HIPAA/LAW:
February 2004
"HIPAA and Foreign Outsourcing"
By Steve Fox & Rebekah A. Z. Monson, Esqs.,
Pepper Hamilton LLP
In an effort to control spiraling costs, there is a growing trend
among healthcare providers, insurers, and others to outsource to
companies located in foreign countries (such as India, Mexico, or
the Philippines) a variety of operations including medical transcription,
healthcare data entry and processing, and billing and coding, all
of which involve the disclosure of protected health information
("PHI"). Foreign outsourcing has also been generating
controversy, particularly after a recent well-publicized allegation
that a Pakistani woman providing medical transcription services
for an American medical billing company threatened to post patient
files on the Internet unless one of the company's clients in California
paid her money she claimed was owed to her. As a result, California
State Senator Liz Figueroa has stated that she will propose legislation
prohibiting the overseas transfer of medical information (as of this
writing the legislation has not been introduced).
QUESTION: To what extent does the HIPAA Privacy
Rule (the "Privacy Rule") govern contracts with foreign
contractors and subcontractors?
ANSWER: Contractors and subcontractors, whether
foreign or domestic, are generally not directly covered by the Privacy
Rule. However, the business associate agreement requirements imposed
on covered entities with respect to their business associates will
usually apply. The Privacy Rule (as we all know by now) applies
to covered entities, i.e., health plans, clearinghouses, and providers
who transmit health information in electronic form in connection
with a HIPAA covered transaction. A covered entity is permitted
to disclose PHI to a business associate if the covered entity obtains
satisfactory assurances in the form of a written contract or agreement
that the business associate will "appropriately safeguard"
the information.
The Privacy Rule describes two different scenarios in which a HIPAA-related
business association may arise. First, when the right to use, disclose,
create, or obtain PHI is delegated to a third party for use on behalf
of the covered entity. Second, where a third party provides certain
specified services to a covered entity and the provision of those
services involves the disclosure of PHI by the covered entity to
such third party. The specified services are legal, actuarial, accounting,
consulting, management, administrative, accreditation, data aggregation,
and financial services. It is important to note that not every
relationship between a covered entity and a third party constitutes
a business association that gives rise to the requirement for a
business associate agreement as set forth under the Privacy Rule.
By executing a business associate agreement, a business associate
contractually obligates itself to protect the PHI and to not use
or further disclose the PHI other than as permitted or required
under the agreement or as required by (American) law. The Privacy
Rule includes required components for a business associate agreement.
One of these provisions is the requirement that any agents or subcontractors
of the business associate must agree to the same restrictions and
conditions agreed to by the business associate.
Enforcement of such agreements is a frequently voiced concern when
the business associate or subcontractor is in a foreign country.
Under the Privacy Rule, the US Department of Health and Human Services
only has enforcement authority over covered entities (unless a business
associate happens to also be a covered entity). Furthermore, while
a business associate or subcontractor must contractually agree to
protect PHI and comply with the Privacy Rule to the same extent
as the covered entity, the problem with these types of arrangements
arises if the foreign business associate breaches the agreement.
Depending on the legal system of the foreign country, which may
range from comparable to that of the United States to non-existent,
the covered entity may well have difficulty enforcing such an agreement
in foreign courts. Even if the business associate agreement requires
US law to apply and provides that all disputes be settled in US
courts, if the contractor is situated in another country and has
no property or contacts in the US, such a provision will offer small
comfort.
Under the Privacy Rule, covered entities are required to mitigate
any harmful effects of a wrongful use or disclosure of PHI by the
covered entity or its business associates. And although covered
entities must terminate business associate agreements when they
"know" of a pattern of activity which is a material violation
of the agreement and are unable to cure it, the Privacy Rule does
not require covered entities to monitor the activities of their
business associates. In spite of this seeming protection, as a practical
matter, it is likely that patients who have been damaged by a business
associate's breach of an agreement will seek compensation from the
covered entity, who chose to entrust its patients' PHI to an apparently
unreliable or dishonest business associate. Moreover, the patient
may argue that such an arrangement was inherently problematic, since
the covered entity knew (or should have known) of the potential
contract enforcement difficulties.
Consequently, when deciding to outsource services to a company
in a foreign country, covered entities should closely scrutinize
the company, its operations and procedures, its reputation in the
industry and compliance plans for handling PHI. Additionally, covered
entities can utilize various methods to ensure confidentiality such
as storing medical records and documents on a secure server and
not providing access to external email, printers or disk drives
so as to limit further disclosure of the PHI. Finally, covered entities
can (and should) contractually require their business associates
to take additional measures to ensure confidentiality, such as requiring
the business associate to train its employees worldwide on HIPAA
compliance.
Despite all of these precautions, however, all extra-territorial
contracts must be carefully analyzed, negotiated, and approached
with extreme caution.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP, www.pepperlaw.com .
This article was co-authored by Rebekah A. Z. Monson, Esq., an associate
of Pepper Hamilton LLP. They may be reached at foxsj@pepperlaw.com.
Disclaimer: This information is general in nature and should
not be relied upon as legal advice.