A colleague who provides IT consulting to physician offices had this recent conversation with an office manager:
"You are using the SaaS version of the EHR, correct?"
"So how is your data backed up?"
"What does that mean?"
"I don't know: that is what the sales person said."
As "software as a service" — also known as "Saas" or "cloud" — applications proliferate across healthcare, they are creating new opportunities, as well as new challenges for practices. If your practice is considering a Saas subscription, ask your vendor these six questions during the sales process.
1. Are you HIPAA compliant?
Before you think to yourself, "well, duh," the truth is that many practices assume a vendor is compliant, without even asking.
"Going to the cloud shouldn't minimize your HIPAA concerns. If a vendor isn't HIPAA compliant, don't touch them with a 10-foot pole," advises John Brewer, my aforementioned colleague and president of Med Tech USA, LLC, a firm that provides HIPAA compliance consulting. "If they aren't willing to take on that risk, why would your practice take on theirs?"
Be particularly picky with cloud storage vendors. Yes, they offer efficient document sharing and management for multi-site offices and those who engage offsite transcriptionists. But according to Brewer, very few are HIPAA compliant. They may encrypt their data and send it across a secure connection, but encryption and HIPAA compliance are not the same thing.
"I recommend against posting PHI to any storage service that doesn't proclaim in writing that they are HIPAA compliant," Brewer says.
2. Do you have a business associate agreement for us to sign?
The business associate agreement (BAA) is a HIPAA requirement: Practices must sign one with each external organization or vendor with which they share PHI. It's a "risk reducer" essentially guaranteeing the vendor will use PHI only for the purpose for which you've engaged in its service, and safeguard it from misuse.
Some practices think the vendor contract is the BAA, Brewer says. But that's not the case, it must be separate agreement. Ideally, every practice should have its own BAA, and ask all business associates (such as technology vendors) to sign it. If the vendor is hesitant to provide a signature on your BAA, and doesn't have one of its own, don't do business together.