Offshoring PHI? Risk analysis is key
Risk assessment may be the most important aspect of patient health information security planning when contracting with foreign firms, said healthcare legal experts Monday at the 2015 HIMSS Annual Conference & Exhibition.
“You may not know it, but anytime you have a business associate agreement, you have just opted into HIPAA,” said Julia Hesse, an attorney at Choate, Hall & Stewart LLP in Boston, and panelist at a HIMSS15 data security session.
Hesse explained to attendees — most of whom identified themselves as security officers at healthcare IT firms — the complexities of HIPAA definitions of the Business Associate category, particularly regarding offshore developers. She said organizations must take particular care to protect themselves from HIPAA enforcement actions by adequately assessing their security relationships with outside firms.
“You know that onshore entities are subject to HIPAA as covered entities or business associates, but offshore vendors do meet the BA definition,” she said.
It’s uncertain how the U.S. Office for Civil Rights (OCR) would enforce HIPAA violations committed outside the country, as doing so would be “difficult, expensive and in some cases impossible,” Hesse said. Still, firms cannot afford to risk exposure and be left “holding the bag.”
Amy Leopard, an attorney at Bradley Arant Boult Cummings LLP in Nashville, said healthcare IT firms should take a hard look at whether offshoring made strategic sense, given the legal risk of a breach.
“The cost and complexity of using offshore providers is becoming a real issue,” she said. “You have to inventory your vulnerabilities, prioritize your risk and come up with a game plan in an enforcement context.”
A comprehensive risk analysis is crucial, because “after a breach, the first thing OCR will ask is for your risk analysis,” she said.
If an organization’s risk analysis has identified a security vulnerability and the organization has not fixed it, OCR will not accept any excuses. Every vulnerability the analysis identifies must be remediated.
Organizations need an audit response team that has a deep understanding of the OCR process, said Kathryn Coburn, an attorney at Cooke Kobrick Wu LLP in Santa Monica, California. “You have 10 days to respond to an OCR letter, and people will look to you when a crisis occurs,” she noted, addressing security officers in the audience.
In addition to offshoring, the panel addressed risk control for cloud data storage and mobile devices, and the legal implications of each. Because covered entities and their BAs are legally responsible for reasonable and appropriate security and confidentiality of PHI, firms must undertake due diligence before selecting a provider.
“Does the cloud service provider have adequate insurance coverage, and have you reviewed your own insurance to assure that you are covered in the event of failure of the host?” Coburn asked the audience.