Overview
Unlike other sectors, US healthcare businesses must reconcile cost-saving strategies with stringent compliance obligations, especially when patient data crosses national borders or is accessed overseas.
In Depth
As healthcare companies in the United States seek sustainable strategies to reduce administrative costs, offshoring administrative, non-clinical functions has emerged as an increasingly attractive option. Global labour markets offer access to skilled professionals at wages that may be lower than in the US, which enables cost efficiencies for US providers and health plans.
However, because of patient data privacy concerns, healthcare offshoring presents a unique legal and regulatory challenge. Companies must navigate the web of US state restrictions on the access or storage of patient data outside the US.
HIPAA’s Extraterritorial Flexibility
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the primary federal law that protects patients’ health information. HIPAA sets privacy and security standards for a patient’s health and related information, known as protected health information or PHI, that apply to healthcare providers, health plans, and healthcare clearinghouses (the “covered entities”) and to the subcontractors that handle PHI on their behalf. These subcontractors, known as “business associates”, are required to enter into Business Associate Agreements that contain provisions designed to protect PHI, and have independent obligations to protect PHI under HIPAA.
HIPAA does not prohibit PHI from being accessed or stored outside the US, despite the potential risks. If a foreign vendor violates HIPAA or experiences a data breach, the US company has limited practical recourse unless the contract contains strong, binding international arbitration provisions or the foreign vendor maintains a substantial US-based presence. The US covered entity nonetheless remains responsible under HIPAA for breach notification and for the conduct of its business associates, so the regulatory exposure stays onshore even when the data does not.
In light of this risk, many US state governments, healthcare providers, and health plans have sought to limit or prohibit the offshoring of US patient data.
Data Localisation Clauses
The most common means by which states seek to control risk is through data localisation provisions within contracts with state agencies, and through Medicaid regulatory restrictions.
In some cases, these contractual provisions require both the storage of patient data and the performance of the services to occur in the US. For example, Wisconsin prohibits contractors and subcontractors from performing work outside the US that involves access to or disclosure of patient health and related information. Similarly, Texas’ Uniform Managed Care Contract requires Managed Care Organisations (MCOs) to provide all services within the US. It further requires that all information obtained by the MCO or a subcontractor pursuant to the Managed Care Contract be “stored and maintained within the United States”.
Examples of other states with regulatory or executive order restrictions that prohibit offshoring include Arizona’s Health Care Cost Containment System programme, and executive orders in Ohio, Missouri, and New Jersey.
Legislative Prohibitions on US Healthcare Offshoring
The most direct manner in which regulation has sought to prevent the storage of patient data outside the US is state legislation that simply prohibits it.
Florida’s Electronic Health Records Exchange Act, for example, requires healthcare providers that use certified electronic health record technology to ensure that patient information in qualified electronic health records stored in an offsite physical or virtual environment is physically maintained in the continental US, its territories, or Canada. A healthcare provider’s licence is conditioned on submission of an affidavit attesting to compliance with this requirement, and a failure to maintain compliance could result in professional discipline.
In Texas, Senate Bill 1188 has passed the Senate and, if enacted, will require that certain medical facilities, healthcare providers, and governmental entities ensure that electronic health record information of Texas residents is stored in the US.
Both states are attempting to balance the risks of exporting US patient data to other jurisdictions against the operational need to access that information from abroad: access from outside the US remains permitted, provided the storage or physical maintenance of the information stays inside the US.
Comprehensive Consumer Privacy Laws Impacting Healthcare Offshoring
A growing number of US states have enacted, or are in the process of enacting, broad-based consumer privacy laws that, although not focused on the offshoring of patient data, could spill over to prohibit or restrict those sorts of data transfers. These comprehensive privacy laws may be broad enough to encompass practices relating to the treatment of patient health information and, in some cases, specifically provide that health information is within scope.
California Civil Code Section 1798.140(ae)(2), for example, defines “sensitive personal information” to include “personal information collected and analyzed concerning a consumer’s health”. Recent bills in Connecticut, Iowa, and Montana reflect the wave of broad privacy protections that states have enacted, and the trend includes more than 20 other states.
Healthcare companies should therefore consider the applicability of comprehensive state privacy regimes to the potential offshoring of patient information.
CMS Guidance and Federal Contractual Oversight Relating to Medicare Advantage Plans
The Centers for Medicare & Medicaid Services (CMS) has not prohibited offshoring but has issued guidance that increases compliance expectations for federal healthcare contractors and Medicare Advantage Plans.
CMS requires Medicare Advantage Organisations (MAOs) to obtain from healthcare providers who use offshore vendors detailed information regarding the offshore vendors’ safeguards protecting patient information. The provider must submit a signed attestation certificate to the MAO, to meet CMS requirements under 42 C.F.R. § 422.503. CMS maintains the authority to audit compliance and may penalise MAOs for failing to manage offshore risks adequately. These provisions are included in downstream contracts with healthcare providers and require the healthcare providers to ensure their downstream subcontractors or business associates comply with them.
Contractual Barriers to Healthcare Offshoring
Even where HIPAA and state law permit offshoring, many healthcare providers’ and health plans’ contracts impose restrictions on their business associates. Payers and provider networks may include terms that prohibit PHI from leaving US territory or from being accessed from outside the US, or that require subcontractors to meet specific additional security requirements. Such contract clauses often impose stricter obligations than those otherwise mandated by law, and they flow down to every subcontractor in the chain.
Best Practices for Offshoring Patient Data
US healthcare companies can mitigate risk and maximise value from offshore operations by adopting the following best practices.
Adopt an Offshore Policy
Healthcare organisations and their vendors should adopt measures to collect, document, and maintain relevant information to identify offshore arrangements, impose appropriate measures in a consistent and orderly way, monitor compliance, and take action if problems arise.
Enter Into an Offshore Business Associate Agreement
Healthcare businesses should enter into a Business Associate Agreement with any offshore vendors that will access or store patient information, and develop and implement appropriate measures to address privacy and security issues not addressed by HIPAA that are unique to offshore entities.
In addition to the standard Business Associate Agreement requirements, healthcare businesses should consider including robust international arbitration clauses and requirements around cyber liability insurance coverage.
Establish Minimum Necessary Access, Encryption, and Data Retention Policies
Offshore contracting arrangements should prohibit the offshore contractor from accessing data not required to perform its services, essentially extending HIPAA’s minimum necessary rule to a broader range of protected information, and should limit the ability of offshore personnel to print, download, or archive data locally. Contractual limits of this kind are only as good as the technical controls that enforce them, so the contract should also oblige the vendor to maintain, and to allow verification of, access controls that match the agreed scope.
Additionally, healthcare companies should confirm that the offshore entity’s data retention periods are set forth in the contract and do not allow data to be held for longer than needed, with secure deletion or return of data at the end of the engagement. Healthcare companies should also require the offshore entity to encrypt data both at rest and in transit using current, industry-standard algorithms and key management. Beyond reducing the damage from a compromise, encryption that meets HHS guidance means the data is not “unsecured PHI” under the HIPAA Breach Notification Rule, so the loss of an encrypted device or file is not by itself a reportable breach.
Prepare for Data Breaches
Offshoring contracts should include policies and procedures governing the offshore organisation’s response to data breaches or other instances of non-compliance. These should cover, for example, the time frame for reporting, the level of co-operation expected during investigation and remediation, and who is responsible for determining whether a reportable data breach has occurred. HIPAA’s outer limit for a business associate to notify the covered entity is 60 calendar days after discovery; contracts commonly require notice within days so that the US company can meet its own notification deadlines to patients and regulators.
HIPAA requires that a Business Associate Agreement authorise the covered entity to terminate the contract if the business associate violates a material term. US healthcare organisations should consider whether expanded termination rights are appropriate when offshoring is involved, such as permitting termination following a data breach even absent proof that a violation of the Business Associate Agreement caused the breach.
Comply With All Applicable Laws
Contracts with offshore vendors should include all language required by applicable laws and regulations, including the HIPAA Privacy and Security Rules and, if applicable, the Medicare Advantage downstream provider requirements and state Medicaid requirements for offshoring. Healthcare companies should include a broad indemnity covering non-compliance with applicable law and make sure the indemnity is not capped by a low limitation of liability.
Undertake Annual Audits
US healthcare organisations should audit offshore subcontracts at least annually, and use those audit results to evaluate whether to continue their relationship with the vendor or take corrective action or other measures if appropriate.
Considerations for Non-US Vendors
Offshore vendors seeking to work with US healthcare companies must adapt to this fragmented and evolving landscape.
Vendors should conduct jurisdictional analyses to identify the states and client types (for example, commercial versus Medicare/Medicaid) in which offshoring is viable. Proposals by vendors to US healthcare companies should be tailored to reflect this legal context and should take into account both the type of information being offshored and the payor type.
Offshore vendors must be able to demonstrate HIPAA compliance via documented policies and training, robust security, and experience working within multi-jurisdictional legal environments.
In higher-risk jurisdictions, vendors might consider establishing US-based operations or collaborating with domestic intermediaries to minimise risk. Many offshore vendors have obtained third-party certifications, such as through the Health Information Trust Alliance (HITRUST), as a means of demonstrating their commitment to the appropriate handling of patient information.