Cloud-based software models are becoming more and more popular, but there are some important questions to ask before making the switch.
A while back the HIPAA landscape experienced sweeping changes to the rules and regulations surrounding protected health information (PHI).
Penalties were increased, patients were given more rights, and business partners of groups and practices were held more accountable. These changes happened as cloud-based software models were becoming more popular.
In a cloud-based model, your patient data will reside at a data center which either the vendor has contracted with or manages themselves. So, even though a cloud-based model and data center will typically offer you better security for your data because of the technology they use and expert staff available, they control the access to your patient data.
To make sure you are picking the best long-term partner in a cloud-based world, here are a few HIPAA-related questions that you might want to ask your cloud vendor if you are contemplating a cloud-based software model.
1) Are you willing to sign a business associate agreement (BAA)? A business associate agreement is a contract between you and the data center that basically lays out the rules of the road regarding what your rights and their rights are and what the penalties are concerning breaches of HIPAA. If a vendor is not willing to sign a business associate agreement I would first ask them why and then run away.
2) Do you have a HIPAA-compliance certification? This means that the data center your cloud vendor is using has gone through a rigorous evaluation to show that it is HIPAA compliant. Anybody with a few bucks can start a data center, but not all data centers are HIPAA compliant. With cloud computing getting more and more popular there are a lot more players out there trying to cash in on the gold mine. So don’t just trust the salesperson that their data center is HIPAA compliant without checking on what their certifications are.
3) Does everyone in your data center who has access to the database have awareness, education and training on HIPAA compliance? This includes the rules and regulations surrounding HIPAA as they relate to the data center, as well as how to recognize and report breaches.
4) Do you have a process to keep updated on HIPAA legislation and rules? HIPAA will constantly change because it’s a federal program and because we have more and more data floating around in the cloud. You can technically have a data center that understands HIPAA as it stands now but do they have a plan for keeping updated as it changes?
5) Do you have policies and procedures regarding data breaches? It is one thing to be aware of a potential data breach but quite another to be able to effectively communicate that breach to you, the customer, since at the end of the day you will take the hit should your PHI be breached.
6) Do you have a service level agreement (SLA) that you execute with your customers? With a proper service level agreement, you’ll be assured of how you will be taken care of in case of an issue and what the penalties and remedies are if the data center does not take care of you per the SLA. Typically you do not find vendors putting various support guarantees in their agreements. Does your data center walk the walk as well as talk the talk when it comes to taking care of your data?
7) Do you address aspects of HIPAA compliance in your standard software and data hosting contract? HIPAA compliance needs to be called out within the contract, and the contract needs provisions for changing regulations. Many times when I review contracts it might say that the vendor is HIPAA compliant but doesn't really get into any detail.
Next: Technical questions to consider...
1) Do you store your PHI outside of the United States? The data center could be anywhere; it could be in Texas, it could be in California or it could be in Mexico. The reason it is important to discern this is because if your data is stored in a different country and there's a breach there might be an issue in terms of liability and remedies.
2) Can you provide details on backup and recovery processes? Does the data center continually test the backup and recovery processes for reliability and accuracy? Too many times a data center will just say that it has regular backups but it is important to understand how the backup processes work. Most agreements don't detail how this happens. I have had groups and practices come to me that had issues because their partner’s backups weren't reliable. In one specific case we found out that the data center had not regularly tested their backup and recovery processes for reliability.
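The restore test the question above is asking about is something a practice can request evidence of, or run against its own exports. The script below is an added example written for this article, not code from any vendor or data center mentioned in it. It assumes a plain file-based export backed up as a gzipped tar (the SAMPLE_FILES data is constructed for the demonstration): it records a SHA-256 manifest before the backup, restores the archive into a scratch directory that is not the live data, and compares every restored file against the manifest. The `tamper` option corrupts one restored file and deletes another so you can see that the check reports a bad restore rather than just confirming "a backup exists".

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample data standing in for a practice's PHI database export.
SAMPLE_FILES: Dict[str, bytes] = {
    "records/patient_0001.json": b'{"id": 1, "note": "cleaning"}',
    "records/patient_0002.json": b'{"id": 2, "note": "crown prep"}',
    "schema/version.txt": b"42\n",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large exports don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(root: Path) -> Dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Create a gzipped tar of the source tree and return the archive path."""
    return Path(shutil.make_archive(str(backup_dir / "backup"), "gztar", root_dir=source))


def restore_backup(archive: Path, restore_dir: Path) -> None:
    """Unpack the archive into a scratch directory, never over the live data."""
    shutil.unpack_archive(str(archive), str(restore_dir), "gztar")


def verify_restore(expected: Dict[str, str], restored_root: Path) -> Tuple[bool, List[str]]:
    """Compare the restored tree against the manifest taken before the backup."""
    actual = snapshot_hashes(restored_root)
    problems: List[str] = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in actual if rel not in expected)
    return (not problems, problems)


def _populate(src: Path, files: Dict[str, bytes]) -> None:
    """Write the constructed sample files into the source directory."""
    for rel, content in files.items():
        target = src / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_restore_drill(files: Dict[str, bytes], tamper: bool = False) -> Tuple[bool, List[str]]:
    """Full drill: manifest -> backup -> restore -> verify.

    With tamper=True the first restored file (sorted by name) is overwritten and
    the second is deleted before verification, simulating a restore that silently
    lost or damaged data; the returned problem list should name both files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, bak, rst = root / "source", root / "backups", root / "restore"
        for d in (src, bak, rst):
            d.mkdir()
        _populate(src, files)
        expected = snapshot_hashes(src)
        archive = make_backup(src, bak)
        restore_backup(archive, rst)
        if tamper:
            names = sorted(files)
            (rst / names[0]).write_bytes(b"garbage")
            (rst / names[1]).unlink()
        return verify_restore(expected, rst)


if __name__ == "__main__":
    print("clean restore:", run_restore_drill(SAMPLE_FILES))
    print("tampered restore:", run_restore_drill(SAMPLE_FILES, tamper=True))
```

The point of keeping the manifest separate from the archive is that a backup job can succeed while still producing an archive that does not restore cleanly; only a restore into scratch space followed by a file-by-file comparison answers the question of whether the backup is usable. A data center that runs this kind of drill on a schedule should be able to show you the dated results.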
3) Do you have redundancy, mirrored data and failover? A good data center that is HIPAA compliant will have the ability to have your data stored in real time on different servers. This cuts down on any hassles should there be a data problem.
4) Do you have processes and procedures to permanently delete data should there be a need to? For example, if you leave that data center to go to another vendor, then you certainly would want to know that your data had been permanently deleted and there was no possibility of a breach. You need assurances that your PHI is no longer floating around at the data center.
Signing on to a cloud-based software model can be a wonderful thing. It can take all the IT work and hassles involved out of your hands so you can focus on the business of dentistry. And, as mentioned above, a good data center can provide great security and protection from hacks and data breaches. However, as we all know, no system is impenetrable, and it is up to you to understand the HIPAA considerations regarding the data center that will be storing your patient data before signing on with a cloud-based software vendor.