HIPAA Blog

[ Monday, September 16, 2024 ]


Offshore Outsourcing of Tech Services Can Be Problematic: A few weeks ago, HHS removed two Obamacare enrollment companies from accessing the ACA Marketplace based on concerns that the companies potentially allowed consumers' personal information to be accessed in India. The companies operate the BenefitAlign and TrueCoverage websites, and use an Indian data center.

US privacy law does not generally prohibit the use of offshore companies as business associates, as long as a business associate agreement (BAA) is in place. However, even with a BAA in place, HIPAA covered entities still have an obligation to vet their contractors and cannot turn a blind eye to whether their offshore business associates will abide by their BAA obligations. There's always a question of whether a rogue business associate can be dragged into a US court if they violate the BAA.

Additionally, some federal and state payment programs (including some state Medicaid programs) specifically limit the ability to use offshore contractors if they will have access to PHI.

Some tech companies set up elaborate systems to limit the transmission of PHI outside the US, including arrangements where, in theory, the data never leaves the US and the offshore consultant does not technically receive the data but is merely able to "see" it from afar (although that seems like a convenient fiction). Certainly, most legitimate Indian, Philippine, and Pakistani tech companies have elaborate controls in place to ensure that their human staff can't take data with them: employees are not allowed to bring cameras or cell phones into the workspace and are searched coming and going, there are no USB ports or other ways to extract data from the system, and so on.

It's almost impossible to obtain any tech services where no aspect of the service is done outside the US. However, you should be aware of these concerns and be especially careful if you are bound by Federal Acquisition Regulations or other obligations that might restrict the offshoring of personal data.


Jeff [11:38 AM]
