Six Questions to Ask Your Cloud Vendor

July 16, 2013

A cloud vendor may tell you it's HIPAA compliant, but related technology needs to comply as well. Here's how to make sure your bases are covered.

A colleague who provides IT consulting to physician offices had this recent conversation with an office manager:

"You are using the SaaS version of the EHR, correct?"

"Yes."

"So how is your data backed up?"

"The cloud."

"What does that mean?"

"I don't know: that is what the sales person said."

As "software as a service" - also known as "SaaS" or "cloud" - applications proliferate across healthcare, they are creating new opportunities, as well as new challenges, for practices. If your practice is considering a SaaS subscription, ask your vendor these six questions during the sales process.

1. Are you HIPAA compliant?

Before you think to yourself, "well, duh," the truth is that many practices assume a vendor is compliant, without even asking.

"Going to the cloud shouldn't minimize your HIPAA concerns. If a vendor isn't HIPAA compliant, don't touch them with a 10-foot pole," advises John Brewer, my aforementioned colleague and president of Med Tech USA, LLC, a firm that provides HIPAA compliance consulting. "If they aren't willing to take on that risk, why would your practice take on theirs?"

A reputable cloud EHR or practice management vendor may well be compliant. But there's a sky full of new technology solutions for follow-up care, reminders, disease management, customer relationship management (CRM), and more. Does the vendor have a privacy policy and terms of use? Does its app have an auto-logout feature for inactivity? Are physician-patient messages transmitted securely? If the app generates automated, non-secure e-mails to patients, can the vendor confirm that the content doesn't contain protected health information (PHI)?

Be particularly picky with cloud storage vendors. Yes, they offer efficient document sharing and management for multi-site offices and those who engage offsite transcriptionists. But according to Brewer, very few are HIPAA compliant. They may encrypt their data and send it across a secure connection, but encryption and HIPAA compliance are not the same thing.

"I recommend against posting PHI to any storage service that doesn't proclaim in writing that they are HIPAA compliant," Brewer says.

2. Do you have a business associate agreement for us to sign?

The business associate agreement (BAA) is a HIPAA requirement: Practices must sign one with each external organization or vendor with which they share PHI. It's a "risk reducer" essentially guaranteeing that the vendor will use PHI only for the purpose for which you've engaged its service, and safeguard it from misuse.

Some practices think the vendor contract is the BAA, Brewer says. But that's not the case: it must be a separate agreement. Ideally, every practice should have its own BAA, and ask all business associates (such as technology vendors) to sign it. If the vendor is hesitant to sign your BAA, and doesn't have one of its own, don't do business together.

3. Where will my data be stored?

Where, exactly, is all your PHI and billing data being stored? It might be located in the vendor's own facility, and protected under their policies - but very likely, it's not.

Many cloud vendors themselves use a cloud solution for storage. If the cloud vendor you are about to subscribe to is using a hosting company to store your data, you need to find out if that company is HIPAA compliant. What are their security procedures and is your cloud vendor covered under a BAA with that hosting company? Where are the data centers (containing your billing data and PHI) physically located? Ideally, you'd like for them to be in multiple locations, so in case of a natural disaster in one location, your data is still available in the other.

4. What is your data backup plan?

Make sure the vendor has systematic data backup procedures. Ask how often backups are completed, where the data is stored, and whether there are multiple copies (called redundant data sets, or redundant copies) that can speed data restoration after disaster.

"Patient data is important, but you could see patients without it if you had to," Brewer says. He adds, "If your billing data gets blown away, your cash flow stops immediately."

5. What is your disaster recovery plan?

If you're hoping that the cloud vendor will assume all disaster planning and recovery headaches, think again. The cloud doesn't get your practice off the hook - it just changes the procedures and your role.

Find out exactly what your practice's role will be in restoring data when there is a disaster. For example, what exactly will your manager or IT professional need to do? What is the authentication process for restoring your virtual private network (VPN) and your data? "Your practice needs to have written procedures for working with the vendor to 'stand up' a restored data set after a disaster has taken it offline," insists Brewer.

6. Which browsers do you support?

Most cloud vendors don't support the old versions of Internet browsers - the very browser versions that many practices still use. That means some of the cloud app's features may not work "as advertised," or at all, if you use, say, Internet Explorer 6 or Firefox 3.6.

Review the vendor's technical requirements before you sign. They may require your practice to upgrade or change your existing browsers. Depending on the size of your practice or your IT environment, this may add to the total cost of purchase and implementation.

Cheryl Toth is a writer, speaker, and tech coach with Chicago-based KarenZupko & Associates, Inc. She is passionate about technology adoption, innovative service ideas, and operational improvements that improve practice profitability and the patient experience.