eWeek provides a great reminder of the dangers of signing up for an electronic health records system stored in a "cloud." Such ASP/SaaS EHR models are attractive to many practices because they offer consistent (though not always lower) monthly fees and require no equipment purchases or installations. However, as eWeek appropriately summarized, choosing an ASP provider should raise quite a few concerns, including:
- Access: who has access to your information (including your patients' protected health information)? How safe is it? Perhaps even more importantly, do you have access to your own information? Each ASP contract must deal with access issues, and clearly state that the provider will always have the right to access its own information stored on remotely hosted servers. Similarly, vendors should warrant that only the necessary personnel will access provider's records, and only in accordance with the scope of the agreement between the parties.
- Storage and disposal: Where is the data actually stored, and what regional or international laws may apply to such information? Also, what happens if the provider ceases to exist? eWeek reminds us that in 2001, "GE Healthcare bought health records provider Encounter EHR and eventually ended up shutting it down - giving records holders 30 days' notice to reclaim their data or lose it. This caused a great number of problems." While such instances are rare, what if the vendor storing your records is acquired by another company? Once again, your contracts should clearly deal with these issues, especially by providing that in the event the vendor is sold or goes out of business, provider has the right to terminate the agreement and the vendor must immediately return all of provider's data in its possession in the format specified by the provider.
- Cost: Does choosing ASP/SaaS model save money? According to eWeek, not necessarily: "Allscripts' MyWay service costs $700 per month per health care provider. GE Healthcare's new Centricity Advance service will cost doctors from $300 to $800 a month. Most client-server software packages are much less expensive."
As mentioned above, all of these issues, and the others identified in the eWeek summary, should be subject ton contract negotiations between the parties. Frequently, ASP vendors use click-wrap license terms and non-negotiable contracts. Healthcare providers should resist the pressure to simply sign such standard forms because failure to negotiate these agreements will expose your organization to very substantial risks with respect to, inter alia, control of and access to data, and privacy and security of the stored PHI.
"Data Storage: Storing Health Records in the Cloud: 10 Reasons Why It's a Bad Idea," eWeek.com (August 17, 2010).