Should You Use A Foreign Business Associate?
The HIPAA does not prevent you from using a foreign business associate (service provider); however, just because you can, doesn't mean you should. In fact, there are very good reasons to never utilize a foreign entity as your business associate.
Any entity who performs a service on your behalf, such as data storage, online scheduling, EHR, email marketing, etc., is considered your business associate. And, under the HIPAA, it is your obligation to obtain a signed Business Associate Agreement (BAA) from said entities.
The BAA is intended to provide you with "satisfactory assurances" the business associate will appropriately safeguard your information.
In 2013 the HIPAA rules expanded greatly, making domestic business associates liable to the Office for Civil Rights (OCR, the HIPAA enforcement arm), the Department of Justice (DOJ), and State attorneys' general. This is important because business associates are now directly responsible to the OCR, DOJ and State attorneys' general, and face possible civil and criminal penalties should the they expose your patient data.
In other words, the business associate must meet all HIPAA requirements themselves and must answer for decisions they make regarding the security of your patient data.
Post 2013, a signed BAA acts to both elevate a business associate's security-mindedness, and shields you from penalties when your vendor is the cause of a data breach.
These protections, however, can quickly evaporate as soon as you offshore patient data.
Why? Because the OCR, DOJ, and States have limited, if any, jurisdiction over a vendor operating from within a foreign country. And if the vendor is out of reach, you'll be the one left holding the bag—exposed to potential penalties and prosecution.
There is another reasonable argument to consider.
By choosing an offshore vendor, who we now know lacks accountability under the HIPAA, you may not be fulfilling your obligation to entrust patient information to only those vendors who properly regard and defend the information.
Think about that statement for a moment… you have to follow the law, the HIPAA requires that you use vendors who follow the law, yet an offshore vendor doesn't have to follow the law.
This contradiction has not gone unnoticed; many in the industry are pushing for government regulators to clarify the legitimacy of using foreign vendors. If this happens, there is a good chance foreign vendors may not be an option, which means you'll be forced to forge new relationships with domestic business associates.
Do your future self a favor; avoid service vendors located outside the United States.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.