By Dr. Jose I. Delgado
During the last couple of years, I have been approached by multiple healthcare professionals and organizations asking about the legality of using companies that do not reside in the USA (offshore businesses) to handle electronic protected health information (ePHI). While there are recommendations we would like anyone to consider before hiring such a company, the reality is that HIPAA does not discriminate between US businesses and offshore companies.
In other words, HIPAA does not prohibit contracting with companies that do not reside in the USA. HIPAA, the HITECH Act, and the Omnibus Rule do specify the requirements that these business associates and their subcontractors must follow, but nothing in these regulations prevents their use.1
The Department of Health and Human Services (HHS) actually posted:
“HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP [cloud service provider] or any other business associate outside of the United States.” 2
The same HHS guidance adds that risks to ePHI may vary greatly depending on its geographic location, and that the risks of storing or processing ePHI overseas should be taken into account in the covered entity’s risk analysis and risk management. Let’s be clear that offshore companies that meet the definition of a Business Associate must also follow the Business Associate requirements established by HIPAA. In other words, make sure that you have a Business Associate Agreement in place before any information is shared. We also recommend obtaining a copy of the offshore company’s Security Risk Analysis as evidence that they are aware of, and complying with, HIPAA, the HITECH Act, and the Omnibus Rule.
1 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)