Data Privacy And Offshore Business: 6 Things To Know
Healthcare institutions and their business associates covered by the Health Insurance Portability and Accountability Act (HIPAA) have to balance getting excellent and affordable IT services against securing the privacy and confidentiality of their patients' personal and medical information.
They often outsource the design and development of their healthcare information management systems, and they must still comply with the HIPAA rules and regulations while doing so. The challenge is compounded by the growth of offshore outsourcing of both software development and business process operations.
Outsourcing HIPAA Regulated Systems
If you're planning to outsource your healthcare information management system to a nearshore or offshore vendor or contractor, here are some of the things you need to know, whether the outsourced work is software development or business process operations:
1. What HIPAA Compliance Requires
HIPAA doesn't only cover hospitals and healthcare institutions. Its regulations and requirements apply to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and to every organization that creates, receives, maintains, or transmits protected health information (PHI) on their behalf, including electronic PHI (ePHI). This scope covers their business associates (BAs), such as professional consultants, suppliers, nearshore and offshore vendors, and other third-party resource providers.
Below are some of the patient identifiers that healthcare institutions and their business associates are required to protect when they appear together with health information:
- Names of patients
- Addresses
- Dates directly related to an individual, such as dates of birth, admission, and discharge
- Contact information, such as telephone numbers and email addresses
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Full-face photographs and comparable images
- Biometric identifiers, such as fingerprints and voiceprints
- Results of medical examinations
- Medical imaging results
- Other personal medical information
Nearshore and offshore companies that handle ePHI have to comply with the same HIPAA requirements. When US-based healthcare institutions or their business associates outsource the software development of their healthcare information management systems to nearshore or offshore companies, those third-party vendors become business associates and are covered by the HIPAA compliance requirements.
A practical example is a US-based hospital that bids out the design and development of its healthcare information management system. If the contract is won by a software development company based in India, Singapore, or the Philippines, that company has to comply with the HIPAA regulations and requirements.
The same applies when hospitals, medical centers, and other healthcare institutions outsource their medical transcription processes to nearshore or offshore third-party vendors or contractors.
2. HIPAA Rules
Here are some of the things about the HIPAA that businesses should know if they’re planning to outsource a business process that comes in contact with ePHI to offshore or nearshore operations:
- Privacy Rule
The Privacy Rule is the heart of HIPAA. It sets the standards for who may use and disclose PHI (in any form, not only electronic) and for what purposes, and it requires every covered entity and business associate that handles PHI to protect patients' data from access by unauthorized persons, whether potential or actual.
For covered institutions, this means making sure that the software development companies they contract with for their healthcare information management systems and database development projects comply with the Privacy Rule, under a written business associate agreement (BAA). The same obligation flows down to the nearshore and offshore software development companies and other subcontractors of the US-based companies they deal with directly, each of which needs its own BAA with the party that engages it.
Offshore and nearshore software development contractors are required to implement measures that safeguard the privacy and confidentiality of ePHI. The covered institutions are required to document the measures, mechanisms, and procedures they've put in place to ensure that their business associates and nearshore or offshore contractors comply with the Privacy Rule.
- Security Rule
The Security Rule sets the standards for protecting the confidentiality, integrity, and availability of ePHI, and for how ePHI should be handled by the people and systems that process it. It includes requirements to set up safeguards and procedures for the storage and transmission of ePHI, such as access control, audit logging, authentication, and transmission security.
The Security Rule also applies to nearshore or offshore companies that take on software development projects that would handle ePHI, including business process outsourcing operations. As long as the business associate or outsourcing contractor will be given access to ePHI, it is required to comply with the HIPAA rules and regulations.
The practical implication is that US-based institutions covered by HIPAA have to make sure that the third-party vendors or contractors they deal with have set up their own mechanisms and procedures for complying with HIPAA. If those business associates further subcontract the project to nearshore or offshore companies, the covered institution also has to make sure that every participant in the chain has set up its own compliance measures.
All covered institutions and their business associates are required to implement safeguard mechanisms, measures, and procedures in three main areas. These are administrative safeguards, physical safeguards, and technical safeguards.
3. Documentation
The covered institutions and their business associates should require the nearshore or offshore contractors or vendors to provide a documentation system that would meet the HIPAA compliance checklist of the covered institution. This means that the nearshore or offshore contractor or vendor should document the various measures, mechanisms, and procedures that they’ve set up within their own companies to comply with the HIPAA regulations.
The nearshore or offshore contractor or vendor should document the administrative safeguards that they’ve put in place to comply with the HIPAA regulations. For example, if they’ve come up with an internal company manual of policies and rules on data governance specifically for HIPAA compliance, they should give a copy of this document to the covered institution or business associate they’re dealing with. They should also include the point-of-contact and key offices responsible for the implementation of their internal administrative safeguards.
The nearshore or offshore software development contractor or business processing vendor should also document the physical safeguards they've put in place to comply with the HIPAA regulations, including the physical access barriers that control which people can reach the facilities, workstations, and servers that hold ePHI.
An example is biometric access control on the doors to their operations floors and offices. They should document this and report it to the covered entity or business associate they're dealing with. They should likewise document any CCTV cameras that monitor the ingress and egress of people, and any password and other access restrictions on their computer workstations and database servers.
The nearshore or offshore software development vendor or business processing contractor should also document the technical measures, mechanisms, and procedures they've put in place to safeguard ePHI, including the system of access restrictions and permissions they've deployed on their database servers, computer workstations, and cloud infrastructure.
An example is when the covered entity gives the nearshore or offshore software development vendor access to its ePHI database. The vendor or contractor has to document how its officers and employees will be granted access to the ePHI database, how access permissions and restrictions will be provisioned and revoked, and who approves and periodically reviews them.
If the third-party vendor or contractor is going to set up cloud infrastructure for access to the ePHI database, they should document the technical measures, mechanisms, and procedures they'll put in place to safeguard that access.
For example, they should document the access control and restriction system for the cloud servers that will contain the ePHI database. They should also document how their officers and employees are given access to the cloud user accounts from which all or parts of the ePHI database could be downloaded, handled, processed, or stored. And they should document how they've restricted the transfer of ePHI from those cloud-based accounts to external endpoints, removable storage devices, or drives.
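A concrete form that access-provisioning documentation can take, as an added example that is not part of the original article: a small Python script that compares an exported list of database grants against the vendor's documented role policy and flags excess privileges, schemas a role may not touch, destructive rights on the production ePHI schema held outside a named break-glass account, and overdue access reviews. The role names, schemas, accounts, and grants below are all constructed for illustration; a real review would read the policy from the vendor's documentation and the grants from the database itself.

```python
"""Added example (not from the original article): a minimal access-provisioning
review for an ePHI database, of the kind a vendor could attach to its technical
safeguard documentation. Every role, schema, account and grant is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical role policy: the privileges and schemas each job role may hold.
ROLE_POLICY = {
    "developer": {"privileges": {"SELECT"}, "schemas": {"ephi_deid"}},  # de-identified data only
    "support":   {"privileges": {"SELECT"}, "schemas": {"ephi_prod", "ephi_deid"}},
    "dba":       {"privileges": {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER"},
                  "schemas": {"ephi_prod", "ephi_deid"}},
}
DESTRUCTIVE = {"DELETE", "ALTER"}          # only break-glass accounts may hold these on production
BREAK_GLASS_ACCOUNTS = {"svc_breakglass"}  # hypothetical named emergency account
PRODUCTION_SCHEMA = "ephi_prod"


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    privileges: frozenset
    schema: str
    last_reviewed: date


def review_grants(grants, today, max_review_age_days=90):
    """Return a list of (user, finding) tuples for grants that violate the policy."""
    findings = []
    for g in grants:
        policy = ROLE_POLICY.get(g.role)
        if policy is None:
            # An account whose role is not in the documented policy cannot be justified.
            findings.append((g.user, f"role '{g.role}' is not in the role policy"))
            continue
        excess = g.privileges - policy["privileges"]
        if excess:
            findings.append((g.user, f"privileges beyond role '{g.role}': {sorted(excess)}"))
        if g.schema not in policy["schemas"]:
            findings.append((g.user, f"role '{g.role}' may not access schema '{g.schema}'"))
        if (g.schema == PRODUCTION_SCHEMA and g.privileges & DESTRUCTIVE
                and g.user not in BREAK_GLASS_ACCOUNTS):
            findings.append((g.user, "destructive privileges on production outside break-glass"))
        age = (today - g.last_reviewed).days
        if age > max_review_age_days:
            findings.append((g.user, f"access review overdue ({age} days since last review)"))
    return findings


def users_with_findings(grants, today):
    """Sorted list of accounts that need attention before the next review sign-off."""
    return sorted({user for user, _ in review_grants(grants, today)})


# Constructed sample export of current grants, as a DBA might dump it for review.
TODAY = date(2024, 6, 1)
FULL = frozenset({"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER"})
SAMPLE_GRANTS = [
    Grant("alice", "developer", frozenset({"SELECT"}), "ephi_deid", TODAY - timedelta(days=30)),
    Grant("bob", "developer", frozenset({"SELECT", "UPDATE"}), "ephi_prod", TODAY - timedelta(days=20)),
    Grant("carol", "dba", FULL, "ephi_prod", TODAY - timedelta(days=120)),
    Grant("svc_breakglass", "dba", FULL, "ephi_prod", TODAY - timedelta(days=10)),
    Grant("dave", "contractor", frozenset({"SELECT"}), "ephi_prod", TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for user, finding in review_grants(SAMPLE_GRANTS, TODAY):
        print(f"{user}: {finding}")
```

Running the script prints one line per finding (here: bob's extra UPDATE right and production access, carol's destructive rights outside break-glass and overdue review, and dave's undocumented role). That dated output, signed off by the vendor's point of contact, is the kind of evidence a covered entity can ask for at each periodic review rather than a prose assurance that access is restricted.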
4. Training On HIPAA Compliance
The covered institutions and their business associates are required to make sure that everyone who handles ePHI on their behalf is trained in the HIPAA rules and regulations. That includes the workforce of their nearshore or offshore software development vendors or business processing contractors: each vendor is responsible for training its own people, but the covered institution should verify that this training actually happens and is adequate.
These training courses should cover the salient features and points of HIPAA. They should also clearly convey the legal and technical requirements expected of the covered institutions and their business associates to comply with HIPAA. The roles, functions, responsibilities, and obligations of the business associates, as well as the nearshore and offshore third-party vendors should also be included in the training courses. The nearshore or offshore vendors must be informed of the things that they’re expected to observe, comply with, and implement.
An example is when a covered institution or business associate bids out the software development or business processing project for its healthcare information management system. If the winning bidder will be given access to the ePHI database as a necessary component of the project, then the covered institution should ensure the winning vendor's staff receive training on compliance with HIPAA rules and regulations, delivering it directly if the vendor has no program of its own.
In addition, the covered institution and their business associates should make sure that the third-party vendor or contractor is trained to have the capacity to hold their training courses for their internal teams and employees on how to comply with the HIPAA rules and regulations.
For example, if the third-party service provider or vendor who won the bidding is based in the Philippines, India, or Singapore, the covered institution should confirm that the vendor can provide and deliver training courses on HIPAA compliance to its local officers, employees, and workers. If the vendor lacks this capacity, the covered institution should facilitate the delivery of learning courses and resources to enable it to conduct its own training.
5. Action Plan
The covered institution, its business associates, and all the nearshore or offshore third-party vendors or contractors should each have an action plan for how they're going to implement their HIPAA compliance measures, mechanisms, and procedures. The action plan should cover all the compliance areas mandated by the HIPAA rules and regulations and meet the requirements on administrative, physical, and technical safeguards.
The covered institutions should also make sure that the nearshore or offshore third-party vendors or contractors who won the software development or business processing projects should have their internal action plans on how to comply with the HIPAA rules and regulations. The action plan of third-party vendors or contractors should outline and provide enough information and detail on how they plan to meet the requirements to comply with HIPAA regulations. They should also provide points of contact responsible for implementation.
6. Risk Assessments And Audits
The covered institutions and their business associates should also conduct risk assessments and audits of the systems, measures, mechanisms, and procedures that safeguard ePHI; the Security Rule requires a documented risk analysis that is repeated periodically and whenever the environment changes. After all, the point of complying with HIPAA is to make sure that there's no breach of the privacy, confidentiality, and security of the databases containing ePHI.
The covered institutions and their business associates should ensure that the nearshore or offshore third-party vendors or contractors are also subjected to periodic risk assessments and audits. They can conduct risk assessments and audits on their own, or they can require the third-party vendors to conduct their internal risk assessments and audits. The point is that the covered institutions should make sure that the third-party vendors aren’t just going through the motions to feign substantial compliance with the HIPAA regulations.
The risk assessments and audits offer a good feedback mechanism and opportunity for the covered institutions and their business associates, as well as for the nearshore and offshore third-party vendor or contractors. This allows them to identify areas for further improvement, gaps in their security systems and networks, and vulnerabilities in their cybersecurity defenses. This would also enable them to assess the potential impact on their liabilities under HIPAA if a data or security breach does happen.
Conclusion
The HIPAA rules and regulations don’t just apply to US-based healthcare institutions and their business associates. Nearshore and offshore third-party vendors and business process outsourcing contractors are also required to comply with the HIPAA regulations. They have to make sure that they can meet the standards and requirements under the HIPAA as well as the compliance checklist of their principal or direct clients.