State: Medicare Enrollee Data Sent to Unlicensed Firms in India, Philippines

Florida insurance regulators suspended a third-party health administrator firm for unlawfully offshoring sensitive claims and other data of more than 23,000 Medicare enrollees to unlicensed companies in India and the Philippines.
Under a Florida Office of Insurance Regulation order published Monday, Mirra Health’s certificate of authority has been immediately suspended for up to one year.
Regulators said Mirra Health delegated services involving Medicare Advantage enrollees’ information to the offshore firms without advance written approval or notification.
Mirra Health threatened “the safety and welfare of Florida residents,” regulators said.
The exposed sensitive health information pertains predominantly to Medicare enrollees in “chronic condition special needs” plans, the investigation found. That includes individuals needing long-term skilled nursing care and patients who have intellectual disabilities and require care in an intermediate facility. Affected individuals also included those who are federally entitled to both Medicare and Medicaid because of their health conditions.
“Mirra Health’s business practices are extremely reckless, especially when it comes to exposing the sensitive health information of vulnerable Florida residents,” said Mike Yaworsky, Florida’s insurance commissioner.
Federal regulations don’t prohibit offshoring protected health information, but companies remain responsible for what happens to that data whether it is inside or outside the U.S., said attorney Elizabeth Hodge, a partner at the law firm Akerman.
“Therefore, if an offshore business associate has a breach, though that company may be beyond the Department of Health and Human Services’ Office for Civil Rights’ jurisdiction, the covered entity is not,” she said.
Certain other HIPAA considerations can also be pertinent to offshored data. For instance, HIPAA can apply to government procurement contracts, regulatory attorney Rachel Rose said.
“A general concern, even under HIPAA and basic contract law, is what other laws a company is exposing itself to by not keeping data in the U.S.,” she said.
Any firm considering offshoring work involving U.S. patient data to third-party companies should double-check state law, Rose said.
“Whether Florida’s requirement to have certain contractual language or Texas’ requirement to keep data within the U.S. and its territories, there are express limitations” to what various states allow, she said. A new Texas law that went into effect last September requires covered organizations to ensure that patients’ electronic health records are physically maintained in the United States.
