I am still looking for laws that give the patient the right to dictate who can or cannot process their medical record, but came across this and thought it might be of interest.
Excerpts from the current issue of : H I P A A / LAW: Legal Q/A
*** HIPAA and Foreign Outsourcing ***
By Steve Fox & Rebekah A. Z. Monson, Esqs., Pepper Hamilton LLP
In an effort to control spiraling costs, there is a growing trend among healthcare providers, insurers, and others to outsource to companies located in foreign countries (such as India, Mexico, or the Philippines) a variety of operations including medical transcription, healthcare data entry and processing, and billing and coding, all of which involve the disclosure of protected health information ("PHI"). Foreign outsourcing has also been generating controversy, particularly after a recent well-publicized allegation that a Pakistani woman providing medical transcription services for an American medical billing company threatened to post patient files on the Internet unless one of the company's clients in California paid her money she claimed was owed to her. As a result, California State Senator Liz Figueroa has stated that she will propose legislation prohibiting overseas transfer of medical information...
QUESTION: To what extent does the HIPAA Privacy Rule (the "Privacy Rule") govern contracts with foreign contractors and subcontractors?
ANSWER: Contractors and subcontractors, whether foreign or domestic, are generally not directly covered by the Privacy Rule. However, the business associate agreement requirements imposed on covered entities with respect to their business associates will usually apply.
... A covered entity is permitted to disclose PHI to a business associate if the covered entity obtains satisfactory assurances in the form of a written contract or agreement that the business associate will "appropriately safeguard" the information.
...Consequently, when deciding to outsource services to a company in a foreign country, covered entities should closely scrutinize the company, its operations and procedures, its reputation in the industry and compliance plans for handling PHI. Additionally, covered entities can utilize various methods to ensure confidentiality such as storing medical records and documents on a secure server and not providing access to external email, printers or disk drives so as to limit further disclosure of the PHI. Finally, covered entities can (and should) contractually require their business associates to take additional measures to ensure confidentiality, such as requiring the business associate to train their employees worldwide on HIPAA compliance.
Despite all of these precautions, however, all extra-territorial contracts must be carefully analyzed, negotiated, and approached with extreme caution.
Read past HIPAA Legal Q/A articles:
HIPAA LAW/OUTSOURCING
HIPAA Advisory website
Nae
[ 02-23-2004: Message edited by: Nae ]