Raymond D. Aller, MD, and Hal Weiner
Negotiating SaaS contracts: what to do and what to avoid
As the trend in cloud computing continues, in part as a way to reduce capital investment costs, laboratory decision-makers must learn the nuances of how to vet this type of vendor and negotiate software-as-a-service agreements. Without this knowledge, they risk entering into a less-than-satisfactory contractual arrangement that can cost them money, industry experts say.
“I have clients who reach out to me when things go wrong,” says health care and information technology attorney Tatiana Melnik, JD, of Melnik Legal, PLLC, in Tampa, Fla. Melnik gave a talk on how to handle information technology agreements at the 2015 American Society for Clinical Pathology meeting in October. Obviously, it’s much better to prevent problems before a service agreement is signed, she notes.
The HIPAA Omnibus final rule of 2013, which, in part, clarifies vendor responsibilities for health care IT security requirements, plus numerous high-profile data breaches costing millions, even billions, of dollars bring into sharp relief the need for caution and attention to detail before and during contract negotiations.
Contracting with a major laboratory information system vendor, such as Cerner, for virtual software hosting is much less risky than signing an agreement with a broad-based cloud service provider that may have servers in foreign countries, says molecular genetic pathologist Alexis B. Carter, MD, the physician informaticist for the laboratory at Children’s Healthcare of Atlanta. Dr. Carter is past-president of the Association for Pathology Informatics.
To minimize their risks, pathology labs should take the following precautions, among others, when considering SaaS agreements:
Scrutinize the vendor. “When you’re looking at cloud computing, it’s really important to do due diligence on the vendor,” Melnik says. She recommends reading the “about us” page on the vendor’s website to find out when the company was founded, its size, and who manages it. Today, it’s all too easy for a college student to start a cloud computing company, she notes. Pathologists need to make sure that their potential SaaS partner is an established firm that is large enough to have a legal and compliance department. For a quick gauge of the vendor’s regulatory compliance record, Melnik recommends asking the sales representative a simple but critical question: “When was the last time you had HIPAA training?”
Identify where your institution’s data would reside. SaaS vendors sometimes develop the technology but don’t run their own infrastructure, Melnik points out. “If they don’t actually own the server and the hardware, you need to understand not only your direct vendor, but also the data center,” she says. “Those business associate obligations to privacy and security have to flow down to that end vendor.” If a lab would be sharing a server with other tenants at a third-party data center, it’s crucial to determine whether rigorous access controls would be in place to prevent “neighbors” from having contact with the laboratory’s data.
Ensure user audit rights. Make sure the vendor grants user audit rights, Melnik urges. “That should ensure your right to see not only their policies and procedures, but also a copy of their HIPAA risk analysis,” she says. If the vendor uses a third-party data center, obtain risk analyses for both entities.
Insist on data breach insurance. Remediating a data breach in the U.S. health care industry costs $398 per record, according to The Ponemon Institute’s 2015 study on health care privacy and security. “Health care, at the moment, is the most expensive industry for data breaches,” Melnik says. Consequently, pathology labs need to make sure SaaS vendors have data breach insurance. “Part of the reason you want to mandate insurance coverage is that it doesn’t matter how good an indemnification provision is,” Melnik explains. “If vendors agree to indemnify you 100 percent for anything that happens but they don’t have the money to do it, you are going to have to cover the costs. You need to make sure they have the money to meet their obligations.”
Specify expected uptime. Dr. Carter stresses the need to specify expected uptime in SaaS contracts. “A lab can’t operate only 23 hours a day,” she says. “You have to operate 24/7, with at least 99 percent expected uptime. If your connections to remote servers can be cut every once in a while because somebody is doing power testing, that is not an acceptable situation.” Labs have to spell this out in contracts or they won’t have legal recourse, she says.
Understand pricing. In addition to asking for current pricing, it’s important to learn when and under what circumstances prices can increase, Melnik says. Also, be sure to identify all hidden costs. Find out whether additional charges will be applied for regulatory compliance review. And determine the cost of transitions. “Assume that we want to terminate the contract, and we need to get the data out,” says Melnik. “How much is that going to cost you? And how is that charged?” Furthermore, if a lab terminates a contract for convenience, how are cancellation fees calculated? “You want to make sure that you won’t pay cancellation fees if you terminate for material breach,” she adds.
In a nutshell, cover all the bases before signing a contract, Dr. Carter advises. “Once the contract has been signed, good luck getting vendors to change their practices,” she says. “It has been my experience that your leverage is always highest before you buy.” —Carolyn Schierhorn
FDA testing bioinformatics platform
The FDA, last month, began beta testing its PrecisionFDA bioinformatics platform, which is a component of President Barack Obama’s Precision Medicine Initiative. The agency is developing the open-source genomics platform through a collaboration with DNAnexus, which provides a global network for sharing and managing genomics data and tools.
“PrecisionFDA will provide the community with a research-and-development portal that will enable researchers and test developers to test, pilot, and validate existing and new bioinformatics approaches for processing next-generation sequencing,” the FDA reports. For example, users will be able to share information and cross-validate tests or results against crowd-sourced reference material.
DNAnexus expects the platform will be used by NGS-based test providers, biotechnology and pharmaceutical companies, academic medical centers, standards-making bodies, and research consortia, among others.
“PrecisionFDA will offer community members access to secure and independent work areas where, at their discretion, their software code or data can either be kept private or shared with the owner’s choice of collaborators, FDA, or the public,” says Taha Kass-Hout, MD, the FDA’s chief health informatics officer and director of the FDA’s Office of Health Informatics. “Initially,” he adds, “PrecisionFDA’s public space will offer a wiki and a set of open-source or open-access reference genomic data models and analysis tools developed and vetted by standards bodies, such as the National Institute of Standards and Technology.”
CPSI to purchase Healthland
Computer Programs and Systems Inc. has signed a definitive agreement to acquire Healthland Holdings and its Healthland, American HealthTech, and Rycan Technologies affiliates.
“Healthland’s acquisitions of American HealthTech, a provider of EHR solutions for post-acute care facilities, in 2013, and Rycan, a revenue cycle solutions company, in April 2015, provide immediate benefits to the markets and solutions that the combined company can leverage,” says Healthland CEO Chris Bauleke.
Following the acquisition, support for Healthland’s Classic and Centriq hospital information systems will remain in place and current implementations will continue, CPSI reports. CPSI plans to support and invest in the Centriq platform for at least the next seven years and the legacy Classic platform for a minimum of two years.
“Healthland’s history tracks a very similar course to that of CPSI, as we both have over 30 years of experience in the health care IT space,” says Boyd Douglas, president and CEO of CPSI. Both companies offer a suite of clinical, administrative, and financial software.
Carequality collaborative releases interoperability framework
The public-private collaborative Carequality has published the Carequality Interoperability Framework, guidelines that support greater data exchange in the health care marketplace.
The document is intended to help health care technology vendors, providers, and insurers, among others, share data across electronic platforms in a more seamless manner.
Twelve undisclosed organizations will test the framework by initially focusing on the query-based exchange of clinical documents. However, Carequality reports, “the framework was developed to support an unlimited variety of use cases.”
“The beauty of the framework is that it’s general; it can be applied to any type of content and any technical architecture,” says Dave Cassel, director of Carequality. “We’re starting with document queries because those capabilities are widely supported in the field, but that’s obviously not the last word in interoperability. The framework provides the governance and trust foundation required for any type of widespread connectivity in health care.”
The guidelines detail the legal terms, technical specifications, policy requirements, and governance processes that organizations should adopt to facilitate health information exchange. Full access to all resources is available on the Carequality wiki.
Carequality is part of the nonprofit Sequoia Project information exchange network. Among Sequoia’s members are the vendors Epic, Cerner, and eClinicalWorks, and the health care systems Kaiser Permanente, Intermountain Healthcare, and Dignity Health, as well as health care industry associations and other groups.
Xifin enters partnership with QualityStar
Xifin has signed an agreement with the anatomic pathology quality assurance services provider QualityStar to market QualityStar’s cloud-based case review service.
Xifin will offer the service as an app on the Xifin ProNet physician collaboration portal of its Health Economics Optimization platform. The app is intended to facilitate the confidential, HIPAA-compliant, secure exchange of cases for quality assurance review by QualityStar’s national network of National Institutes of Health/National Cancer Institute-designated cancer centers and subspecialty pathologists.
“Offering our anatomic pathology customers convenient access to QA services advances our ability to provide the cloud-based exchange of images and case data needed to support collaboration and reduce misdiagnosis to improve clinical quality and economic performance,” says Chrystal Adams, associate vice president of product line management at Xifin.
Psyche recognized by magazine for CIOs
Psyche Systems was recently named one of the top 50 most promising health care solutions providers of 2015 by CIOReview magazine. Psyche was awarded the honor for its NucleoLIS automated, standalone molecular laboratory information system.
The distinction is based on Psyche’s ability to seamlessly host its solutions, the company reports. NucleoLIS provides automatic updates and upgrades, guaranteed system uptime, and disaster recovery.
The annual CIOReview top 50 list is selected by a panel of health care industry experts, including CEOs, chief information officers, and analysts, as well as members of the magazine’s editorial board.
Psyche Systems, 508-473-1500
Dr. Aller is director of informatics and clinical professor in the Department of Pathology, University of Southern California, Los Angeles. He can be reached at firstname.lastname@example.org. Hal Weiner is president of Weiner Consulting Services, LLC, Eugene, Ore. He can be reached at email@example.com.