Offshoring protected health information (PHI) occurs any time a patient’s health information is accessed, stored, or transmitted outside the United States or its territories. With the growing use of global resources, this is becoming increasingly common, so it’s important for compliance officers to understand the implications of offshore activities that use their organization’s protected health information.
Does HIPAA allow offshoring?
HIPAA does not prohibit offshoring PHI. However, if PHI is stored or accessed abroad, organizations should address that risk in their HIPAA risk assessment and implement safeguards to mitigate potential exposure.
State laws may be stricter
While HIPAA permits offshoring, certain states have imposed their own restrictions. For example, Florida and Texas both have restrictions on offshore storage of health data. If your organization operates in multiple states, it’s essential to check all applicable state requirements.
Medicare Advantage rules
CMS requires Medicare Advantage organizations to obtain attestations from offshore subcontractors that handle beneficiary health information. Many Medicare Advantage plans extend this requirement to participating providers, sometimes prohibiting offshoring altogether unless prior authorization is obtained.
If your organization contracts with Medicare Advantage plans, review your agreements closely – many require notice, authorization, or the submission of specific attestation forms in connection with offshore activities.
For tips on how to address these and other risks associated with offshoring PHI, check out this week’s podcast.
For free resources from previous episodes, click here.