Legal Corner: Use of Protected Health Information Outside the United States Can Raise Regulatory and Other Privacy Issues

By Gerry Hinkley and Allen Briskin

Gerry Hinkley  
Allen Briskin  

Health information exchange participants are increasingly facing concerns regarding arrangements under which their business associates or health information exchange participants store, process or otherwise handle or use protected health information (“PHI”) outside the United States and its territories (commonly referred to as “Offshore Activities”). For example, a health care provider may demand that the HIE or a technology or information services vendor enter into a business associate agreement that prohibits the storage of PHI “offshore,” and prohibits members of an offshore contractor’s workforce from having access to PHI. Or, an HIE data sharing participant (e.g., a health plan) may seek to require that other HIE participants (e.g., health care providers) refrain from entering into data processing or other services arrangements with vendors that engage in Offshore Activities involving health plan members. Sometimes, a party may grant exceptions to these prohibitions, but only if the other party agrees to a number of specific contractual provisions that seek to protect the privacy and security of PHI and/or allocate legal and other risks to the party that conducts Offshore Activities; sometimes, these provisions must be incorporated into contracts with offshore vendors (and even their subcontractors), which likely involves complex and costly renegotiation of existing arrangements.

A number of parties, including the Centers for Medicare and Medicaid Services (“CMS”), believe that Offshore Activities involving PHI raise unique privacy and security risks. Commonly expressed concerns include the possibility that an offshore contractor’s workforce will not have sufficient training or experience with health care privacy rules and customs observed in the U.S., and that an organization in the U.S. will find it more difficult and costly to monitor Offshore Activities’ compliance with business associate agreements and other privacy and security requirements. Moreover, some express concern that, regardless of what the applicable business associate and other contracts may provide, offshore parties will not necessarily be subject directly to U.S. laws such as HIPAA, or will not be compelled by the courts of their own countries to comply with U.S. legal requirements.

Neither HIPAA nor any other federal law prohibits a covered entity or a business associate from engaging in or contracting with others to perform Offshore Activities involving PHI. CMS has imposed limited demands upon the health plans it regulates through its contracts with them, i.e., Medicare Advantage (Part C) and Prescription Drug (Part D) plans, in connection with Offshore Activities. However, neither CMS nor any other federal agency has prohibited Offshore Activities involving PHI or imposed specific requirements that go beyond HIPAA’s requirements for covered entities and business associates.

For almost five years, CMS has been requiring its contracting health plans to collect and report information regarding the Offshore Activities of their health care providers, vendors and other subcontractors. In memoranda issued in 2007, CMS mandated the collection and reporting by Part C and Part D plans of limited information regarding Offshore Activities, and has encouraged those plans to adopt what it has described as “extraordinary” measures to protect PHI that is handled offshore.

CMS’s requirements help identify some of the regulatory and other legal concerns that Offshore Activities can raise. CMS requires that its regulated plans identify and report the following:

  • all contractors and subcontractors that engage in Offshore Activities involving PHI;
  • the type(s) of PHI provided to the offshore contractor;
  • the functions that the contractor performs offshore that involve PHI;
  • whether Offshore Activities involving PHI are necessary, and whether alternatives to those Offshore Activities were considered; and
  • the contracting arrangement’s safeguards to protect PHI, and provisions for audits of the offshore contractors’ compliance with those safeguards.

CMS suggests, but does not require, that its health plans conduct on-site audits of their offshore contractors’ activities. So-called “desk audits” conducted from within the U.S. are acceptable, though CMS has cautioned plans that they are expected to adopt audit standards substantial enough to ensure the appropriate protection of PHI.

When considering appropriate contractual measures for Offshore Activities, the following issues identified by CMS are helpful:

  • Are policies and procedures in place to ensure that PHI and other personal information remain secure?
  • Is unnecessary offshore access to PHI prohibited?
  • Can the Offshore Activities be terminated immediately upon discovery of a significant security breach? (CMS does not, however, require that such termination rights necessarily be exercised)
  • How and how often will audits be conducted? (CMS appears to recommend annual audits).