This is the first in a series of postings on offshore outsourcing in healthcare. This first posting provides some background, while subsequent posts will address the legal issues, the risks, and ways to mitigate those risks to the extent possible. The underlying understanding must be that, regardless of what actions are taken, the risk cannot be completely eliminated.
First, notice the title does not say offshoring Protected Health Information (PHI). While protecting PHI is critical for healthcare organizations, it is not the only information that requires protection. Healthcare Business Associates (BAs) sometimes offshore other functions that handle data such as Personally Identifiable Information (PII) and payment card data governed by the Payment Card Industry (PCI) standards.
As with other industries, the healthcare industry, largely through its BAs, is increasing the amount of data being offshored. Healthcare organizations offshore functions like claims processing, transcription, administrative work, and call centers for medical support (when you call in for services like "ask a nurse," you may be talking to a nurse in India or the Philippines).
How does HIPAA affect the offshoring of data? Currently, the HIPAA rules are unclear when it comes to offshoring. What is clear is that under the HIPAA Omnibus Rule, business associates and their subcontractors can be held liable for HIPAA compliance.
When a healthcare organization outsources work offshore, it complicates the ability to secure protected information. How does the organization ensure that data shipped offshore is secure? Does the organization even know its data is offshore? One Health Information Manager (HIM) asked what actions should be taken once he found out the transcription service he had contracted with was sending data to India. Nothing in the contract specified where the service would be performed. At this point, what options does the HIM have?
An example of a case where offshoring went wrong: a vendor subcontracted transcription service to a company that in turn subcontracted with another company, which sent the work to Pakistan. The Pakistani medical transcriptionist working with the data threatened to release medical records on the Internet. She withdrew her threat when she was paid hundreds of dollars. This example highlights how risky offshoring can be, particularly when subcontracting chains are not visible to the healthcare organization. On the positive side, there are things a healthcare organization can do to mitigate some of the risks.
Next week I’ll look at some of the legal issues with offshoring in healthcare.
Are you ready to sharpen your skills in cybersecurity to help organizations manage their cyber risk? The NCI is offering programs and courses. Join the world of cyber professionals!
James L. Angle
Regional Information Security Officer