Offshoring Private Health Information

Do you know how your EMR, EHR, or other vendors handle your patient information? Here’s why your data may be less protected than you think — and why the liability may rest with you.

Electronic Medical Records (EMR) and Electronic Health Records (EHR) systems include many built-in privacy and security features, including passwords, screen time-outs, and encryption. When you search for a system vendor, you probably know the importance of such features. After all, guarding Protected Health Information (PHI) is key to remaining HIPAA compliant and avoiding costly violations.

What you may not know is whether a vendor uses third-party services—such as data storage—located overseas, a concept known as offshoring. Why does it matter? If your practice contracts with a company that offshores data, your patients’ private health information could end up outside a locked system.

Offshoring Risks

Not surprisingly, there is no guarantee that offshore personnel will have the proper expertise or training necessary to comply with US healthcare privacy rules. Also, US companies will find it difficult and costly to monitor offshore activities and ensure their compliance with business associate agreements (BAAs) and other privacy and security requirements. Furthermore, offshore parties may not be subject to US laws– even if the contract requires compliance– and their own country may not compel them to comply with US legal requirements. If you think this sounds like the recipe for a potential HIPAA violation, you are correct.

The Laws Surrounding Offshoring

You might assume that laws exist to protect you from liability, especially if you’re unaware of the offshoring. Or you may think that, at a minimum, the laws give you tools to determine if their contractors are offshoring.

Unfortunately, no laws require vendors who offshore data to disclose it. Federal laws don’t prohibit the offshoring of PHI as long as the standard HIPAA requirements are met.

However, while there are no explicit laws or requirements, there has been some guidance. The Centers for Medicare and Medicaid Services (CMS) has provided questions to ask when dealing with offshoring:

1. Are policies/procedures in place to ensure that PHI and other personal data stay secure?
2. Is unnecessary offshore access to PHI prohibited?
3. Can the offshore activities be terminated immediately upon discovery of a significant breach? (CMS does not “require that such termination rights necessarily be exercised”)
4. How and how often will audits be conducted? (CMS “appears to recommend annual audits”).

CMS has also imposed limited demands on the health plans it regulates regarding offshoring. It has been requiring the collection and reporting of information regarding the offshoring of their health care providers, vendors, and other subcontractors. According to CMS, reported information includes:

• all contractors and subcontractors that engage in Offshore Activities involving PHI
• the type(s) of PHI provided to the offshore contractor
• the functions that the contractor performs offshore that involve PHI
• whether Offshore Activities involving PHI are necessary and whether alternatives to those Offshore Activities were considered
• the contracting arrangement’s safeguards to protect PHI, and provisions for audits of the offshore contractors’ compliance with those safeguards

CMS recommends that health plans conduct desk audits (i.e., offsite audits) of their offshore contractors’ activities. In addition, CMS requires Medicare Fee-for-Service (FFS) contractors to report privacy breaches within 30 days of discovery. This is due to CMS not requiring reports of privacy breaches from these entities. But CMS itself will not pursue offshore HIPAA violations; the Office of Civil Rights (OCR), as part of the Department of Health and Human Services, fulfills that role.

Offshoring is still a relatively new and untested field in the US. So, there is not much information about what OCR will do when faced with violations. Experts say that OCR will not pursue foreign companies after a breach since OCR does not have any authority outside the US. Thus, the risks are all on the provider for any possible violations, even if their facility is HIPAA-compliant.

Protecting PHI in Your EHR

As a rule, it’s essential to know as much about your vendors as possible. Read your contracts closely– or hire experienced healthcare attorneys who know what to look for. If your current EHR company offshores data or uses offshore resources that may touch your data, you’ll want to dig deeper to find out what policies they have in place around that practice. Make sure to document those policies and incorporate them into all of your vendor agreements, including your BAA.

But as we mentioned earlier, it can be challenging to monitor offshore companies to know if they comply with the BAA and other privacy and security requirements. If you’re shopping for a new EHR, know that there are companies that don’t offshore their data! Choosing a domestic vendor who only contracts with other domestic third-party vendors can save you some worry. No matter what EHR/EMR company you work with, be sure to have a BAA and develop comprehensive HIPAA policies and procedures for your practice to minimize your liability.

In addition to helping you meet HIPAA requirements, Jackson LLP can review and negotiate your vendor, employment, real estate, or other business contracts to ensure they protect your interests and don’t contain hidden traps. If you’re in one of the states where we have licensed attorneys, schedule a complimentary phone consultation to learn more.

This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.