
Quarter 2 2019 - Volume 24, ISSUE 2

HBMA RCM Advisor: The Journal of the Healthcare Business Management Association


 

We Must Be More Than Just Aware of Our Offshore Vendors

Navigating regulations overseas.


The digital revolution is in full swing, as paper processes disappear across industries. Mail volumes declined by 5 billion pieces, or almost 4 percent, in 2017, according to the United States Postal Service. Online shopping increased six times faster than brick-and-mortar shopping during the 2017 holiday shopping season (First Data), while a record 7,000 retail stores closed or were set to close in 2017 (Fung Global Retail and Technology). The world we live in is being shaped by tech giants like Apple, Amazon, and Uber who are giving us access to more and more at our fingertips. Yet the healthcare industry has somehow managed to resist the digital revolution and continue to rely on inefficient paper processes.

Not too long ago, we were asked a question regarding a CMS requirement for plan sponsors to account for the identification of offshore vendors. Specifically, does the requirement of identification of offshore vendors and activities apply to RCM companies?

This question was sparked by an article we published regarding a final rule issued by CMS that removed certain requirements for plan sponsors and their first tier, downstream, and related entities (FDRs). In recent years, CMS has required plan sponsors to oversee their FDRs, and plan sponsors would in turn ask FDRs to attest to having the following compliance elements implemented:

  • Written policies and procedures and standards
  • Exclusion list screening
  • The availability of a system to receive reports (reporting mechanism) of suspected noncompliance and/or fraud, waste, and abuse (FWA) that is confidential, allows anonymity, and includes a policy of non-intimidation and non-retaliation
  • Monitoring and auditing downstream entities
  • Identification of offshore contractors that are responsible for functions involving PHI
  • General compliance and FWA training (the “deeming exception” applies)

Of these elements, as of 2019, CMS is no longer requiring plan sponsors to ensure that annual general compliance and FWA training on unmodified CMS content is being completed by FDRs and their employees. However, CMS did mention that plan sponsors may develop and distribute training materials to FDRs, and still require FDRs to attest that the training was completed. For that reason, training on general compliance and FWA is still encouraged to ensure organizations are remaining compliant.

All other elements are still requirements and are important for healthcare organizations that directly or indirectly contract with federal programs to have in place. The reason I mention healthcare organizations is that the requirements do not extend only to first-tier entities. In fact, these requirements also extend to downstream and related entities, and identification of offshore vendors is not excluded.

OIG Report
Almost five years ago, the OIG issued a report to CMS and OCR.[1] In that report, the OIG mentioned that for PHI that went to contractors operating outside the United States, there might be limited means to enforce the provisions of the business associate agreements (BAAs). While OIG’s review was limited in scope to state Medicaid agencies, the report points out that the requirements for safeguarding PHI through reliance on BAAs alone would be the same for all HIPAA-covered entities, as well as their contractors and vendors. Some of the OIG’s specific guidance issued in the report includes the following:

  • BAAs did not specifically address the offshore outsourcing of functions involving PHI.
  • Security risks greatly increase when administrative functions that involve PHI are outsourced offshore.
  • Most countries do not have privacy protections equivalent to those of the United States to support HIPAA compliance.
  • Warehousing of data offshore highlights the risks to the confidentiality, availability, and integrity of PHI faced by healthcare organizations (including RCM companies) that send data overseas.

In other words, organizations that send PHI offshore may have limited means of enforcing provisions of a BAA. Therefore, relying on a BAA alone is not enough and may not be of much value to ensure that PHI is adequately protected.



OCR Guidance
Just a few years after the OIG report, the OCR issued guidance on HIPAA and cloud computing.[2] As part of its guidance, the OCR stressed the importance of entering into a BAA with a cloud service provider (CSP) and acknowledged the potential risks of offshore activities. For example, the OCR’s frequently asked questions section included the following question:

Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?

In summary, the OCR answered this question by saying yes, as long as the covered entity or business associate enters into a BAA with the CSP and otherwise complies with the applicable requirements of the HIPAA rules. Also, while the HIPAA rules do not include requirements specific to ePHI that a CSP, or any other business associate or subcontractor, processes or stores outside of the United States, “OCR notes that the risks to such ePHI may vary greatly depending on its geographic location.” From there, the OCR said that “outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations with respect to enforceability of privacy and security protections over the data.” To assess these risks, the OCR suggests taking them into consideration when conducting the security risk analysis (SRA) and risk management that are required by the HIPAA security rule. This includes determining such risks as whether the ePHI is maintained in a country where there are documented increased attempts at hacking or other malware attacks. If so, these risks should be considered significant, and appropriate technical safeguards to address such threats must be implemented.

Real-World Example
I had the opportunity to be an expert witness in a case, just a few short years ago, wherein a medical professional hired vendors (software engineers) to help develop the software and ensure patient data was properly managed. At some point, these software engineers decided to subcontract data storage responsibilities to an offshore vendor. What the software engineers sent offshore for storage included several years of patient medical records (that were supposed to eventually be scanned into the system). The medical professional and his vendors had a contract in place to pay for work being performed, but they failed to execute a BAA.

After several months of working together, the medical professional and vendors had a falling out. As a result, work was not being performed, payments were not being made, and communications were cut, including with the offshore vendor responsible for storing the medical records. In fact, the offshore vendor was never located and the whereabouts of thousands of medical records are still unknown.

Ultimately, the provider and vendors had no idea who this offshore vendor really was and failed to have anything in place to ensure the information would be properly safeguarded. It’s this type of scenario that explains why CMS, OIG, and the OCR are very concerned with offshore vendor activities.

When Might Your Organization Be Asked to Identify Offshore Vendors?

While very few RCM companies may be asked to actually complete an attestation from a plan sponsor, RCM companies usually are considered downstream entities. We like to think of this as a “not if, but when” situation. In other words, RCM companies should be prepared in the event they are required to attest. Usually, this would be in the form of an attestation to a provider; however, on rare occasions, plan sponsors may contact an RCM company directly and ask for identification of offshore vendors and an attestation that PHI used for functions offshore or overseas is handled in a HIPAA-compliant manner. For example, at a minimum, you may be asked for the following:

  • Do you contract with a vendor that operates in an offshore location (non-U.S. location) that handles PHI as defined under HIPAA?
  • If yes, please provide a list including vendor name (e.g., ACME Billing Company), their functions (e.g., billing and coding), location, and if a BAA is signed.

Lately, we have seen organizations being required to provide additional information. In other words, simply identifying the vendors is not enough. Plan sponsors have been asking FDRs to provide information regarding the offshore vendors they contract with, such as:

  • Describe the PHI that will be provided to the offshore vendor.
  • Discuss why providing PHI is necessary to accomplish the offshore vendor’s objective.

Organizations are also being asked to attest that their offshore arrangements ensure policies and procedures for safeguarding PHI and other personal information. In some instances, they are asked to attest that the arrangement prohibits access to any data beyond what is necessary for offshore functions, includes an agreement and process that allows for immediate termination upon discovery of a significant breach, and addresses other HIPAA requirements.

Conclusion
Healthcare organizations, including RCM companies, may be required to identify their offshore vendors. As part of that process, you may be asked to attest that PHI is being used in accordance with HIPAA requirements. And while enforcing HIPAA requirements overseas is very difficult, healthcare organizations may be held accountable for the functions or activities that involve the use and storage of PHI and other data outside of the United States.

We recommend RCM companies take a few moments to consider what PHI is being used or stored by all their vendors, including offshore vendors. Have you made sure BAAs are in place? Have you determined if PHI and data being used or stored is necessary for the intended functions of the vendors? Have you made sure vendors have a compliance plan in place that addresses all HIPAA requirements? By completing these steps, RCM companies can demonstrate they are doing their due diligence and are more than just aware of all vendors, including offshore vendors.


Chad Schiffman joined Healthcare Compliance Pros in 2014 as the director of compliance. Schiffman’s seasoned background includes over 20 years combined experience in healthcare, information technology, and compliance consulting services. He is primarily involved in consulting with healthcare clients about their HIPAA and HIPAA HITECH-related issues, including breach determination, breach mitigation, and corporate compliance. 


References
[1] https://oig.hhs.gov/oei/reports/oei-09-12-00530.asp
[2] https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html