Software as a Service (SaaS) and Application Service Providers (ASP) — What You Need to Know

In the past few years, the prevalence of cloud-based applications in healthcare has expanded rapidly. But, what is cloud computing and how does it apply to the medical practice and EHRs? For practical purposes, cloud computing describes a situation in which the software you are using and applicable data is accessed via the Internet instead of via programs or data on your computer or local network. A basic non-health IT example of cloud computing would be Gmail or Google Docs. Most EHR vendors now offer Software as a Service (SaaS) or Application Service Provider (ASP) versions of their EHR systems as an alternate to more traditional software solutions. These solutions are appealing to many practices as they reduce the upfront costs and require less sophisticated technical support than their client-server counterparts. If you are considering or currently use a cloud-based EHR solution, consider the following:

  • You will only be able to access the system and your data when connected to the Internet. As such, you should consider having a second alternate access using a different network. For example, if your high speed Internet is provided by a cable company, consider a back-up line from a telecom such as AT&T or a wireless Internet card from a cellular phone carrier like Verizon wireless. While this access may not be as fast as your primary connection, it will provide additional protection should your access go down.
  • The speed of the system will be dependent on your Internet bandwidth. Ensure that your practice has sufficient bandwidth for all of your staff to use the system at the same time with out slowing down substantially. Your EHR vendor or ASP provider should be able to guide you as to how much bandwidth is sufficient.
  • Updates and upgrades are managed by your EHR vendor according to a system upgrade schedule. As a result, they will not be under your control.

When using a cloud-based solution (ASP or SaaS), consider the following:

  • Understand your EHR vendor’s terms of use and data ownership policies. You should own the data for your practice.
  • Understand whether the EHR vendor/service provider has the right to re-purpose de-identified data from your practice for research or sale to other interested parties. Many EHR vendors (especially “free EHRs”) rely on this as a revenue source. This is not necessarily a bad thing; however, you should understand how the data is being used. If the service you are using does re-purpose the data, it is highly recommended that the process used to de-identify the data is clearly described as well as mechanisms used to ensure that personal health information (PHI) is protected. In addition, confirm whether provider/practice identifying information is released. You should also determine whether you will be provided with a detailed description of how your practice’s data has been been used and to whom it has been sold. Ideally you should be able to opt out of the sale/re-use of this data.
  • Establish in your contract what would happen if you were forced or decide to move to a different EHR system. How will the information/data entered by your practice be provided to you and in what format? Make sure the data will be provided in a usable format. Ideally you will want the data to be provided in a format that can be used to populate a new EHR system. As a minimum requirement, patient data should be provided in .pdf format that can be attached as discrete documents in a new EHR.
  • Understand how much it will cost to transfer your data into a new EHR system and which information can be brought over as structured data.
  • Confirm that you will have the ability to extract the data you have entered into the system for your own purposes. For instance, ensure that you can use your data for your own research or for research initiatives in which you decide to participate. You should clearly understand whether there are any restrictions that limit you from exporting your data to third-party registries or similar programs.
  • Ensure that all of the data centers used by the vendor are considered “Business Associates” of your practice and are HIPAA compliant. You do not have to have have separate agreements with the data centers, but the EHR vendor/service provider must have established contracts to ensure that your practice is not violating HIPAA requirements.
  • Remember to double check whether any new features you purchase override any of the terms of your original contract.

For non cloud-based client server users:

  • Even if you are using a local client server solution, you should be aware that some of the functions your practice may be cloud-based. The most common cloud-based add-ons are registry programs and patient portals. These additional services should be subject to the same level of scrutiny as fully cloud-based solutions.

Overall, I believe that cloud-based solutions offer a very effective option for many practices, especially small medical practices. However, ensure that you do your homework.

Have you had experiences using cloud-based EHR systems? If so, add your comments below.

This post is the personal opinion of the author and does not necessarily reflect the official policy or position of the American College of Physicians (ACP). ACP does not endorse a specific EHR brand or product and ACP makes no representations, warranties, or assurances as to the accuracy or completeness of the information provided herein.


2 responses to "Software as a Service (SaaS) and Application Service Providers (ASP) — What You Need to Know"
  • April 12, 2012
    keith pitzele

    The author has made some very good points in the article above. However, under the paragraph that starts with, “When using a cloud-based solution (ASP or SaaS), consider the following:”, the last five items that the author cites does not only apply to SAAS/ASP applications but it applies to client server installs as well.

    • April 13, 2012
      William S. Underwood MPH

      As you point out these items are also applicable to client server applications and I encourage you to get answers to them regardless of the type of system you are looking to purchase. Thanks for the sage comment.

Leave a Reply

Your email address will not be published. Required fields are marked *