
International outsourcing and HIPAA compliance


As the healthcare sector becomes more globalized, local hospitals must understand the HIPAA implications of outsourcing to non-U.S.-based organizations. While these outsourcing relationships can help providers save costs, they also introduce significant risks to the security of protected health information (PHI).

Outsourcing and the role of business associates

Under the HIPAA Omnibus Rule of 2013, any entity that comes in contact with or handles PHI on behalf of a healthcare provider is considered a business associate (BA). These service providers can include IT vendors, data storage firms, billing outsourcers, email encryption services, cloud storage services, and even housekeeping vendors. So, when hospitals outsource their operational services to these external partners, they must check that these BAs comply with U.S. federal regulations. 

As MedSphere explains, "Every hospital and healthcare organization must protect itself through a well-defined and enforced business associate management program."

It is especially complex when outsourced vendors operate outside the U.S. and the healthcare organization must adhere to the Health Insurance Portability and Accountability Act (HIPAA) to avoid data breaches and costly penalties.

Risks of outsourcing to non-U.S. vendors

While outsourcing to non-U.S. vendors can help organizations save costs and improve their operational efficiencies, it also exposes healthcare organizations to major security risks. One primary concern is that non-U.S.-based vendors might not be familiar with the complexities of HIPAA compliance or may not have adequate security measures in place to protect PHI.

Furthermore, foreign laws and regulations might not align with U.S. requirements, leading to gaps in data protection practices. HIPAA's chain of compliance also requires the main vendor and its subcontractors (including those based outside the U.S.) to adhere to the same standards.

“If a prospective BA is contracting with downstream business associates on your hospital’s behalf, it must have BA agreements with them and impose the above data security and applicable privacy requirements on them.”

Since "subcontractors of business associates that perform business associate functions are themselves business associates", non-U.S. vendors that subcontract their duties to other organizations may inadvertently introduce additional risks.

The penalties for non-compliance

Before the Omnibus Rule, business associates were not held directly accountable for HIPAA violations. This changed in 2013, making both covered entities (like hospitals) and their business associates subject to penalties.

HIPAA fines can range from $100 to $50,000 per violation, with the maximum penalty reaching up to $1.5 million per year for repeated offenses. 

The first significant penalty for a BA was handed down in 2015, when the Catholic Health Care Service of Philadelphia was fined $650,000 after the theft of an unencrypted smartphone that was not password protected. The case showed that outsourcing a service to a business associate does not relieve the healthcare organization of its responsibility to secure PHI.

Therefore, "having a HIPAA compliant risk management program addressing outsourcing vendors and other business associates (BAs) has never been more critical," MedSphere adds.

Go deeper: Higher HIPAA penalties announced

Managing business associate risks

Healthcare organizations must implement a comprehensive business associate risk management program. The process can be broken down into these two stages:

Due diligence

Before entering into any agreement with an outsourcing vendor, healthcare organizations must assess the vendor’s ability to meet HIPAA requirements. 

Healthcare organizations must confirm that the vendor is willing to sign a HIPAA business associate agreement so that it is legally bound to follow HIPAA regulations. If a vendor is not willing to comply, it is best to find another vendor.

Additionally, healthcare organizations must assess the amount of access the vendor and its subcontractors will have to PHI, as this will determine the level of risk they present.

Ongoing monitoring

After establishing a relationship with a vendor, organizations must continuously monitor the vendor's compliance with HIPAA standards. This includes ensuring that vendors maintain adequate security measures, provide regular reports on their data security practices, and are held accountable for any data breaches.

Another aspect of ongoing monitoring is annual privacy and security assessments. The vendor provides these assessments to the healthcare organization to demonstrate that it remains compliant with HIPAA.

The healthcare organization should also keep a current inventory of all business associates and have their documentation available for audits.

Addressing subcontractor compliance

According to the Omnibus Rule, a first-tier business associate must verify its subcontractors comply with HIPAA rules. As a result, healthcare organizations must check that the vendor has sufficiently vetted the subcontractor.

Maintaining HIPAA compliance abroad

Some countries impose data protection regulations that contradict HIPAA requirements. Examples include:

  • The European General Data Protection Regulation (GDPR) mandates stricter rules on data transfer across borders, such as restrictions on transferring personal data outside the EU to countries that do not offer "adequate" data protection.
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The Act has more lenient provisions for consent when transferring personal data outside of Canada, which can conflict with HIPAA’s stricter requirements for securing patient data, particularly around cross-border sharing of health information.
  • Australia’s Privacy Act 1988 (and Australian Privacy Principles) requires entities to notify individuals if their personal data is being transferred to countries without equivalent privacy laws, whereas HIPAA does not impose similar notification requirements for international transfers.
  • Brazil’s General Data Protection Law (LGPD), like GDPR’s provisions, mandates that data transfers to countries without adequate levels of protection must be justified by contractual clauses, which might not align with HIPAA's general allowances for data transfer under a BAA.
  • China’s Personal Information Protection Law (PIPL) imposes strict data localization requirements, which can conflict with HIPAA’s more flexible approach to cross-border data transfers. HIPAA allows the transfer of PHI to foreign countries under specific conditions, whereas PIPL requires data about Chinese citizens to be stored within China.
  • India’s proposed Personal Data Protection Bill will also impose data localization requirements, so data about Indian citizens must be stored within India, conflicting with HIPAA’s allowance for international health data transfers under certain conditions.
  • Russia’s Federal Law on Personal Data also requires that the personal data of Russian citizens be stored and processed within the country. In this sense, it contradicts HIPAA’s rules on cross-border data transfers, as Russia’s laws do not recognize the adequacy of privacy protections in many other countries.

Ultimately, this creates a compliance dilemma for healthcare organizations handling international outsourcing relationships. 

Navigating compliance risks

When engaging with a non-U.S. vendor, healthcare organizations face the dual challenge of adhering to HIPAA requirements and complying with local privacy and security laws. Encrypting PHI both in transit and at rest helps these organizations safeguard patient information.

However, where the vendor's country has weak data protection laws, that jurisdiction's legal system could hinder investigations, enforcement, or remediation following a breach, creating significant legal and operational risks.

How using a HIPAA compliant solution can help

Uphold U.S. federal law

HIPAA compliant solutions, like Paubox, offer security measures such as encryption, multifactor authentication (MFA), and access controls to protect patient data in transit and at rest.

Additionally, these services provide audit trails that track the history of email communications. These audit trails are particularly useful during U.S. Department of Health and Human Services (HHS) audits or investigations, as they provide evidence that healthcare organizations have taken the necessary steps to protect patient information.

Uphold international laws

Let's say a healthcare provider needs to send a patient's medical records to a European clinic for a second opinion. In this situation, the provider must comply with both HIPAA and GDPR. The provider must use Paubox email to send these medical records securely and uphold HIPAA and GDPR standards.

Its built-in encryption automatically encrypts attachments during storage and transmission, minimizing the risk of unauthorized access or interception. It also provides audit trails, helping the provider demonstrate compliance with HIPAA and GDPR if inquiries arise.

Ultimately, these email solutions help healthcare providers manage international communications while adhering to U.S. and European privacy laws.

Go deeper: The intersection of GDPR and HIPAA

FAQs

What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing the relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.

Do HIPAA compliant emails also comply with GDPR?

Yes, HIPAA compliant email practices, especially regarding data encryption and security measures, can align with GDPR’s requirements for protecting personal data.

How can providers protect patient privacy under HIPAA and GDPR?

Healthcare providers should educate staff on privacy practices, use HIPAA compliant platforms, like Paubox, to send patient data, and obtain patient consent for data processing.

Go deeper: How to obtain patient consent for email communication