False Security: HIPAA OFF USA SOIL
Are USA-based hospitals, vendors and physicians being lulled into a false sense of security?
Under HIPAA, when these entities contract with an offshore company to handle Protected Health Information (think medical coding and medical billing), both sides sign a Business Associate Agreement. Fair enough. However, if a USA-based entity suffers a breach in which PHI is released into the wrong hands, whether publicly or privately, penalties and fines are mandated, often running into the hundreds of thousands of dollars.
Offshore entities that breach these same laws simply lose business from the USA, re-route their contracts, start a new company and, voila, they are back in business again. Articles like the one linked below will tell the truth, but then lead the reader down the garden path by implying that following a few small guidelines will keep them safe. Seriously, we have to ask again: is it really worth the risk?
“HIPAA essentially doesn’t care directly about sending PHI offshore any more than it cares about a disclosure to Pittsburgh,” Nahra says. “If it is a [PHI] disclosure to a vendor, that vendor is subject to the same rules as a vendor in the U.S. A non-U.S. vendor would need to execute a business associate agreement, and would – at least in theory – be subject to HIPAA enforcement. And presumably, if [the vendor] resisted this enforcement authority, [the vendor] would cease to get business from U.S. companies.”
But attorney Stephen Wu of Silicon Valley Law Group warns that even if a U.S.-based covered entity has a business associate agreement with an offshore vendor that subsequently has a breach, the covered entity could be out of luck if the vendor is located “in a lawless jurisdiction.” In such situations, “if you offshore PHI to a [vendor in a] lawless jurisdiction, there’s no way to enforce what’s in the contract.”
To read how you, too, can do your “due diligence,” which really amounts to no protection for USA-based hospitals, physicians and clinicians who hand their accounts to people who do not live in the USA and who cannot LEGALLY be held accountable like the rest of us, read the rest of the article here: http://www.careersinfosecurity.com/offshoring-phi-addressing-security-issues-a-10530
As always, opinions are welcome.