
nathans
Aged Yak Warrior

938 Posts

Posted - 2006-01-06 : 13:10:13
Yo,
Get this. A friend has recently been venting to me about troubles brewing between her organization and a 3rd party (3P) software vendor. She has spent 18 months implementing this 3P software suite assisted by the 3P-provided consultants. She recently had the need to pull some custom reports from the 3P-created database that the software suite could not provide.

This 3P suite is basically a front-end used for data entry of medical information. The organization is a hospital and they have limited IT know-how on hand, so they are reliant upon these 3P-provided consultants for advice. She only called me after learning that the 3P company basically had her hog-tied. Read on.

Of course they were not happy with the custom reporting idea and were quick to tell her that all of the 3P db objects were encrypted and further, it was illegal for her to directly query their tables.

The 3P company went on to tell her that the backups she set up to run on this database were in violation. The 3P company asserts that they "own" that data and have only licensed it to her organization for 1 year. If she wishes to persist the data beyond the 1 year she must pay the company a "storage fee." (To store the data in HER database!)

Fine, I can understand that the company wants to protect their product, but I don't agree that they should be able to control her backup methodology or charge her to "store" data (inputted through the app by her employees) beyond 1 year.

Is this legal? Can they hijack the SQL server like this? The hospital owns the server and the SQL licenses. Should they not be able to pull a daily backup of their database or run Reporting Services against it?

Any info or resources regarding this matter are greatly appreciated. Nothing pisses me off more than to hear of consultants ripping off non-technical organizations like this. Especially non-profit community hospitals.

Thanks


Nathan Skerl

nr
SQLTeam MVY

12543 Posts

Posted - 2006-01-06 : 13:39:00
It will all depend on the terms of the contract.
>> The 3P company assert that they "own" that data and have only licensed it to her organization for 1 year.
That's quite possible - but "storage fee" is an odd term, it's usually called a licence.

>> the backups she setup to run on this database were in violation
That's a bit surprising - it implies that the contract includes server maintenance. Whatever the case, it should be explicitly stated in the contract who is responsible for the server. If your friend's company is responsible then the backups would be part of that and it would be difficult to argue otherwise.

As to running reports against the data - that could also be a difficult one. The database structure and such has been developed by the 3P and if they don't provide an access method for external systems then what your friend is doing is a bit dubious.
Note that they could restructure the database with an upgrade at any time and wreck the reports.

Sounds a bit like the relationship has broken down and your friend should think about replacing the system asap - under a contract where the system is built for them and they own everything delivered.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.

JimL
SQL Slinging Yak Ranger

1537 Posts

Posted - 2006-01-06 : 14:45:29
Whoa, whoa, whoa, you said "medical information". Like in medical records?
And the organization cannot get at them or back them up?
This is against federal LAW!!! In all medical record keeping in the U.S. the medical service provider must maintain direct control over medical records and they cannot be released to any 3rd party without written consent of the patient.

Jim
Users <> Logic

mcrowley
Aged Yak Warrior

771 Posts

Posted - 2006-01-06 : 14:54:21
I think JimL is right. Medical records in America are a very big security hassle. Have your hospital's lawyer peruse the contract, and see if there is anything to worry about in there. Then change vendors as soon as possible. Bullying the customer is simply not acceptable.

mcrowley
Aged Yak Warrior

771 Posts

Posted - 2006-01-06 : 14:58:02
From http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAAlawdetail.pdf

"WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
"SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part--
"(1) uses or causes to be used a unique health identifier;
"(2) obtains individually identifiable health information relating to an individual; or
"(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).
"(b) PENALTIES.--A person described in subsection (a) shall--
"(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
"(2) if the offense is committed under false pretenses, be fined not more than
$100,000, imprisoned not more than 5 years, or both; and
"(3) if the offense is committed with intent to sell, transfer, or use individually
identifiable health information for commercial advantage, personal gain, or malicious
harm, be fined not more than $250,000, imprisoned not more than 10 years, or
both.

nathans
Aged Yak Warrior

938 Posts

Posted - 2006-01-06 : 16:00:10
>> "Like in medical records?"
Yes: patient care plans, doctors orders, prescriptions, nursing notes, etc.

>> "... the organization cannot get at them or back them up?"
They cannot directly access the data. They can have them backed up but only by purchasing additional licensing options. When she asked how the vendor would comply with the various HIPAA requirements of backing up medical records for a specified amount of time they replied that she "would have to purchase a data storage extension as the software suite they purchased would only persist data for a period of 1 year." Persist data!? Wtf, is the app going to delete the records if they don't comply?


It seems to me that this is an attempt by the vendor to lock this unaware hospital into a slave contract. And thus far the hospital has put up no resistance to this type of treatment (they do not know any better). When I questioned why she could not query the data directly, independently from the app, this snowball began.

I think if the hospital's lawyer questioned these practices the vendor would quickly change their tune. It definitely sounds (and feels) very illegal.


I really appreciate all the info guys. It's really too bad all consultants are not as selfless and ethical as the SQLTeam community.


Nathan Skerl

Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)

7020 Posts

Posted - 2006-01-06 : 20:00:48
>>"were quick to tell her that all of the 3P db objects were encrypted"

It is possible, but I doubt that the data is encrypted. It is probably only SQL Server encryption of procs, views, and functions. That is easily cracked with freeware utilities available on the web. Google is your friend.


>>"it was illegal for her to directly query their tables."

I doubt that it is "illegal" to directly query their tables. It may violate some software license contract, but that makes it a civil matter. As a practical matter, it's kind of hard to prove.


>>"The 3P company went on to tell her that the backups she setup to run on this database were in violation. The 3P company assert that they "own" that data and have only licensed it to her organization for 1 year. If she wishes to persist the data beyond the 1 year she must pay the company a "storage fee."

I find it hard to believe that they could assert ownership of the data input by the hospital. This attitude is all the more reason to set up backups.

I think backups would be covered as a standard practice for proper safekeeping of data, the hospital is required to do this for patient safety, and not doing backups would be reckless and expose the hospital to liability.


This may just be consultants with a vested interest in locking in a continuing stream of fees talking. The hospital and a lawyer should look at the contract closely and decide for themselves what they are bound to. And then get the meanest, flesh-eating lawyer they can find to do a number on the 3P vendor.
CODO ERGO SUM

eyechart
Master Smack Fu Yak Hacker

3575 Posts

Posted - 2006-01-06 : 20:59:25
This sounds a little crazy. Are you sure that your friend has the story completely correct?

I am aware of some software packages that specifically state that you cannot reverse engineer the schema or procs or whatnot with tools like ERwin or data architect. But I have never heard of any software company that stated that they own the data contained in the database. That actually would open them up to quite a bit of liability.



-ec

Kristen
Test

22859 Posts

Posted - 2006-01-06 : 21:18:33
"They cannot directly access the data"

Reminds me of when we first moved from "proprietary home grown ISAM files" to "SQL": we convened a meeting of our biggest customers (which in those days were Times/Fortune top 25 companies) to get a consensus on what they wanted, seeing as we knew diddly-squat about this newfangled "open systems" thingie.

So I kicked off with "What is your definition of Open Systems" and the IT guy from one of the clients replied "Oh that's easy: It's a proprietary system we buy from Oracle"

Kristen

eyechart
Master Smack Fu Yak Hacker

3575 Posts

Posted - 2006-01-06 : 22:59:57
quote:
Originally posted by Kristen

So I kicked off with "What is your definition of Open Systems" and the IT guy from one of the clients replied "Oh that's easy: It's a proprietary system we buy from Oracle"

Kristen



you go way back then :)

Oracle truly was a money saving solution back in the day when you compare its capabilities to the competition at the time - IBM System/R running on a mainframe. Open systems back in the day meant Unix machines. I think Oracle only ran on the PDP-11 for the first few releases, and then was ported to C and made "portable" so it could run on Unix and VAX and even the lowly PC.

It is funny to see that today Oracle has taken the place of the "mainframe" and now there are several much lower cost solutions with much of the same features and capability. They are now battling the same issues that IBM must have been faced with when Oracle was the new kid on the block.


-ec

Kristen
Test

22859 Posts

Posted - 2006-01-07 : 06:17:17
"you go way back then"

You say the nicest things

Kristen

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2006-01-07 : 08:05:20
LOL Kristen

quote:

I think if the hospital's lawyer questioned these practices the vendor would quickly change their tune. It definitely sounds (and feels) very illegal.



Totally agree. I very rarely say this... but, time to send in the lawyers!
Damian
"A foolish consistency is the hobgoblin of little minds." - Emerson

Kristen
Test

22859 Posts

Posted - 2006-01-07 : 10:16:31
As the saying goes - if you need to get the contract out to read it then the relationship is in trouble.

Kristen