
Unclear HIPAA rules permit healthcare data offshoring … for now

Soon enough, Washington will take on the issues surrounding the offshoring of healthcare data, says technology and security consultant Kevin McDonald.

Over the past decade, much discussion has taken place about the implications of Health Insurance Portability and Accountability Act covered entities and their business associates leveraging cheaper offshore solutions for services such as radiology, transcription and even treatment planning. The issues surrounding the quality of those solutions, data integrity and covered entities sidestepping state staff-licensing requirements are vast, but here we will deal primarily with the HIPAA Security and Privacy Rules and their related civil and criminal implications.

To date, the bottom line has been that the Health Insurance Portability and Accountability Act (HIPAA) rules lack statutory clarity on the issue of offshoring and the myriad privacy and jurisdictional challenges it creates. I do believe, however, that the enforcement of covered entities' (CEs) obligations to ensure their business associates (BAs) properly regard and defend protected health information (PHI) raises regulatory questions about the future legitimacy of offshoring. Now that BAs have regulatory obligations similar to those of CEs, I believe the government will exert pressure on the issue of offshoring.

With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Department of Health and Human Services' (HHS) release of the Final Omnibus Rule on January 17, 2013, the extension of statutory obligations to BAs makes for an interesting twist in offshoring. The Omnibus Rule reaffirmed and strengthened the reach of HHS's Office for Civil Rights (OCR) and the Department of Justice (DOJ) with respect to BAs within the United States and its territories, but it did nothing directly about the offshoring of PHI.

Along with the obligation to comply with the HIPAA rules, HITECH established the associated direct civil and criminal liability of domestic BAs beyond breach of contract. The subsequent publication of the Omnibus Final Rule reinforced these liabilities. Under the Final Rule, the OCR has the power to domestically deal out civil penalties, corrective actions and long-term monitoring, while the DOJ has the power to domestically bring a criminal prosecution. Through enforcement under HITECH, the State attorneys general also have the power to cause pain to U.S.-based companies, because the attorneys general are empowered to bring civil actions in federal district courts on behalf of state residents who have been damaged or whose rights were violated by information breaches.

The State attorneys' general authority, however, is limited to where the federal government is already active: "If the Secretary has instituted an action against a person under subsection (a) with respect to a specific violation of this part, no State attorney General may bring an action under this subsection against the person with respect to such violation during the pendency of that action."

In recent months, the Federal Trade Commission (FTC), through its own rulings, has also laid claim to the State attorneys' general ability to institute fines, monitor and otherwise harass CEs and BAs domestically.

So all of this is well and good, but, in reality, there is no legitimate way for the OCR, the DOJ or the FTC to reach into foreign countries and deal out civil penalties, let alone criminal ones.

Even domestically, the OCR finds it difficult to collect penalties from the likes of Cignet Health of Maryland. In the vast majority of cases, the primary motivation for international firms to comply is only contractual and perhaps reputational, and the rights granted to foreign corporations within the BAs' home countries put limitations on their exposure.

According to a report by the Office of the Inspector General (OIG) released April 2014, the OIG has similar concerns. To quote the OIG: "For example, Medicaid agencies or domestic contractors who send PHI offshore may have limited means of enforcing provisions of BAAs [business associate agreements] that are intended to safeguard PHI. Although some countries may have privacy protections greater than those in the United States, other countries may have limited or no privacy protections to support HIPAA compliance."

I would also argue that international privacy protections may cover only the data of their own citizens. While the OIG report is about Medicaid agencies, which cover a limited -- albeit large -- population, the fact that the OIG raised these concerns means we should be concerned with this for other entities. I predict this thinking about limiting the risk by limiting offshoring will catch on in Washington.

While Medicaid, unlike Medicare, does not require permission from the federal government to transfer information offshore, some states do not allow the offshoring of PHI for Medicaid at all. This complicates the issue. Since the Affordable Care Act, insurers and provider networks have begun to cross state borders through exchanges that involve Medicaid subsidies to patients in states that have these limitations. The OIG report, combined with the FTC reaching into the HIPAA regulatory universe and with states deciding to prohibit Medicaid data from leaving the country, creates potential future problems for those that choose to offshore.

Let me add one more twist to all of this: Outsourced offshore IT, storage and/or software as a service vendors. As we have seen here, the OIG has concerns about the potential for data getting passed offshore. States have placed specific limitations on Medicaid information leaving their states. What about data intentionally or inadvertently sent -- or illegally taken -- offshore through IT support services, datacenter disaster recovery efforts and even load balancing? I know that's an entirely different article, but it's still something to consider here.

I would argue that in the event of a major offshore breach, an enterprising lawyer could use all of this to show a lack of "reasonableness" in the decision to offshore in the first place.


Should we have strict regulations concerning data that is sent outside the U.S.?

We do have strict regulations in place today. If a CE sends e-PHI to an overseas company, then that CE is responsible to make sure there is a BAA in place and the overseas entity is a BA. If the BA is US-based and sends e-PHI overseas to one of its own facilities, it needs to make sure that its employees are trained and adhere to HIPAA policies and procedures. If a US-based BA sends e-PHI to an overseas sub-BA, then the sub-BA needs to have a BAA in place and make sure its employees are trained and policies and procedures are followed.

Whether the US can enforce criminal penalties for an overseas company violating privacy or security is a legal question that pertains to much more than just HIPAA, but there are many contractual requirements that can be enforced and are required of the CE by law in the BAA contracts.

The patients need to give permission; this is a little dirty secret that most Americans are not yet aware of. I don't want my PHI leaving the country.

[Kevin McDonald, the author of this column, asked me to post this response.] @InfoStorSec: The issue is not the regulations or the existence of agreements. The issue is government enforcement that in the vast majority of instances cannot be done internationally. Our OCR has no right or jurisdiction to reach into another country and enforce our federal law. The OIG report essentially points out that having agreements means very little if the entity is beyond the reach of the US government and that the risk of breach grows when offshoring data. The agreement may provide some limited ability to chase down bad actors or otherwise liable BAs in civil claims courts, but there is little to nothing that can be done by the government to enforce the civil and criminal penalties (against the BA) offered under HIPAA/HITECH. From the report: "If Medicaid agencies engage in offshore outsourcing of administrative functions that involve PHI, it could present potential vulnerabilities. For example, Medicaid agencies or domestic contractors that send PHI offshore may have limited means of enforcing provisions of BAAs that are intended to safeguard PHI." I can easily extrapolate this to non-Medicaid agencies, and if the OIG sees this as a problem with federal agencies, why not private organizations? The way to get jurisdiction is to limit the offshoring of the data and services in the first place. I am not a mind reader nor advocating for a change. I only point out the stark inconsistency of knowing there is a problem and yet allowing it to continue in the face of OCR's privacy protection obligations.

Is this 'other article' written? If a U.S. company uses another U.S. company's offshore assets to provide offshore customers services, is that company (or either) bound by HIPAA to protect user data in the same way it is when the users and data are US-resident?

Let's not forget about the US IT jobs going to offshore workers. Offshoring is causing US IT salaries to fall as well.
I have worked in the IT EDI arena for over 15 years and I have serious concerns about healthcare data of any US citizen being sent offshore.
I would bet that the average American has no idea that their PHI and medical data is being sent to offshore companies to analyze and manipulate.