Q&A: Outsourcing and privacy and security
Q. We’re looking into having our coding outsourced to a company based in India. I’m assuming that HIPAA does not apply to a foreign company. What are the potential HIPAA risks for us? If we discover that the outsourced company experienced a breach, would we still be liable? What do we need to be aware of in terms of HIPAA compliance?
A. You are correct in assuming that the HIPAA Privacy Rule does not apply to offshore companies, such as a coding company in India. The law defines three covered entities (CE) that must comply with HIPAA:
- Healthcare providers that transmit health information in electronic form using standard transactions
- Health plans (with the exception of workers’ compensation programs)
- Healthcare clearinghouses
There are several risks associated with outsourcing your coding to a foreign company, including:
- Data breaches (the company or its agents may disclose or sell your data)
- Data held hostage (the company or its agents may refuse to return your data as required under the contract unless you meet their demands)
- Poor-quality coding (incorrect or incomplete assignment of diagnosis and procedure codes, negatively impacting your reimbursement or subjecting your organization to increased scrutiny by reviewers)
Clearly, this is a major decision that must be considered carefully, in discussion with legal counsel and your compliance staff. Your contract with the coding company should be carefully constructed to comply with HIPAA requirements for business associates (BA) and data security. Consider a severability clause that allows you to terminate the contract at any time with or without cause in a minimum period of time. You should also restrict the data to which the company’s agents have access, to limit the impact of potential data breaches.
As a CE, your organization is responsible for protecting individually identifiable health information. Your organization is liable for any data breaches caused by your BAs, including those located outside the U.S.
Editor's note: This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.