cure periods to allow time for a breach of contract to be remedied before the provider terminates or suspends services;

* Rights to access and retrieve data at any time; and

* Termination assistance if operations and data need to be moved to another provider.

Careful consideration required

Most health care organizations today are accustomed to an I.T. infrastructure built on a traditional licensed software platform. Therefore, transitioning to cloud-based solutions raises new commercial and legal issues that should be carefully considered before making the move to this "undiscovered country."

The important thing to remember is that no one has to go it alone. Attorneys and other advisors who understand the nature of cloud-based solutions, the risks they pose and the ways to mitigate these risks can help health care organizations make the right decisions and take advantage of all that cloud computing has to offer.

James M. Kunick is Chair of the Intellectual Property & Technology group at Chicago-based law firm Much Shelist. He has nearly two decades of experience representing regional and multinational clients in a broad range of intellectual property, information technology and corporate transactions. Kunick can be contacted at (312) 521-2772 or at

This article first appeared on the HealthData Management web site

