Health Information Compliance Alert

COMPLIANCE STRATEGIES:

Top 3 Reasons to Keep Your Patients' PHI on U.S. Soil

Is offshoring an option for you? Here's how to find out.

Your first question when contemplating the release of your patients' protected health information (PHI) to non-U.S. workers should be: What's the worst thing that could happen and how would we deal with it?

The problem: State after state has attempted to pass legislation barring organizations from sending PHI and other confidential information to workers in other countries. And like dominoes, many of those bills have failed.

However, advocates of anti-offshoring legislation have not given up their quest to mandate stricter policies for how companies can handle sensitive information.

Heed these expert tips to ensure that you enter offshoring arrangements safely and prepare for the high likelihood that something will go wrong.

1. Factor Your Financial Risk

You need to come up with some financial number that represents the amount of risk involved in sending PHI offshore, says Barry Herrin, an attorney with Smith Moore, Atlanta.

Add up these numbers to determine your total risk:

• What likely financial penalty could be associated with a breach of the agreement? For example, if there is a Health Insurance Portability and Accountability Act (HIPAA) security violation, you would factor $100 per wrongful act up to a maximum of $25,000 for that particular wrongful act.

• How often have others been successful in obtaining judgments against offshore companies for a breach of the agreement? Find out the number of zeros successful judgments contain, Herrin suggests.

• How much will it cost to find this same service domestically? What is the difference in how much you'll actually pay?

• How much will it cost if you have to go to court in the country where the PHI resides? This would include the cost of tracking down the entity, getting them into court, getting awarded the amount you want and making the entity pay that amount, explains Sue Miller of Sue Miller's HIPAA and Healthcare Services, Concord, MA.

When you're processing a large volume of information, those numbers add up quickly, Herrin notes. And that means your total risk in an offshore arrangement could be astronomical.

2. Demand Non-U.S. Parties Put Up A Financial Stake

If you decide that you're willing to accept the financial risk of an offshore service agreement, you must find a way to make that service provider establish some risk, too.

Here's how: "Ask them to make a large deposit, a security bond, an irrevocable letter of credit or an insurance policy in the U.S.," Herrin emphasizes. That financial stake may not equal exactly what you'd be entitled to in a worst-case scenario, but it would be something you could go against in a lawsuit.

Think of it like this: "A ruling in your favor is only as good as the assets you can reach," Herrin says. If you have to travel to Pakistan to recoup your judgment, you may be out of luck. Demanding some type of financial stake is similar to physicians taking out a malpractice insurance policy. If there's a ruling against the physician, that policy absorbs the brunt -- and the other party receives their judgment, he explains.

3. Add A Dispute Resolution Clause To Your Contract

While a contract won't force an offshore service provider into abiding by your terms, it does prove that you've made your best effort to ensure you're protecting the information being sent to offshore workers, Miller says.

And you shouldn't rely on the HIPAA regulation's business associate agreement provisions. "That language is just another provision of the contract," Miller says. That means you can create a contract that outlines how the service providers will handle the information you send them -- from inception to termination.

Remember: The legal system is different in other countries, so while something may seem obvious under U.S. law, it may not be so under the law of the country where your patients' PHI will reside.

The most important part of this contract is the dispute resolution clause. You must work with your chosen service provider to determine not only how you'll resolve any disputes, but also where you'll do it. For example, one of Herrin's clients agreed to travel to London to resolve any potential disputes with an Israeli service provider.

Important: Always remember, "Bad people will do bad things regardless of what they say in a contract," Herrin says. If your offshore company refuses to appear in your chosen arbitration location, you're on the losing side.

The bottom line: Before you enter into an information-sharing arrangement with an offshore worker or company, be sure you have tallied up your risks. And if you aren't certain that your savings will outweigh your risks, don't do it, experts urge.
