Reviewing and negotiating an IT contract on behalf of a university can be a daunting task. It requires a firm grasp of both technical and legal jargon. In addition, it requires an awareness of the institution’s obligations to comply with various state and Federal laws, especially those relating to the privacy and security of student, employee, patient and customer information. Some examples include the following:
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Fair Credit Reporting Act (FCRA)
Legal compliance with privacy and security laws becomes more challenging when the university cedes some of its internal IT processes to third parties over the Internet, i.e., cloud computing. The institution remains responsible for protecting the data even though a vendor now stores or processes it, so the contract must spell out the vendor’s security, breach-notification and data-handling obligations.
If your institution is considering the cloud computing approach, we suggest you read the article: Cloud vs. Office? The Answer is Not as Clear-cut as You Might Think. Moreover, as part of your contract review and legal due diligence, be certain you can answer WHD Attorney Andrew Schlidt’s questions. If you cannot, you should consider contacting legal counsel to address potential legal compliance risks, including those relating to privacy, security, intellectual property and disaster recovery.
If your institution currently utilizes the cloud, consider an after-the-fact audit to identify processes that may be noncompliant or that otherwise expose the institution to legal risk. We recommend, however, that an internal audit of this nature be planned, conducted and documented with legal counsel, who will be sensitive to the protection of privileged information.