Unclear HIPAA rules permit healthcare data offshoring … for now

Soon enough, Washington will take on the issues surrounding the offshoring of healthcare data, says technology and security consultant Kevin McDonald.

Over the past decade, much discussion has taken place about the implications of Health Information Portability and Accountability Act covered entities and their business associates leveraging cheaper offshore solutions for services such as radiology, transcription and even treatment planning. The issues surrounding the solutions' quality, data integrity and covered entities sidestepping state staff-licensing requirements are vast, but here we are going to deal primarily with HIPAA Security and Privacy and the related civil and criminal implications.

To date, the bottom line has been that the Health Information Portability and Accountability Act (HIPAA) rules lack statutory clarity in regard to the issue of offshoring and the myriad of privacy and jurisdictional challenges offshoring creates. I do believe, however, the enforcement of covered entities' (CEs) obligations to ensure their business associates (BAs) properly regard and defend Protected Health Information (PHI) raises regulatory questions about the future legitimacy of offshoring. Now that BAs have regulatory obligations similar to those of CEs, I believe the government will exert pressure around the issue of offshoring.

With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Department of Health and Human Services' (HHS) release of the Final Omnibus Rule on January 17, 2013, the extension of statutory obligation to BAs makes for an interesting twist in offshoring. The Omnibus Rule reaffirmed and strengthened the reach of HHS's Office of Civil Rights (OCR) and Department of Justice (DOJ) with respect to BAs within the United States and its territories, but it did nothing to directly address the offshoring of PHI.

Along with the obligation to comply with HIPAA rules, HITECH instated the associated direct civil and criminal liability of domestic BAs beyond breach of contract. The subsequent publication of the Omnibus Final Rule reinforced these. Under the Final Rule, the OCR has the power to domestically deal out civil penalties, corrective actions and long-term monitoring, while the DOJ has the power to domestically deliver a criminal prosecution. Through enforcement under HITECH, the state attorneys general also have the power to cause pain to U.S.-based companies, because the attorneys general are empowered to bring civil actions in federal district courts for state residents who have been damaged or whose rights were violated by information breaches.

The state attorneys general's authority, however, is limited to where the federal government is not already active: "If the Secretary has instituted an action against a person under subsection (a) with respect to a specific violation of this part, no State attorney General may bring an action under this subsection against the person with respect to such violation during the pendency of that action."

In recent months, the Federal Trade Commission (FTC), through its own rulings, has also laid claim to the state attorneys general's ability to institute fines, monitor and otherwise harass CEs and BAs domestically.

So all of this is well and good, but, in reality, there is no legitimate way for the OCR, the DOJ or the FTC to reach into foreign countries and deal out civil penalties -- much less criminal ones.

Even domestically, the OCR finds it difficult to collect penalties from the likes of Cignet Health of Maryland. In the vast majority of cases, the primary motivation for international firms to comply is only contractual and may be reputational, and the rights given to foreign corporations within the BAs' home country put limitations on their exposure.

According to a report by the Office of the Inspector General (OIG) released in April 2014, the OIG has similar concerns. To quote the OIG: "For example, Medicaid agencies or domestic contractors who send PHI offshore may have limited means of enforcing provisions of BAAs [business associate agreements] that are intended to safeguard PHI. Although some countries may have privacy protections greater than those in the United States, other countries may have limited or no privacy protections to support HIPAA compliance."

I would also argue that international privacy protections may cover only the data of their own citizens. While the OIG report is about Medicaid agencies, which cover a limited -- albeit large -- population, the fact that the OIG raised these concerns means we should be concerned with this for other entities. I predict this thinking about limiting the risk by limiting offshoring will catch on in Washington.

While Medicaid, unlike Medicare, does not require permission from the federal government to transfer information offshore, some states do not allow the offshoring of PHI for Medicaid at all. This complicates the issue. Since the Affordable Care Act, insurers and provider networks began to cross state borders through exchanges that involve Medicaid subsidies to patients in states that have these limitations. The OIG report, combined with the FTC reaching into the HIPAA regulatory universe and with states deciding to prohibit Medicaid data from leaving the country, creates potential future problems for those that choose to offshore.

Let me add one more twist to all of this: outsourced offshore IT, storage and/or software-as-a-service vendors. As we have seen here, the OIG has concerns about the potential for data getting passed offshore. States have placed specific limitations on Medicaid information leaving their states. What about data intentionally or inadvertently sent -- or illegally taken -- offshore through IT support services, datacenter disaster recovery efforts and even load balancing? I know that's an entirely different article, but it's still something to consider here.

I would argue that in the event of a major offshore breach, an enterprising lawyer could use all of this to show a lack of "reasonableness" in the decision to offshore in the first place.
