Patient data is more valuable than ever. On the black market, a medical record now fetches more than a stolen credit card number, because it cannot simply be cancelled and reissued. At the same time, storing and managing patient data offshore is becoming more common. Most doctors don’t knowingly choose to send electronic protected health information (ePHI) offshore. But today, many U.S. vendors outsource to contractors in foreign countries, and the data ends up stored on offshore servers. The cheaper overhead costs allow vendors to pass the savings to healthcare providers. Unfortunately, those savings may cost you in terms of security. Offshore data management brings as many risks as it does solutions.
Offshoring ePHI: the Concerns
1. Other countries and U.S. Law
The rules and regulations for offshore vendors are both complicated and evolving. Currently, no federal agency expressly prohibits using offshore vendors. Business associates that handle ePHI, whether domestic or foreign, are directly liable under the HIPAA Omnibus Rule and are subject to the same penalties as covered entities. That said, how much do offshore entities even know about U.S. law? Do they know what HIPAA requires? If an offshore company went out of business, would it destroy the ePHI it holds? What would happen to the data?
2. The cost of cheap
The reality is that legal counsel is expensive. Law-abiding offshore entities may obey their own country’s laws. That doesn’t mean they can afford to keep up with the ever-changing U.S. laws pertaining to patient data.
Security is even more expensive. While foreign companies are not always less secure than domestic ones, their security is less transparent: you usually cannot inspect their facilities, review their audit logs, or verify who has physical access to their servers. That opacity is a security risk in itself. Although we can’t physically audit every offshore provider, we do know the following:
- In some countries, governments monitor data held on servers within their borders, and they sometimes seize it.
- A very cheap provider is unlikely to house its servers in a state-of-the-art, high-security facility.
- Some offshore operations are run out of apartments with little or no physical or network security.
3. Who’s liable?
Although offshore vendors fall under HIPAA rules, experts are unsure whether the Office for Civil Rights (OCR) will pursue claims against foreign companies. Erin Whaley, a partner at the law firm Troutman Sanders, suggests that the OCR “probably wouldn’t go after an offshore company unless it was phenomenally egregious. More likely they’d go after the covered entities involved. If they hadn’t appropriately accounted for that in their risk analysis, then it would be they who are on the hook.” In other words, it is still your responsibility as the healthcare provider to ensure data security, and your risk analysis must account for where your vendors keep ePHI. Not knowing may not save you.
How to Avoid Sending Patient Data Offshore
1. Choose Domestic Vendors
Use vendors that operate entirely within the United States. This includes all physical locations, equipment, and people. Look at their third-party contractors, too: your vendors’ contractors also have access to your electronic protected health information, and a domestic vendor with an offshore subcontractor is, in effect, offshoring your data.
2. Interview Your Existing Vendors
No law appears to require vendors to tell you whether they offshore ePHI. But simply by asking, you can often get all the information you need. Here are specific questions to ask any vendor that works with your ePHI:
- Do they send ePHI offshore?
- Do they employ contractors in other countries?
- Do they have equipment such as servers located offshore?
- Do they have staff located offshore?
3. Ask to see their security policy
If a vendor is truly HIPAA compliant, it should be able to show you a written security policy. This is separate from a BAA (Business Associate Agreement). The policy should describe the vendor’s security measures, from how often credentials are rotated to what identification is required for physical access to its servers and where those servers are located. If the vendor can’t produce such a policy, proceed with caution.
4. Negotiate (or renegotiate) your contract
When you sign a contract with a third-party vendor, you can stipulate that offshoring PHI or ePHI is not permitted, including by the vendor’s subcontractors. Include this stipulation in all vendor contracts, including your HIPAA BAA.
5. Report suspicions right away
Investigate any data irregularities promptly. Under the HIPAA Breach Notification Rule, your Business Associate Agreement must require the vendor to notify you of a breach without unreasonable delay, and no later than 60 days after discovering it. As a covered entity, you must then notify the affected individuals, and report the breach to the Secretary of HHS (via OCR) within the same 60-day window for breaches affecting 500 or more individuals, or annually for smaller breaches.
6. Look into Insurance
If, after this review, you are still worried about your own liability, you can look into cyber insurance. This is a relatively new type of insurance and, as such, presents its own complexities. As of this writing, policies vary widely in what they cover, so read the exclusions carefully. But in today’s environment of frequent breaches, it may buy you some peace of mind.