Think offshoring PHI is safe? You may not be covered if a business associate breaches data
As if there wasn't enough to think about when conducting a HIPAA risk assessment and crafting a business associate agreement, there's another complicated wrinkle to privacy and security that many providers don't even think about: What happens when a vendor keeps your patient data in an offshore location?
"It's something that happens, and has historically happened," said Erin Whaley, a partner at Richmond, Virginia-based Troutman Sanders. "And it doesn't get a whole lot of discussion."
Data offshoring in healthcare is more common than we would think, she added. Many companies use resources that are based overseas, or employ foreign subcontractors.
"It could be server farms, it could be call centers," said Whaley. "It could be the actual transcriptionist, the folks who are doing the revenue cycle management work, or running the data analytics."
And without due diligence, many HIPAA-bound providers may not even realize their vendor contractors are doing it.
"Covered entities face challenges with vendor management under the best of circumstances," she said. "They just typically do not have the bandwidth and the budget to manage all of their vendors in the way that they would like to, so they select the most important vendors – those that have the most data – and really drill down on those. But they don't look at some of their other ones with the same scrutiny."
Learn more at the Privacy & Security Forum in Boston, December 5-7, 2016.
There's no law that says vendors who offshore data must disclose that fact, said Whaley. That means the onus is on the covered entity to clarify that in their contracts.
"It's really up to the provider to establish their policy – what is their policy on use of offshore resources? – and then to make sure that that policy is reflected in their contracts, and to enforce their contracts," she said.
"There are certainly some covered entities who put a clause in their service contract or their BAA that said, 'You won't send my data offshore, you won't use offshore resources.' Or, 'You won't do it without my consent.' In which case, the vendor has to come back to say, 'Here's what we want to do, here are the resources we want to use,' and the CE either agrees or doesn't – it's within their discretion."
Writing about offshoring protected health information for HIMSS, Gerry Hinkley and Allen Briskin, healthcare attorneys with San Francisco-based Pillsbury, noted that, "when considering appropriate contractual measures for offshore activities," it's worthwhile to keep a few issues in mind:
- Are policies/procedures in place to ensure that PHI and other personal data stays secure?
- Is unnecessary offshore access to PHI prohibited?
- Can the offshore activities be terminated immediately upon discovery of a significant breach? (they note that CMS does not "require that such termination rights necessarily be exercised")
- How and how often will audits be conducted? (Here they suggest that CMS "appears to recommend annual audits").
With OCR hesitant to go after offshoring vendors, providers could be 'on the hook'
None of this is to say that there's anything inherently bad about PHI offshoring – just that it adds another layer of complexity to an already challenging task.
"There are plenty of articles out there that will tell you the offshore companies do a better job with data security than onshore companies, because there are lots of other countries that have stricter laws than we do, and have had them in place longer than we do, and so they do security better," said Whaley.
"But there are plenty of places that don't. So making sure that that risk is evaluated as part of the covered entity's risk analysis is very important."
Even though offshoring has been around for some time, it's still an area that's relatively untested – at least with regard to post-breach consequences.
"The reach of OCR's enforcement power hasn't really been tested," she said. "They haven't gone after any offshore business associates as far as I know. Part of it may be that they don't have the resources or appetite to do that – they've got enough to deal with domestically. Or maybe there just hasn't been a big enough event yet to warrant them doing that. That's kind of an interesting gray area in the law, and we don't know what OCR would do."
Given the cost and logistical difficulty involved, Whaley's hunch is that OCR "probably wouldn't go after an offshore company unless it was phenomenally egregious," she said. "More likely they'd go after the covered entities involved: If they hadn't appropriately accounted for that in their risk analysis, then it would be they who are on the hook."
That's why conducting a risk analysis is absolutely essential.
The first step is surveying all associates and vendors to determine whether each is offshoring data or using offshore resources that might be able to touch their health data.
"We're seeing offshore resources used but the data is never actually sent offshore: You may have a call center in India, and the data never actually goes there, but the folks in India connect to the data that's housed in the U.S.," Whaley explained. "They're able to access that data even though they're not stateside."
While gaining a deep understanding of those relationships is the first step, the second is determining what policies those partners have in place around that practice.
Whaley advised HIPAA-covered entities to look at what the partner will permit, what they will not, and then make sure those policies are documented and incorporated into the agreement.
Those basic strategies hold true, whether for a large health system or a small physician practice. Beyond that, the rigor with which a provider does research on their vendors largely depends on resources.
"Large health systems may go out to a vendor's data center and look at it, they may review a vendor's security policies. They may have a 15-page questionnaire that they have a vendor fill out," said Whaley. "A small physician practice is just not going to do that. They just don't have the resources or the expertise. So that's where they have to do a risk analysis that makes sense for them."