HIPAA Laws Unenforceable OFFSHORE!
This is an older article from 2013, but its implications still deserve a close look. This paragraph stands out:
“With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Department of Health and Human Services’ (HHS) release of the Final Omnibus Rule on January 17, 2013, the extension of statutory obligation to BAs makes for an interesting twist in offshoring. The Omnibus Rule reaffirmed and strengthened the reach of HHS’s Office of Civil Rights (OCR) and Department of Justice (DOJ) with respect to BAs within the United States and its territories, but it did nothing directly to the offshoring of PHI.”
and get this:
“In recent months, the Federal Trade Commission (FTC), through its own rulings, has also laid claim on the State attorneys’ general ability to institute fines, monitor and otherwise harass CEs and BAs domestically.
So all of this is well and good, but, in reality, there is no legitimate way for the OCR, the DOJ or the FTC to reach into foreign countries and deal out civil penalties — no less criminal ones.”
Read the full article here: http://searchitchannel.techtarget.com/opinion/Unclear-HIPAA-rules-permit-healthcare-data-offshoring-for-now
So how does it feel knowing that HIPAA enforcement, in practice, reaches only entities in the United States and its territories? Does it mean that our USA-based physicians could be held accountable for PHI breaches if they outsource their patients' medical and financial records offshore to India, Pakistan, the Philippines, Dubai and who knows where else? I'm not an attorney, but an enterprising one could plausibly argue that the buck has to stop somewhere. Since the buck (and HIPAA enforcement) evidently stops at the United States border, the person or organization that knowingly sends PHI to entities off USA soil may well be the one held responsible for any breach. The covered entity that chose the offshore vendor is the party OCR can actually reach, and the business associate agreement it signed does not become more enforceable just because the data left the country.
Something to think about.
As always, we invite your thoughts on this subject.