Offshoring PHI: Addressing the Security IssuesExperts Offer Insights on Precautions to Take
When a U.K. hospital recently inadvertently stored patient data on an offshore server for a few days, it raised concerns about potential security issues. Similarly, U.S.-based healthcare entities need to keep security top of mind if they use offshore services to handle protected health information.
Electronic health records for 56 patients held by Gloucestershire Hospitals were mistakenly uploaded in October to a server in the U.S. due to a misconfigured internal setting that caused an incorrect data set to be transferred, according to the Gloucestershire Live news site.
The patient information had been erroneously copied onto a U.S. server of a technology vendor. After four days, the mistake was corrected and the data removed, the news site reports.
The incident has been reported to the U.K. Information Commissioner' Office, an independent U.K. authority, which is investigating. "We are aware of an incident involving Gloucestershire Hospitals Foundation Trust and are making inquiries," an ICO spokeswoman tells Information Security Media Group.
The U.K. incident brings to the forefront the security issues raised by storing patient information offshore.
For U.S. based covered entities and business associates, "the HIPAA privacy and security rules do not directly address the question of the offshoring of PHI," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"However, the requirements of the HIPAA rules would apply to personally identifiable health information protected by the privacy rule when created, maintained or transmitted outside of the U.S.," he says. "It is important to ensure that the HIPAA covered entity or business associate have appropriate information security safeguards to secure the data as well as to include these offshore operations in the scope of their enterprisewide information security risk analysis and risk management plans. If the PHI will be handled by an overseas contractor or vendor, there must be a business associate agreement in place to ensure that appropriate privacy and security are protecting the data."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that while HIPAA does not prohibit offshoring of PHI, subject to a business associate agreement where appropriate, cloud guidance issued last year by the Department of Health and Human Services' Office for Civil Rights "did indicate that your risk analysis should identify cases in which the offshoring may create increased risks to data security."
In addition, "some federal and state health programs potentially restrict offshoring of beneficiary data," he notes. An HHS Office of Inspector General report in 2014 described how some state Medicaid programs restrict offshoring of data," Greene points out.
"There are a handful of rules in various other parts of the healthcare system - some Medicare Advantage and Part D provisions - that impose other limitations, but there is a lot of confusion about this," says privacy attorney Kirk Nahra of the law firm Wiley Rein. The issues also get more challenging as data moves through the healthcare system to different parties, he adds.
"HIPAA essentially doesn't care directly about sending PHI offshore any more than it cares about a disclosure to Pittsburgh," Nahra says. "If it is a [PHI] disclosure to a vendor, that vendor is subject to the same rules as a vendor in the U.S. A non-U.S. vendor would need to execute a business associate agreement, and would - at least in theory - be subject to HIPAA enforcement. And presumably, if [the vendor] resisted this enforcement authority, [the vendor] would cease to get business from U.S. companies."
But attorney Stephen Wu of Silicon Valley Law Group warns that even if a U.S.-based covered entity has a business associate agreement with an offshore vendor that subsequently has a breach, the covered entity could be out of luck if the vendor is located "in a lawless jurisdiction." In such situations, "if you offshore PHI to a [vendor in a] lawless jurisdiction, there's no way to enforce what's in the contract."
So, it's vital that CE and BAs that rely on offshoring conduct due diligence of their vendors and subcontractors to have a clear understanding about issues, such as where PHI is flowing, Wu says.
Nahra offers a similar perspective: "I always encourage some additional due diligence for offshore vendors and encourage companies to consider whether there will be prohibitions on downstream offshoring - but those provisions often are difficult to obtain and/or enforce," he says. "In general, I want companies to focus on privacy and security controls, regardless of where the vendor is located. "
Some healthcare organizations rely heavily on off-shore vendors and contractors that are handling PHI outside of the U.S., Holtzman says. "Our industry needs to take a page out of the financial sector's playbook when it comes to how it manages vendor management security," he says. "There needs to be a sound, effective program for identifying and managing the risks associated with offshore vendors who will be creating, maintaining or transmitting electronic-PHI."
Healthcare organizations contemplating the use of offshore vendors that will have access to their PHI should have a well thought out program for managing the risks associated with these activities, Holtzman advises.
"This program should take a lifecycle approach that begins when conceiving the idea for the service to be provided by these offshore contractors and ends with the final disposition of the data," he says.
"The business associate agreement, while necessary to meet HIPAA requirements, is not the best vehicle for identifying and protecting your organization against risks posed when contracting with vendors that will be handling your data outside of the U.S."
Organizations should also be forewarned that while the HIPAA Breach Notification Rule makes it clear that the covered entity and their offshore business associate "are joined at the hip when it comes to responsibility for protecting patient information ... often, it is the covered entity who is left holding the bag," Holtzman adds.