GovInfoSecurity reports on the issues around storing personal information on offshore servers. For health care organizations that rely on offshore vendors to handle protected health information, it is important to understand that while U.S.-based entities are not prohibited from such practices, there are parts of HIPAA, as well as other privacy laws, that apply, the report states. Kirk Nahra, CIPP/US, explained, "There are a handful of rules in various other parts of the healthcare system — some Medicare Advantage and Part D provisions — that impose other limitations, but there is a lot of confusion about this." David Holtzman, CIPP/G, vice president at CynergisTek, said, "There needs to be a sound, effective program for identifying and managing the risks associated with offshore vendors who will be creating, maintaining or transmitting electronic-PHI."