By Chad Schiffman
We Must Be More Than Just Aware of
Navigating regulations overseas.
The digital revolution is in full swing, as paper processes disappear across industries. Mail volumes declined by 5 billion pieces, or almost 4 percent, in 2017, according to the United States Postal Service. Online shopping increased six times faster than brick-and-mortar shopping during the 2017 holiday shopping season (First Data), while a record 7,000 retail stores closed or were set to close in 2017 (Fung Global Retail and Technology). The world we live in is being shaped by tech giants like Apple, Amazon, and Uber who are giving us access to more and more at our fingertips. Yet the healthcare industry has somehow managed to resist the digital revolution and continue to rely on inefficient paper processes.
Not too long ago, we were asked a question regarding a CMS requirement for plan sponsors to account for the identification of offshore vendors. Specifically, does the requirement of identification of offshore vendors and activities apply to RCM companies?
This question was sparked by an article we published regarding a final rule issued by the CMS stating certain requirements for plan sponsors and their first tier, downstream, and related entities (FDRs) being removed. In recent years, CMS has required plan sponsors to oversee their FDRs; and from there, plan sponsors would ask for FDRs to attest to have the following compliance elements implemented:
Of these elements, as of 2019, CMS is no longer requiring plan sponsors to ensure that annual general compliance and FWA training on unmodified CMS content is being completed by FDRs and their employees. However, CMS did mention that plan sponsors may develop and distribute training materials to FDRs, and still require FDRs to attest that the training was completed. For that reason, training on general compliance and FWA is still encouraged to ensure organizations are remaining compliant.
All other elements are still requirements and important for healthcare organizations that directly or indirectly contract with federal programs to have in place. The reason I mention healthcare organizations is the requirements not only extend to first-tier entities, etc. In fact, these requirements extend to downstream and related entities, and identification of offshore vendors is not excluded.
In other words, organizations that send PHI offshore may have limited means of enforcing provisions of a BAA. Therefore, relying on a BAA alone is not enough and may not be of much value to ensure that PHI is adequately protected.
In summary, the OCR answered this question by saying yes as long as a BAA is entered with the CSP and otherwise complies with the applicable requirements of the HIPAA rules. Also, while the HIPAA rules do not include requirements specific to ePHI processed or stored by a CSP, or other business associates or subcontractors processed or stored outside of the United States, “OCR notes that the risks to such ePHI may vary greatly depending on its geographic location.” From there, the OCR said that “outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations with respect to enforceability of privacy and security protections over the data.” To asses these risks, the OCR suggests taking them into consideration when conducting a security risk analysis (SRA) and risk management that is required by the HIPAA security rule. This includes determining such risks as whether the ePHI is maintained in a country where there are documented increased attempts at hacking or other malware attacks. If so, these risks should be considered significant and appropriate technical safeguards to address such threats must be implemented.
After several months of working together, the medical professional and vendors had a falling out. As a result, work was not being performed, payments were not being made, and communications were cut, including with the offshore vendor responsible for storing the medical records. In fact, the offshore vendor was never located and the whereabouts of thousands of medical records is still unknown.
Ultimately, the provider and vendors had no idea who this offshore vendor really was and failed to have anything in place to ensure the information would be properly safeguarded. It’s this type of scenario that explains why CMS, OIG, and the OCR are very concerned with offshore vendor activities.
When Might Your Organization Be Asked to
Lately, we have seen organizations being required to provide additional information. In other words, simply identifying the vendors is not enough. Plan sponsors have been asking FDRs to provide the information regarding offshore vendors they contract with such as:
Organizations are also being asked to attest that they have offshore arrangements that ensure policies and procedures for safeguarding PHI and other personal information. And, in some instances, attesting that the arrangement prohibits access to any data beyond what is necessary for offshore functions, an agreement and process that allows for immediate termination upon discovery of a significant breach, and other HIPAA requirements.
We recommend RCM companies take a few moments to consider what PHI is being used or stored by all their vendors, including offshore vendors. Have you made sure BAAs are in place? Have you determined if PHI and data being used or stored is necessary for the intended functions of the vendors? Have you made sure vendors have a compliance plan in place that addresses all HIPAA requirements? By completing these steps, RCM companies can demonstrate they are doing their due diligence and are more than just aware of all vendors, including offshore vendors.
Chad Schiffman joined Healthcare Compliance Pros in 2014 as the director of compliance. Schiffman’s seasoned background includes over 20 years combined experience in healthcare, information technology, and compliance consulting services. He is primarily involved in consulting with healthcare clients about their HIPAA and HIPAA HITECH-related issues, including breach determination, breach mitigation, and corporate compliance.