Offshoring Private Health Information
Do you know how your EMR, EHR, or other vendors handle your patient information? Here’s why your data may be less protected than you think—and why the liability may rest with you.
Electronic Medical Records (EMR) and Electronic Health Records (HER) systems include many built-in privacy and security features, including passwords, screen time-outs, encryption. When you search for a system vendor, you probably know the importance of such features. After all, guarding Protected Health Information (PHI) is key to remaining HIPAA compliant and avoiding costly violations.
What you may not know is whether a vendor uses third-party services—such as data storage—located overseas, a concept known as offshoring. Why does it matter? If your practice contracts with a company that offshores data, your patients’ private health information could end up outside a locked system.
Not surprisingly, there is no guarantee that personnel located offshore will have the proper expertise or training necessary to comply with US health care privacy rules. Also, U.S. companies will find it difficult and costly to monitor offshore activities and ensure their compliance with business associate agreements (BAAs) and other privacy and security requirements. Furthermore, offshore parties may not be subject to US laws– even if the contract requires compliance– and their own country may not compel them to comply with U.S. legal requirements. If you think this sounds like the recipe for a potential HIPAA violation, you are correct.
The Laws Surrounding Offshoring
You might wonder: don’t laws exist to protect you from liability, especially if you’re unaware of the offshoring? Or at a minimum, does the law give you tools to determine if their contractors are offshoring?
The short answer is no. Currently, there are no laws that require vendors who offshore data to disclose it. Federal laws don’t prohibit the offshoring of PHI as long as the standard HIPAA requirements are met.
However, while there are no explicit laws or requirements, there has been some guidance. The Centers for Medicare and Medicaid Services (CMS) has provided questions that should be asked when dealing with offshoring:
- Are policies/procedures in place to ensure that PHI and other personal data stays secure?
- Is unnecessary offshore access to PHI prohibited?
- Can the offshore activities be terminated immediately upon discovery of a significant breach? (CMS does not “require that such termination rights necessarily be exercised”)
- How and how often will audits be conducted? (CMS “appears to recommend annual audits”).
CMS has also imposed limited demands on the health plans it regulates regarding offshoring. It has been requiring collection and reporting of information regarding offshoring of their health care providers, vendors and other subcontractors. According to CMS, reported information includes:
- all contractors and subcontractors that engage in Offshore Activities involving PHI
- the type(s) of PHI provided to the offshore contractor
- the functions that the contractor performs offshore that involve PHI
- whether Offshore Activities involving PHI are necessary, and whether alternatives to those Offshore Activities were considered
- the contracting arrangement’s safeguards to protect PHI, and provisions for audits of the offshore contractors’ compliance with those safeguards
CMS recommends that health plans conduct desk audits (i.e., offsite audits) of their offshore contractors’ activities. CMS requires Medicare Fee-for-Service (FFS) contractors to report privacy breaches within 30 days of discovery. This is due to CMS not requiring reports of privacy breaches from these entities. But CMS itself will not pursue offshore HIPAA violations, the Office of Civil Rights (OCR), as part of the Department of Health and Human Services, fulfills that role.
Offshoring is still a relatively new and untested field in the U.S. So, there is not much information about what OCR will do when faced with violations. Experts say that OCR will not pursue the foreign companies after a breach since OCR does not have any authority outside the US. Thus, the risks are all on the provider for any possible violations, even if their facility is HIPAA-compliant.
Protecting PHI in Your EHR
As a rule, it’s important to know as much about your vendors as you can. Read your contracts closely– or hire specialized healthcare attorneys who know what to look for. If your current EHR company offshores data or uses offshore resources that may touch your data, you’ll want to dig deeper to find out what policies they have in place around that practice and make sure the policies are documented and incorporated into all of your vendor agreements, including your BAA.
But as we mentioned earlier, it can be difficult to monitor offshore companies to know if they are complying with the BAA and other privacy and security requirements. If you’re shopping for a new EHR, know that there are companies who don’t offshore their data! Choosing a domestic vendor who only contracts with other domestic third-party vendors can save you some worry. No matter what EHR/EMR company you work with, be sure to have a BAA and develop comprehensive HIPAA policies and procedures for your practice minimize your liability.
In addition to helping you meet HIPAA requirements, Jackson LLP can review and negotiate your vendor, employment, real estate, or other business contracts to ensure they protect your interests and don’t contain hidden traps. Schedule a complimentary phone consultation to learn more.