Coming to terms with Software as a Service agreements for long-term care
According to a 2017 survey, nearly 88% of healthcare organizations use Software as a Service (SaaS) products. Thus, most long-term care providers are familiar with SaaS agreements, even if they do not recognize them by name.
For instance, long-term care providers typically enter into SaaS agreements when implementing electronic medical records software or when contracting for certain human resources and payroll functions. SaaS arrangements are distinguishable from traditional software licensing arrangements because the software is made available through a website, rather than being installed on the provider's computer system. SaaS providers charge service fees on a recurring periodic basis, instead of charging a large upfront fee.
Like most traditional software licensing agreements, SaaS agreements are generally written with the software provider's — not the customer's — best interests in mind. And depending upon the size of the organization, it may be difficult to negotiate the SaaS provider's terms. Smaller long-term care providers may have the bargaining power only to negotiate the contract duration, while larger providers typically engage in the extensive negotiation of risk allocation provisions, such as limitation of liability, indemnification, and service standards.
No matter where your organization falls on this size spectrum, all long-term care providers should understand the following key terms in their SaaS agreements. Each of these key terms can present significant risks if not negotiated or, at a minimum, understood.• HIPAA. When a nursing home enters into a SaaS agreement, it is imperative to consider whether the SaaS provider has access to residents' protected health information, and is, therefore, a “business associate” under the Health Insurance Portability and Accountability Act, commonly known as HIPAA.
If the SaaS provider is a business associate, HIPAA requires the parties to enter into a HIPAA compliant business associate agreement. HIPAA also requires the long-term care provider to consider the arrangement in its periodic risk assessments. Failing to do so (or relying on a SaaS provider's incorrect claims that it is not a business associate) could be a costly mistake.
Although the terms above are common, SaaS agreements vary between vendors and each will have unique risks, depending upon the parties and circumstances involved. Thus, while this article provides general guidelines, it cannot be used as a definitive source to answer all legal or business questions about a specific SaaS agreement. Long-term care providers should consider engaging a qualified healthcare attorney to answer their specific questions about SaaS agreements.
 HIMSS Analytics, 2017 Essentials Brief: Cloud, http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwiz78alxunYAhVRS6wKHRjUDcYQFggsMAA&url=http%3A%2F%2Fwww.himssanalytics.org%2Fsites%2Fhimssanalytics%2Ffiles%2FCloud%2520Study_2017%2520Snapshot.pdf&usg=AOvVaw2lEFQThuZrsiQoYCYW_k-o (last visited February 15, 2018)
 Guidance on HIPAA & Cloud Computing, Department of Health and Human Services (June 16, 2017), https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.
 45 CFR 164.504(e).
 45 CFR 164.308(a)(1)(ii)(A). See also, $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis, Department of Health and Human Services (December 14, 2015), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/university-of-washington-medicine/index.html.
 Id. See also, Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million, Department of Health and Human Services (August 4, 2016), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ahcn/index.html.
Andrea Lee (@AndreaLeeAtt) is a healthcare attorney at Honigman Miller Schwartz and Cohn LLP.
DISCLAIMER: The views expressed in this article are my own and do not represent those of my employer. This article was created for informational purposes only, does not constitute legal advice and does not create an attorney-client relationship.