Carolyn Metnick, Michael Sutton, and Lotan Barbaresso of SheppardMullin write:
With technology rapidly evolving and jurisdictions appearing blurred, it is increasingly important to be mindful of data flow and use. This is particularly true where patient data is being accessed by offshore subcontractors.
Simply put, offshoring occurs where a party contracts for services to be rendered, in whole or in part, by another party located outside of the United States and its territories. Within the healthcare industry, offshore contractors are commonly used for claims processing, call center staffing, and technical support, as offshore contractors generally provide cost savings. These activities inherently involve large amounts of patient data.
As healthcare businesses contract with third parties to provide support services, software, and other offerings, particularly where offshore resources will be utilized, it is vital that the parties carefully navigate the interplay of laws, regulations, and guidance, which are complex and often inconsistent, to ensure compliance. This blog post provides a high-level summary of some material considerations applicable to offshoring activities.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations are ordinarily at the forefront of most conversations about the privacy and security of patient data. Interestingly, however, HIPAA does not explicitly prohibit offshoring of patient data. HIPAA does, however, require that regulated entities implement reasonable and appropriate administrative, physical, and technical safeguards to ensure the privacy and security of protected health information,[1] and that business associate agreements are executed where appropriate,[2] among a number of other compliance measures. As a result, regulated parties must take steps to ensure compliance with HIPAA, particularly when using offshore resources, which may present unique privacy and security considerations. Further, offshore companies may not be versed in HIPAA or may not have a HIPAA-compliant infrastructure in place. HIPAA specifically prohibits a covered entity from engaging with a business associate or subcontractor that it knows is not in compliance with HIPAA.[3]
Read more about other legal authorities to be considered, such as Medicare, Medicaid, state authorities, and contractual obligations, at SheppardMullin.
via JDSupra