Offshore HIPAA Business Associates Pose Extra PHI Risks, but Have Incentives to Self-Regulate

Published: 2010-03-02 19:16:21
Author: Atlantic Information Services, Inc. | February 17, 2010

As providers move to cut operational costs, many are taking their business associate (BA) dealings offshore. And while sending protected health information overseas can be a risky endeavor for patients and health care organizations, one expert says the process has built-in safeguards, including financial motivators on the BA side, which can make working with offshore business associates as safe as, if not safer than, working with those in the U.S.

Services such as medical transcribing, coding and billing are commonly being outsourced these days, with cost being the major driver, says security expert Ali Pabrai, the CEO of ecfirst in Newport Beach, Calif. “You know the Thomas Friedman book The World is Flat? The only thing I would add is that it’s getting flatter,” he says, referring to the increasing opportunity for international business competition. “There’s a significant differential in getting the same services outside the U.S., purely in terms of economics.”

Offshore contracting can have operational benefits as well, according to Brian Annulis, an attorney with Meade & Roach in Chicago. In what’s known as “nighthawking,” a radiologist in Iowa can send X-rays overnight to a radiologist in India, who reads them and prepares the preliminary results. The U.S.-based radiologist comes in the next morning and reviews the pre-report from India, signs off on an order, and is able to get the results to the patient as quickly as possible. It’s a means of client management and building relationships with patients, says Annulis. The recent CMS transmittal requiring providers to report the precise location where diagnostic tests are interpreted when submitting Medicare claims could have an impact on “nighthawking,” though that impact is unclear since the U.S. doctor is ultimately signing the order.

These kinds of offshore dealings come with obvious privacy risks. In a chilling 2003 scenario, a woman in Pakistan, at the end of a long chain of subcontractors hired to do transcription for the University of California San Francisco Medical Center, threatened to expose confidential patient records on the Internet unless the university helped get her money she was owed, reported the San Francisco Chronicle. (She eventually withdrew her threat when one of the subcontractors sent money.)

Is Your PHI Going Offshore?

This highly publicized event illustrated the perils of outsourcing PHI — but did not slow the trend. The GAO released a report in 2006 stating that “federal contractors and state Medicaid agencies widely reported domestic outsourcing of services involving the use of personal health information.” And, in a finding that would prove surprising to patients, it said that “the reported extent of offshore outsourcing by vendors may be understated because many federal contractors and agencies did not know whether their domestic vendors transferred personal health information to other locations or vendors.”

Experts interviewed by RPP say that the economic downturn has contributed to the increased use of offshore business associate contracts.

U.S. Law Does Not Apply

As the GAO report highlighted, a lot of health information ends up overseas because business associates pass on work to their offshore affiliates, says Reece Hirsch, a San Francisco attorney with Morgan, Lewis & Bockius LLP. Fortunately, in these cases, the BA has a nexus in the U.S., so U.S. law is applicable and enforceable. The CE can rest easy and write a standard BA agreement that, under the HITECH Act, is subject to enforcement by the federal government.
