Avoiding the financial and compliance risks of cloud computing

Two of the scariest words in the healthcare cloud computing lexicon: Access denied.  

When your data resides on someone else’s servers, plenty can go wrong. And HIPAA isn’t necessarily the worst of it. 

Take Full Circle Health Care, for instance. The 10-person practice in Presque Isle, Maine with approximately 3,500 patients, tried accessing hosted patient records only to find that its EHR host, CompuGroup Medical (CMG), had blocked access over a payment dispute.

What happened at Full Circle could literally happen to just about any healthcare organization that subscribes to cloud-based EHR services.

Scary misappropriations

After CMG acquired Full Circle's former EHR service provider, HealthPort, the monthly subscription fees increased from an average cost of $300 to $600 to $2,000 per month without any substantial change to the previous services Full Circle received from HealthPort. Grover said CMG ignored their requests for itemized invoices and were even charged for hardware that was never delivered.

After attempting to reconcile the dispute for two years without redress of any kind from CMG, Full Circle barred CMG from accessing its checking account for payment and signed on with another EHR vendor, athenahealth. CMG in retaliation denied access to patient records while continuing to send out invoices adding a 29 percent surcharge for overdue payments.

While the David and Goliath battle continues between a worldwide health company with revenues of $700 million versus Full Circle Health Care, a privately-owned family practice and occupational health center in rural Maine, experts are weighing in with advice on how other practices can avoid the same fate, no matter what circumstances lead to a practice's inability to access their patient EHRs.

Healthcare Finance News asked Dianne J. Bourque, a healthcare attorney at Mintz Levin in Boston, 'absent a dispute, what happens if an EHR provider goes bankrupt and disappears?'

"The outcome might be the same,” Bourque answered. “Scary.”

In addition to not having access to patient data, the situation unleashes a raft of legal, financial, regulatory questions that providers need to answer immediately. Can the vendor be trusted to continue protecting the information in accordance with HIPAA? To what degree is the provider responsible should a breach occur? What are the other risks we need to address now?

Of course, Bourque doesn't leave it at that. She advises that a contract's termination and dispute resolution provisions should state that under no circumstances will data be withheld, and that the contract should also reiterate the requirements of HIPAA and the Business Associates Agreement (BAA). If the medical records company has access to the practice's medical records, for instance, it should have signed a HIPAA BAA, under which it has obligations to ensure the availability to the practice of the PHI to which it has been entrusted.

While CMG has a right to be paid for its services, Bourque suggested that the parties might use an escrow arrangement, where payment or even data is escrowed pending resolution of a dispute so that the company is not compelled to resort to something as drastic as locking the EHR.

Meanwhile, Benjamin Wright, an attorney and instructor on "Law of Data Security" at the SANS Institute says that a well-written contract in favor of the medical practice would say that the vendor may never deny the customer access to its data.

If for whatever reason a provider finds itself in a similar situation to Full Circle, Wright suggested that "friends" of the medical practice might step in to help bring the EHR party to the negotiating table. Those friends might include local municipal/county government, the state medical association or a national group like the American Medical Association. 

The publicity is not good for the EHR vendor, Wright added, and could pressure them to be more flexible. “The publicity is also not good for the EHR vendor community as a whole,” she said. 

CompuGroup declined an interview request, only saying in an email: "Regarding the questions you posed, there are no comments at this time."

Practicable advice

Beyond publicity there are federal provisions that address continued access to data in case of a dispute, transition to another EHR vendor or termination of a contract, noted Shruthi Parakkal, a health research analyst at Frost & Sullivan.

Parakkal advised practices to be thorough when the original contract is drawn up. A good contract should include the nomination of a third party for mediation and arbitration. 

If a practice is unsure of the viability of the contract they can ask the Office of Civil Rights within HHS to perform audits on the HIPAA BAA as they are authorized to hold the parties involved in contract accountable in case of any discrepancies.

In the meantime, despite the recent publicity over Full Circle's situation, the practice’s CEO E. Victoria Grover said CMG has not softened its position. Grover added that Full Circle is in the process of reconstructing the medical records. Although the task may seem herculean even for a smaller practice with 3,500 patients, the provider is recreating the electronic record by getting the old paper charts out of storage and transferring pertinent data to athenahealth’s EHR service. All patients' local pharmacies are also being contacted and the pharmacies are sending prescription records for the last six months.

Full Circle currently has access to all labs drawn in its office for the last two years and employees are contacting local hospitals for copies of imaging reports, discharge summaries, ER reports or consultations from the last year.

"Since I started working as a Physicians Assistant in this area in 1981, I've taken the time to make sure my patients' understand their own health history,” Grover said. “Since they are accustomed to being active participants in their own healthcare, they willingly help me recreate their historical record.”

After plunking down nearly $75,000 for its EHR, CEO Grover can only lament: "Never in my wildest dreams did I think CompuGroup would hold those records hostage."

Yet, with 70 percent of all healthcare providers depending on outside vendors, unless these practices take care before they sign a contract, there may be many more providers singing the same sad song.