When a healthcare organization makes the decision to outsource a service offshore and the service includes offshoring PHI, what are the legal obligations? The first thing the organization should do is identify all of the state and federal laws related to the offshoring of PHI. For example, some states restrict the offshoring of Medicaid data. Other states are trying to pass laws restricting offshore activities, so check before you offshore. This is even more important for healthcare organizations that span multiple states.
Once the determination is made that it is legal for the type of data to be offshored, there are many other considerations. First, look at the privacy and security laws of the country where the data will be offshored. Some countries have very weak privacy laws or laws that are not enforced. Second, is there a Business Associate Agreement (BAA), and does the BAA spell out the data privacy and security requirements? The Business Associate (BA) must know that when they sign the BAA they are assuming the data privacy and security responsibilities of the covered entity.
Obtaining a BAA does not relieve the covered entity of responsibility, particularly if the BA is not a U.S.-based company. The covered entity is required by HIPAA 164.308(a)(1)(ii)(A) to conduct an accurate and thorough assessment of the potential risk and by 164.308(a)(1)(ii)(B) to implement security measures sufficient to reduce risks. The BA assumes this requirement when they sign the BAA. The only way for the covered entity to know if the BA has the required security in place is either by assessing the BA’s security measures to ensure they are sufficient to reduce the risk or by relying on a third-party security assessment.
The bottom line is that when offshoring PHI the covered entity must include all requirements in the BAA and ensure they are enforced. The covered entity must ensure they know where their data is stored, transmitted, and processed. The security in place must be the same as, or more stringent than, the covered entity’s own. Lastly, the BA’s security measures must be reassessed periodically to ensure they are still in place and functioning as intended.
James L. Angle
Regional Information Security Officer