Senior Communications Manager
Kirk Nahra Discusses HIPAA Compliance Questions Involving Offshore Vendors
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice, was quoted in a HealthcareInfoSecurity article today about enforcement questions involving the offshore business associates of U.S. companies that must begin complying with new federal health privacy regulations next month.
Health care providers and insurance companies, known as covered entities (CEs), are subject to the Health Insurance Portability and Accountability Act (HIPAA) omnibus rule scheduled to take effect on September 23. Covered entities’ business associates (BAs) and subcontractors also will have to comply with certain privacy requirements.
While noncompliance could lead to penalties of up to $1.5 million per violation, health care organizations are questioning whether offshore BAs would be as likely to face such enforcement actions as their U.S. counterparts.
“It's a mess. There's lots of uncertainty,” Mr. Nahra said. “HIPAA doesn't say a word about offshore. But a BA is a BA is a BA.”
Many foreign vendors provide covered entities with services related to patient data, according to the article. But should a data breach occur, the ability of the U.S. Department of Health and Human Services (HHS) to take action against a non-U.S. contractor falls into a gray area.
If HHS’s Office of Civil Rights (OCR) did pursue enforcement against an offshore vendor, officials would have to consider whether the company had any U.S.-based operations that played a role in the incident. If the breach involved an offshore subcontractor, regulators would have to determine whether the covered entity or BA knew the company had access to sensitive data.
“If a company is in India, the Philippines, or elsewhere and it has no U.S. tentacles, but OCR wants to investigate a breach—this hasn't been explored yet,” Mr. Nahra said.
“Each situation will have its own set of facts and a million different issues, including the relationship between the CE and the BA, the history,” he added. “There are risks with all BAs, and offshore just adds to that complexity.”
Covered entities should keep in mind that many offshore vendors—particularly those with a history of dealing with U.S. health-care clients—are as good or better than U.S. companies at protecting data, Mr. Nahra said. “Dealing with a company in Pittsburgh doesn't mean security will be better than working with a company in the Philippines,” he said.
Still, U.S. health-care organizations should ensure that they provide BAs with only the “minimal necessary” data to perform the contracted service, Mr. Nahra added. “The problem is a number of BAs are given lots of sensitive information they don't need.”