Why do Physicians Send Patient Data Offshore?
Patient data is more valuable than ever. On the black market, it has become more desirable than credit card data. For that reason, the need to protect electronic Protected Health Information (ePHI) is at its peak. As-luck-would-have-it, storing electronic data in other countries is also on the rise. As a result, many healthcare providers are sending patient data offshore.
Most doctors don’t knowingly choose to send ePHI offshore. In fact, most doctors understand the importance of patient privacy and HIPAA laws. But today, many U.S. software vendors outsource to contractors who employ data centers located in foreign countries. The cheaper overhead costs allow vendors to pass the savings to healthcare providers. Unfortunately, the savings may cost in terms of security–offshore data management offers as many risks as it does solutions.
Don’t Worry; It’s in the Cloud.
Like most data, our medical data is ending up “In the Cloud.” But, most of us don’t understand what that means. The National Institute of Standards and Technology (NIST) offers this definition: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.” In layman’s terms, the cloud refers to software, services, and storage that reside on the internet instead of on your local computer.
Cloud computing has many benefits, such as efficiency, data security, mobility, and convenience. Plus, businesses in all industries are flocking to cloud-based solutions because they cost less. Let’s face it; maintaining and monitoring redundant servers and network hardware is expensive. So, software solutions that require the customer to support a local database increase the cost for the end-user. As a result, any software provider looking to reduce costs will have to look into a cloud-based solution. Cloud-based solutions reduce operating costs for both the software provider and the product’s end-user.
The Infrastructure is Going to the Cloud
Did you know that the fastest-growing segment of cloud computing is Infrastructure as a Service (IaaS)? With IaaS, the hardware, storage and network components are also being provisioned and managed over the internet. Estimates predict Iaas will approach $50 billion in revenue in the year 2020. But, even though, in this model, everything is accessed through the internet, the data is stored on physical servers somewhere. And–you guessed it–many times, it’s cheaper to house servers offshore.
Today, software companies are approached daily by vendors in the growing IaaS space. They promise inexpensive solutions with “Global Reach” to domestic developers. Unfortunately, in the healthcare industry, “Global Reach” isn’t always a good thing. It can lead to patient’s ePHI being stored outside of North America and to breaches going unreported.
Offshoring ePHI: the Concerns
1. Other Countries and U.S. Law
The rules and regulations for offshore vendors are both complicated and evolving. Currently, no federal agency seems to prohibit using overseas vendors. Domestic and foreign companies that deal with ePHI are liable under HIPAA’s Omnibus rule and are subject to the same penalties. That said, how much do offshore entities even know about U.S. laws? Do they know about HIPAA? If a foreign company were to go out of business, would they destroy ePHI as required under HIPAA? What would happen to the data?
2. The Cost of Cheap
The reality is, legal counsel is expensive. Law-abiding offshore entities may obey their own country’s set of laws. That doesn’t mean they can afford to keep up with the ever-changing U.S. laws on to patient data.
Security is even more expensive. While foreign companies are not always less secure than domestic ones, their security is less transparent. This lack of transparency raises another set of security risks. But although we can’t physically audit all offshore providers, we do know the following:
- In some countries, governments not only spy on all data, they sometimes confiscate it.
- A very cheap provider is not going to house their servers in a state-of-the-art, high-security facility.
- Some foreign businesses are sweatshops run out of apartments with little to no security.
3. Who’s Liable?
Although offshore vendors fall under HIPAA rules, experts are unsure if the Office of Civil Rights (OCR) will pursue claims against foreign companies. Erin Whaley, a partner at the law firm Troutman Sanders, suggests that the OCR “probably wouldn’t go after an offshore company unless it was phenomenally egregious. More likely, they’d go after the covered entities involved. If they hadn’t appropriately accounted for that in their risk analysis, then it would be they who are on the hook.” In other words, again, it’s your responsibility as the healthcare provider to ensure data security. Not being aware of the risk, will probably not save you.
How to Avoid Sending Patient Data Offshore
1. Choose Domestic Vendors
Use vendors that work within the United States. Make sure all physical locations, equipment, and people are local. Take a look at their third-party contractors, too. Remember that your vendors’ contractors sometimes have access to your electronic protected health information.
2. Interview Your Existing Vendors
There does not appear to be any laws requiring vendors to tell you if they offshore ePHI. But, just by asking questions, you can sometimes get all the information you need. Here are specific questions to ask any vendor that works with your ePHI:
- Do they send patient data offshore?
- Are their contractors located in other countries?
- Are their servers located offshore?
- Is their staff located offshore?
3. Ask to See their Security Policy
If a vendor is truly HIPAA compliant, they should be able to show you an excellent security policy. This HIPAA policy is separate from a BAA (Business Associate Agreement). It describes all security measures from how often they change passwords to what kind of I.D. is needed when accessing their servers. If they can’t show you this, proceed with caution.
4. Negotiate (or Renegotiate) Your Contract
When you sign a contract with a third-party vendor, you can stipulate that you do not allow offshoring PHI or ePHI. Include this stipulation into all vendor contracts, including your HIPAA BAA.
5. Report Suspicions Right Away
Be proactive with any data irregularities. Your Business Associate Agreement requires that your vendor notify you of any data breaches right away. And, as a covered entity, you must call the OCR to investigate any violations as soon as they occur.
6. Look into Insurance
If, after review, you are still worried about your liability when sending patient data offshore, then you can look into cyber insurance. This new type of coverage presents its own set of complexities. As of this writing, each policy varies widely in what it covers; therefore, research is essential. If you are unable to keep patient data in the United States, a cyber policy may buy you some peace of mind.
How ReminderCall Keeps Your Data Local
The ReminderCall appointment reminder service is committed to satisfying the challenging requirements of our industry. Our Morgan Hill, CA headquarters, and United States data centers are hard at work, ensuring the integrity of your patients’ data. We understand the importance of following the rules and the value of being a trusted partner. To learn more, try our instant demo!