An increasing number of health care providers are outsourcing the hosting and maintenance of software applications, the storage of data, and related support services. Outsourcing can provide cost savings, rapid deployment, system scalability, other efficiencies, and appropriate data security. It also introduces additional issues into the provider’s risk management analysis, largely based on the fact that a third party rather than the provider has possession and control of vital and sensitive assets and information. Before you enter into a contract that includes a cloud computing component, you should consider some of the following:
- No business decision or activity is risk-free. Risk management is a balancing process based on the particular facts and circumstances. For example, a provider may be less concerned about its inability to access its web-based job application submission portal than about its inability to access its electronic health record application. Not all risks are the same, and a provider should devote more attention and resources to managing its greatest risks.
- Risk management is a team sport. Effective risk management requires the participation and interaction of representatives of the intended user group, financial analysts, compliance officers, information technology and data security experts, and legal counsel experienced in advising on and negotiating the particular type of contract.
- The final form of the contract will not be perfect. Almost always, the parties start the negotiation process with the vendor’s “standard” contract. Almost always, it is a one-sided document designed to protect the vendor’s interests vigorously. The key is to determine which issues to focus on in light of the particular facts and circumstances, including the reputation and financial strength of the vendor, the results of the provider’s inquiries to other users of the software or service and other due diligence, the importance of the application and the impact of its unavailability or failure to perform properly or effectively, and the provider’s ability to transition to another vendor or solution quickly if necessary.
- Start early. A provider will be in a much better position to manage its risks if it discusses key risk management and contract issues with the potential vendors for a project up front in the RFP stage. This lets each vendor know what is important to its potential customer and that its inability to meet its potential customer’s needs may result in its loss of the business. Reviewing the vendor’s form contract for the first time when you have completed the selection process and are under pressure to sign and start work on the project unnecessarily reduces the effectiveness of your risk management process and gives additional leverage to the vendor.
- Have a plan. Before you start your next outsourcing project, develop a checklist of items that are important to you, including due diligence items you will want to review and provisions you will want any contract to include. Customize your checklist for the particular project. Then include the checklist in your RFP or other early investigation document and ask each potential vendor to respond to it. You will have greater leverage in this early stage of the sales cycle.
To read more about cloud computing contract issues for healthcare providers, please see these materials from a recent presentation I gave at the annual North Carolina Bar Association Health Law Section meeting.