Read the situation below and decide how you would handle it before you compare it to our expert's advice.
Question: We're a large physician practice that's considering having our medical transcription done overseas. Do we need to be concerned about HIPAA's requirements if one of our business associates should end up being a non-U.S. company?
Answer: The fact that your transcription service isn't based in the U.S. doesn't change your obligations and your business associates' obligations under HIPAA, says Robyn Meinhardt, an attorney with Foley & Lardner in Denver. "The privacy rules don't distinguish where your business associates are located - the same rules apply," she states.
In order to do business and share your patients' protected health information with a foreign vendor, you would still need to acquire a business associate agreement, Meinhardt maintains.
An interesting aspect of the BA requirements that's been spelled out in the preamble to the regs is that a covered entity is not obligated to monitor its BAs, she adds. However, "if it becomes aware of a breach or a pattern or practice which breaches the privacy provisions, then it has to take certain steps" to address the situation, Meinhardt says.
Crucial: This is an important point to keep in mind if you're considering outsourcing any functions to a foreign business associate, since the remoteness of your BAs might make it more difficult for you to become aware of any such breaches, she suggests.
Additionally, one of the big concerns raised over outsourcing such tasks to non-U.S. companies is whether the country where the work is being done affords appropriate privacy protections of its own.
Countries such as India are on the verge of "adopting a set of privacy laws that are very much like the European Union's privacy laws," notes Meinhardt. And while such laws may not be more stringent than HIPAA, they are nonetheless more stringent than general U.S. privacy laws, she remarks.
So, in addition to your business associate provisions, these non-U.S. vendors generally will be beholden to their own national privacy legislation as well, explains Meinhardt.