The Challenge of HIPAA Enforcement for Offshore Vendors

How to Utilize Offshore Vendors without Breaking the Law

Offshore Vendors & HIPAA Protection

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton in 1996. Its main objectives are to improve access to health insurance, reduce fraud and abuse in the healthcare system, and standardize the privacy and security of sensitive health information. To achieve these goals, HIPAA established national standards for protecting individually identifiable health information, known as Protected Health Information (PHI). The HIPAA Privacy Rule sets standards for the use and disclosure of PHI, while the HIPAA Security Rule establishes administrative, physical, and technical safeguards for electronic PHI (ePHI).


The challenge with the HIPAA Privacy and Security Rules when offshoring services is enforcement. The Office for Civil Rights (OCR) has limited practical ability to investigate a Business Associate located outside the United States, or to impose penalties on one. Because OCR's enforcement reach over offshore vendors is limited at best, a Business Associate Agreement (BAA) with such a vendor creates a contractual obligation but offers little regulatory recourse to the healthcare organization using the service. The covered entity's own HIPAA obligations, and its exposure when a vendor mishandles PHI, remain regardless of where the vendor is located. For organizations that would like to outsource services to an offshore vendor, there are some additional considerations:

1. Compliance with Data Protection Laws:

Offshore vendors must comply with the data protection laws of the country where the data is stored and processed. These laws may differ from, and in some cases conflict with, the data protection laws of the country where the patient resides. It is important to confirm that the offshore vendor has appropriate policies and procedures in place to protect patient privacy and to comply with every data protection law that applies to the data.

2. Security Measures:

Offshore vendors must implement robust security measures to keep patient data safe and secure. This includes encryption of ePHI in transit and at rest, access controls that restrict PHI to staff who need it for their role, and regular security audits to identify vulnerabilities. The healthcare organization should verify these controls rather than rely on the vendor's description of them.

3. Confidentiality Agreements:

Confidentiality agreements should be in place between the healthcare organization and the offshore vendor, in addition to the BAA. These agreements should outline the terms and conditions of the relationship, including how patient data will be handled, protected, and returned or destroyed when the relationship ends.

4. Training and Education:

The offshore vendor should ensure that its staff receive regular training on data privacy and security. This helps ensure that they understand the importance of patient privacy and the specific steps required to protect it.

5. Risk Management:

Healthcare organizations should undertake a risk assessment to identify the risks associated with outsourcing services offshore, including the limited enforcement recourse described above. This ensures that appropriate risk management strategies are put in place to mitigate those risks before any PHI is shared.

6. Monitoring and Oversight:

Healthcare organizations should have mechanisms in place to monitor and oversee the offshore vendor's ongoing compliance with data protection laws and the agreed security measures, rather than relying on a one-time assessment at onboarding.


HIPAA Compliance Recommendations

Overall, it is important for healthcare organizations to take patient privacy seriously when outsourcing services offshore. A Business Associate Agreement (BAA) is still necessary and helpful, but it is important to understand its limitations when the vendor is beyond OCR's practical reach. We recommend working with offshore vendors to confirm they have appropriate policies, procedures, and security measures in place to protect patient privacy and comply with applicable data protection laws. Doing so helps ensure that offshore services can be used safely and without breaking the law.


Chad Schiffman

Director of Compliance & Risk Management