According to legal healthcare experts, risk assessment is one of the most vital aspects of patient health information security planning when working with offshore firms.
According to Julia Hesse, an attorney at Choate, Hall & Stewart LLP in Boston, companies must be very careful to protect themselves from HIPAA enforcement by properly analyzing their security relationships with outside firms. “You know that onshore entities are subject to HIPAA as covered entities or business associates, but offshore vendors do meet the BA definition,” she said.
Other experts recommended that companies weigh the pros and cons of offshoring to see whether the benefits are worth the legal risk in the event of a data breach. Amy Leopard, an attorney at Bradley Arant Boult Cummings LLP in Nashville, said “the cost and complexity of using offshore providers is becoming a real issue.” “You have to inventory your vulnerabilities, prioritize your risk and come up with a game plan in an enforcement context.” She argues that a comprehensive risk analysis is extremely important because when a breach occurs OCR will want to see a risk analysis, “and if, after a risk analysis, an organization has identified a security vulnerability and not fixed it, the OCR will not accept any excuses.” It was recommended that firms have an experienced audit response team that is well versed in the OCR process.