Lowdown on Privacy Rule and outsourced PHI
As a means of cost cutting, healthcare providers are outsourcing medical transcription, healthcare data entry and processing, and billing and coding, all of which involve the disclosure of Protected Health Information ("PHI") to countries like India and the Philippines. The Privacy Rule does not directly govern contractors, foreign or domestic, and enforcement of business associate agreements is a frequently voiced concern when the business associate or subcontractor is in a foreign country.
The Privacy Rule applies to covered entities, i.e., health plans, clearinghouses, and providers who transmit health information in electronic form in connection with a HIPAA-covered transaction. Under the Privacy Rule, the US Department of Health and Human Services only has authority to enforce the business associate agreements imposed on covered entities with respect to their business associates.
Therefore, such covered entities should closely scrutinize the operation and reputation of the company in a foreign country before passing on medical records. In addition to this, covered entities can employ various methods to ensure confidentiality such as storing medical records and documents on a secure server and not providing access to external email, printers, or disk drives to limit further disclosure of the PHI.
The Privacy Rule includes required components for a business associate agreement. One of these provisions is the requirement that any agents or subcontractors of the business associate must agree to the same restrictions and conditions agreed to by the business associate. Finally, covered entities can (and should) contractually require their business associates to take additional measures to ensure confidentiality, such as requiring the business associate to train their employees worldwide on HIPAA compliance.
In the event of a breach of the agreement by a business associate, patients who are damaged can seek compensation from the covered entity that chose to entrust its patients’ PHI to an apparently unreliable business associate. However, several foreign companies are up-to-date with HIPAA compliance norms.