Six Questions to Ask Your Cloud Vendor

A colleague who provides IT consulting to physician offices had this recent conversation with an office manager:

"You are using the SaaS version of the EHR, correct?"


"So how is your data backed up?"

"The cloud."

"What does that mean?"

"I don't know: that is what the sales person said."

As "software as a service" — also known as "SaaS" or "cloud" — applications proliferate across healthcare, they are creating new opportunities, as well as new challenges, for practices. If your practice is considering a SaaS subscription, ask your vendor these six questions during the sales process.

1. Are you HIPAA compliant?

Before you think to yourself, "well, duh," the truth is that many practices assume a vendor is compliant, without even asking.

"Going to the cloud shouldn't minimize your HIPAA concerns. If a vendor isn't HIPAA compliant, don't touch them with a 10-foot pole," advises John Brewer, my aforementioned colleague and president of Med Tech USA, LLC, a firm that provides HIPAA compliance consulting. "If they aren't willing to take on that risk, why would your practice take on theirs?"

A reputable cloud EHR or practice management vendor may well be compliant. But there's a sky full of new technology solutions for follow-up care, reminders, disease management, customer relationship management (CRM), and more. Does the vendor have a privacy policy and terms of use? Does its app have an auto-logout feature for inactivity? Are physician-patient messages transmitted securely? If the app generates automated, non-secure e-mails to patients, can the vendor confirm that the content doesn't contain protected health information (PHI)?

Be particularly picky with cloud storage vendors. Yes, they offer efficient document sharing and management for multi-site offices and those who engage offsite transcriptionists. But according to Brewer, very few are HIPAA compliant. They may encrypt their data and send it across a secure connection, but encryption and HIPAA compliance are not the same thing.

"I recommend against posting PHI to any storage service that doesn't proclaim in writing that they are HIPAA compliant," Brewer says.

2. Do you have a business associate agreement for us to sign?

The business associate agreement (BAA) is a HIPAA requirement: practices must sign one with each external organization or vendor with which they share PHI. It's a "risk reducer" that essentially guarantees the vendor will use PHI only for the purpose for which you've engaged its service, and will safeguard it from misuse.

Some practices think the vendor contract is the BAA, Brewer says. But that's not the case: it must be a separate agreement. Ideally, every practice should have its own BAA and ask all business associates (such as technology vendors) to sign it. If the vendor is hesitant to sign your BAA and doesn't have one of its own, don't do business together.

