It's important, then, that healthcare organizations using the services of foreign companies spell out in contracts their HIPAA compliance expectations, says Wu, a partner specializing in data security at law firm Cooke Kubrick and Wu LLP. That way, compliance can be enforced as a contractual obligation, he says.
Under the HIPAA Omnibus Rule, business associates are now directly liable for HIPAA compliance. But the rule makes no mention of offshore vendors, Wu notes.
"There's a loophole that covered entities are allowed to outsource to [offshore] business associates, and the [Department of Health and Human Services] could not go after those foreign business associates if there is a violation," Wu says in an interview with Information Security Media Group.
A Supreme Court decision in a case outside of healthcare makes it "very doubtful" that U.S. regulators would be able to take HIPAA enforcement actions against offshore vendors even if U.S. patient data is exposed in a security incident, he notes.
Steps to Take
Healthcare organizations must keep in mind administrative, legal and technical issues to address when doing their due diligence with offshore business associates, Wu says.
For example, organizations should carefully scrutinize the privacy practices of the vendor to ensure they meet the HIPAA standards; conduct ongoing assessments to make sure the vendor continues to meet those requirements; and make sure those requirements also flow down to the BA's subcontractors - both domestic and offshore, he says.
Covered entities also should require that the vendor implement technical controls to prevent data loss. "There could be containerization or virtualization of the information on local machines in the foreign country ... to minimize the risk of data leakage," he says.
The attorney also advises covered entities to investigate whether the laws in the nation where the offshore company is located protect the security and privacy of health data.
In the interview, Wu also discusses:
- The legal complexities involved with HIPAA Omnibus and offshore BA relationships;
- International health data privacy laws that might apply to vendors serving U.S. healthcare organizations;
- Provisions to include in contracts with offshore vendors.
Wu is former chair of the American Bar Association Section of Science & Technology Law and co-chair of its Information Security Committee. He has written or co-authored five books on data security law, including "A Guide to HIPAA Security and the Law," and "A Legal Guide to Enterprise Mobile Device Management: Managing Bring Your Own Device," a recently released book on handling mobile devices in the enterprise.