Offshore outsourcing a risk to personal health information, OIG report warns

State Medicaid agencies that outsource administrative functions to foreign contractors could be putting personal health information (PHI) at risk, warns a report from the Office of the Inspector General. 

A poll of the nation's 56 Medicaid agencies found that 11 allow offshore outsourcing of administrative functions and four agencies ban it. The remaining 41 Medicaid agencies have no specific requirements on the practice, but do not send any work offshore. Fifteen agencies have state regulations addressing offshore outsourcing.

Of the 11 that allow offshoring, nine put few restrictions on the practice and two allow it only under limited circumstances.

Seven state agencies--Florida, Massachusetts, Mississippi, Montana, North Dakota, Rhode Island and Missouri--reported that they outsource offshore through subcontractors, but said they do not send personal health information offshore.

All 11 agencies that allow offshore outsourcing have Business Associate Agreements with their contractors as required under HIPAA, according to the report. However, it warns that some countries have limited privacy laws that won't ensure the confidentiality of that information.

 "Medicaid agencies or domestic contractors who send PHI offshore may have limited means of enforcing provisions of BAAs [business associate agreements] that are intended to safeguard PHI," the report says.

The Medicare program requires agencies to get written government approval before work is sent offshore. There are no similar regulations with Medicaid, though the Centers for Medicare and Medicaid Services has issued guidance allowing the practice in accordance with the Affordable Care Act.

The HIPAA audit program will resume this fall, though the U.S. Department of Health & Human Services' Office for Civil Rights says the focus will be narrower, with fewer on-site visits.

An indemnity clause is vital in business associate agreements, according to David M. Vaughn of Vaughn & Associates, LLC, in Louisiana. Such a clause states that if the BA is responsible for the breach, it's also responsible for the fine. Otherwise, your own organization could be left holding the bag.

To learn more:
- find the report (.pdf)


Suggested Articles

An assessment looking at 12 health systems that allow patients to download their health records to their smartphones via APIs finds modest uptake.

The National Institutes of Health-led All of Us precision medicine health research database project has enrolled 230,000 participants.

Hospitals must pursue a deliberate strategy for managing their public image—and a powerful tool for doing so is inpatient clinical data registries.