Outsourcing agreements relating to cloud projects in the healthcare sector (eHealth or telemedicine) trigger relevant regulatory and contractual issues.
Based on my experience, the top 5 list of potential issues concerning outsourcing agreements relating to cloud projects in the medical sector are:
1. What data can be collected, and how can it be used?
The Italian data protection authority has addressed this issue with specific guidelines. The main misunderstanding among healthcare companies stems from the attempt to use collected data for any purpose on the basis of the consent obtained from patients at the time of collection. In some cases it is possible to avoid the need for an additional consent when the collected data are used for further purposes, but it is crucial to identify beforehand the purposes for which the collected data are intended and permitted to be used.
An exception to this principle is the processing of anonymised data, which is not subject to any restriction; bear in mind, though, that data linkable to the relevant individual through a code are not deemed anonymous but personal data. This is particularly relevant as a consequence of the adoption of the European General Data Protection Regulation.
2. How can personal data be transferred to non-EEA subcontractors?
The easiest approach is to put in place the "Standard contractual clauses for the transfer of personal data to processors established in third countries", rather than relying on the uncertainties of the Privacy Shield for data transfers to the United States. These clauses are a contractual arrangement obliging the parties to comply with obligations that the European Commission deems to meet European standards, thereby allowing the communication of personal data outside the EU without the need to obtain patients' consent to the transfer. Additionally, in the case of transfers within a group of companies, it is also an option to implement the so-called Binding Corporate Rules. With respect to this issue, it is also important to contractually agree on the location of data centers, as this might have an impact on privacy compliance.
3. Who owns the database in outsourcing agreements?
According to an opinion of the Italian data protection authority, the hospital on whose behalf patients' data are collected shall be the data controller, and the entity actually providing the service shall be a data processor. It is also relevant to contractually agree with the entity managing the cloud database on the ownership of the intellectual property rights in the database, and this issue is even more relevant if the entity requesting the creation of the database contributed its knowledge and skills to its set-up and/or development.
4. What to do in case of data loss?
Given the very sensitive data processed in cloud projects run in the medical sector, it is important to have a disaster recovery plan in case of data loss and, because of the sanctions applicable in case of a data breach, the supplier shall be deemed liable for such losses. It is also likely that outsourcees will be strictly monitored as a consequence of the General Data Protection Regulation.
5. Is there a migration plan applicable in case of termination?
As mentioned here, in order to avoid being forced to keep the same supplier for longer than necessary and to avoid any disruption of the cloud service on termination of the agreement, it is crucial to have in place a migration plan whose duration and obligations on the supplier are adequate to ensure that the migration process under the outsourcing agreement can be performed smoothly.
The issues above are only some of those relevant to cloud projects, but it would be interesting to have your view on them.