Do HIPAA penalties apply to offshore business associates?

The recent breach at Cogent Healthcare, in which an India-based transcription service exposed data on 32,000 patients when its firewall was down, illustrates the problem of HIPAA compliance among business associates (BAs) outside the United States.

Although the new HIPAA omnibus rule that applies to business associates goes into effect Sept. 23, it's not clear whether the U.S. Department of Health and Human Services can pursue an enforcement action against an offshore contractor.

"It's a mess. There's lots of uncertainty," Kirk Nahra, a privacy and security attorney at law firm Wiley Rein LLP, says in a Healthcare Info Security story. "HIPAA doesn't say a word about offshore. But a BA is a BA is a BA."

Healthcare organizations rely on offshore vendors for an array of services, including medical transcription, radiology readings, billing and clinical decision support. Should a breach occur, the vendor could be subject to a claim of breach of contract, but as privacy attorney Adam Greene of law firm Davis Wright Tremaine points out, "HIPAA, unlike certain other federal statutes, does not have explicit extra-territorial reach."

The answers to two questions could affect HHS' efforts to go after a non-U.S. business associate: whether the vendor knew that sensitive data was involved and whether the entity has any U.S.-based operations. If not, the BA could fall into a grey area, according to the article.

HHS could pressure the covered healthcare organization to get the vendor to cooperate or simply scrutinize the organization's risk-management practices. With penalties of up to $1.5 million per HIPAA violation under the new rule, it certainly would have some leverage there.

Most covered entities are hard at work updating and signing agreements with their business associates, and that's not necessarily an easy task. North Carolina's CaroMont Health is calling on an array of people within the organization to help identify all its business associates.

Some providers have reported difficulty in getting electronic health record and related software vendors on board. Some seem to think the rule doesn't apply to them. But even tech vendors that have access to patients' confidential information--through Internet shared programs, installation of upgrades and staff training, for example--meet the definition of BAs.
