April 2, 2020

The Legal Perspective

Moving to the Cloud
By G. Wythe Michael, Jr.

Over the past several years, many businesses have migrated essential software and business systems from company owned personal computers and servers to the “cloud.” In general, cloud computing refers to a network of remote computer servers hosted on the internet that store, manage, and process data. Typically, third party vendors provide both the software and the data storage capabilities – thereby allowing the business customer to access the information through any internet enabled computer. The healthcare industry is no exception to this trend, with practice groups using cloud-based services for billing, scheduling, medical records, telemedicine and for other uses.

Cloud computing offers several advantages over the traditional hardware/software model. These advantages can include lower costs (no need to purchase and maintain expensive servers or software), flexibility (users can pay for just the right amount of service and quickly make changes) and ease of use (the services can be accessed wherever an internet connection is available).

With these advantages, however, come risks – especially for healthcare providers. Certainly the biggest risk for practice groups using cloud-based services involves data breaches and other violations of HIPAA and the HITECH Act regulations. This is especially important given the numerous changes and requirements addressed in the Omnibus Final Rule issued by the Department of Health and Human Services in January, 2013 (with enforcement beginning effective September 23, 2013).

To address these risks, practice groups desiring to utilize cloud-based services should, as an initial matter, determine whether each vendor is capable of providing the service levels required by the practice and complying with applicable data security standards. This should include, among other things, an assessment of the vendor’s security infrastructure, the location(s) where the data will be stored, the vendor’s disaster recovery plans, the vendor’s service level capacity, the vendor’s financial capabilities, and a review of the vendor’s compliance history. These matters should be addressed during the initial negotiations with the vendor.

Second, practice groups should negotiate protective provisions into the agreement with the vendor. At a minimum, these protections should include the following:

• The agreement should require the vendor to adhere to specific service levels so that the practice group is assured that it will be able to access the services and data when needed.

• The agreement should require strict compliance with HIPAA and other applicable data and privacy security laws.

• The agreement should require the vendor to notify the practice of breaches of PHI and should describe the duties of the parties in the event of a breach.

• The agreement should require the vendor to return the practice’s data in a usable format upon the termination of the agreement.

• The agreement should require the vendor to protect and indemnify the practice for data breaches caused by the vendor.

Given the importance of the services provided, the critical information being stored and the potential risks, practice groups should ensure that their cloud vendors are capable of performing the required services and that the agreement with the vendor contains adequate protections for the practice. Accordingly, a review of the vendor agreement by an experienced attorney will be extremely valuable.


G. Wythe Michael, Jr. is an attorney with the law firm of Goodman, Allen & Filetti. Wythe regularly works with medical, dental and other professional service firms and understands the unique issues impacting these firms and their owners. Call 804-565-6811or visit their website goodmanallen.com