Report to OCR and CMS Says Reliance on BA Agreements is Not Enough
Healthcare, like many other industries, allows offshore outsourcing of information technology help desk functions, healthcare claims processing and medical transcription services. However, organizations that are considering the offshoring of health information should consider the liability associated with managing business agreements meant to provide satisfactory assurance that patient information is protected against unauthorized use or disclosure.
The Inspector General of the Department of Health & Human Services (OIG) recently issued a report to the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) reviewing practices of state and territorial Medicaid agencies safeguarding protected health information (PHI) that is sent to contractors operating outside the United States. The report concludes that if PHI was sent to an offshore contractor there might be limited means to enforce the provisions of the business associate (BA) agreements. While OIG’s review was limited in scope to state Medicaid agencies, the report points out that the requirements to safeguarding PHI through reliance on BA agreements alone would be the same on all HIPAA covered entities, as well as their contractors and vendors.
The OIG found that eleven state Medicaid agencies have provisions to allow offshore outsourcing of administrative functions. The report found that BA agreements used did not specifically address the offshore outsourcing of administrative functions involving PHI. The OIG cautioned that security risks greatly increase when Medicaid agencies engage in offshore outsourcing of administrative functions that involve PHI. For example, Medicaid agencies or domestic contractors who send PHI offshore may have limited means of enforcing provisions of BA agreements. Most countries do not have privacy protections equivalent to those of the United States to support HIPAA compliance.
The OIG’s review, focused on offshoring of administrative functions and warehousing of data, highlights the risks to the confidentiality, availability and integrity to PHI that all HIPAA covered entities and their contractors and vendors who subcontract with vendors or send data overseas face. When there is no remedy for enforcement, the written BA agreement may not be of much value and ensure that PHI is protected.
The good news is that a number of countries have adopted data protection and privacy laws. While these trends are encouraging, the potential for abuse still exists. If there were conformity in regulations and remedies, full disclosure of policies, procedures and incident reporting, and a recognized standard for technical safeguards, the healthcare sector, and their regulators, could feel some sort of assurance. Until that is achieved, we all must be mindful to the risk faced when relying on written assurances for safeguarding PHI when engaging service providers outside of the United States.