Offshore firms are business associates and as such are subject to the HIPAA security rules. As stated in the last posting, HIPAA requires covered entities to conduct a risk analysis. The risk analysis is the foundation for meeting HIPAA compliance. Organizations must account for all PHI regardless of where it is created, received, stored, or transmitted, and regardless of its source or location.
According to the Office of the National Coordinator for Health Information Technology, a security risk analysis is a systematic and ongoing process of both:
• Identifying and examining potential threats and vulnerabilities to protect health information.
• Implementing changes to make patient health information more secure and monitoring the results.
Additionally, the organization must assess the current security measures, identify gaps in the controls, and determine the level of risk. The output should be well documented and reviewed periodically.
Since most organizations cannot assess the risk of offshore BAs directly, how can they ensure the BA is protecting their PHI? The primary way to ensure the BA is providing data security is to require a third-party assessment. One such assessment is the Service Organization Control (SOC) report. Organizations use the SOC 2 report to describe the implementation of availability, integrity, confidentiality, and privacy controls. These types of reports provide covered entities with the information they need to make a risk-based decision on outsourcing offshore.
Regardless of what type of third-party assessment is conducted, make sure the BA uses a recognized methodology for the assessment. Remember that the covered entity must ensure that identified vulnerabilities are mitigated.
James L. Angle
Regional Information Security Officer