Welcome to the Pharmacy Compliance Guide. If you’ve gotten comfortable with HIPAA, look out! While there isn’t a new federal requirement, there are some entities requesting new items that you may need to know about. Today’s topic is off-shore activities of our Business Associates. We will be discussing who is requesting this stuff, why they are requesting it and what you can do to stay one step ahead.
I’m Becky Templeton, Director of Business Development at RJHedges and Associates, and I am so very glad to be joining you all for my very first podcast experience.
Now, you may know him as the HIPAA and Pharmacy Compliance Guide, or the man with the Disaster Recovery Plan. To help work through today’s questions, Jeff Hedges, owner of RJHedges and Associates, is going to be joining us. Thank you so much, Jeff, for sharing your insights and opinions today.
When I first read today’s topic of Off-Shore Activities, I had visions of sitting beachside, sipping on a tropical drink with a little umbrella, my toes in the sand while working on my laptop. Sorry if you are all daydreaming about vacation.
Jeff, I’m sure there are several pharmacy owners listening who have received requests from either their PBMs or possibly NCPDP asking pharmacies to attest regarding off-shore activities concerning HIPAA. Can you shed some light on what this actually means?
Well, in legal terms, it states: “In accordance with the federal Health Insurance Portability and Accountability Act, or HIPAA, Medicaid and Medicare regulations, and guidance from the Centers for Medicaid and Medicare Services, or CMS, we are required to attest annually whether our Business Associates are or are not using Protected Health Information (PHI) regarding our patients’ Off-Shore or overseas activities. Your Business Associate has an obligation to ensure their subcontractors and contractors who are using Protected Health Information (PHI) of our patients, are disclosing the Protected Health Information (PHI) to persons or entities located Off-Shore.”
In layman’s terms, you need to know how your Business Associates are using your PHI and if any of it is going overseas.
My business mantra has always been “Do what you do best and contract the rest.” Pharmacy owners are doing this all the time. You have to give great customer and patient care. To do that, you need to utilize business associates to contract out some of the pharmacy’s workload, be it to other companies like billing, switches, tech or customer support. What can pharmacy owners do now to prepare for these off-shore activity requests?
To comply with these requests that are coming down from all of the PBMs, each pharmacy must contact each Business Associate that is using your PHI, especially those using electronic PHI, and have them attest, on an annual basis, whether they are using your PHI by themselves or through contractors or subcontractors at an “Off-Shore” location. As our wages here in the United States increase, you would be surprised how many companies, including software, customer service, call centers, billing companies, shoe companies, and the list goes on, are sending your patients’ PHI overseas without your knowledge.
It’s so crazy to think about the different items pharmacies have in place to help protect patient PHI: everything from encrypted servers to locked cabinets, private consulting areas, workforce restrictions, even auditory deterrents. And now to find out that some of our business associates are sending our PHI overseas, it’s really nerve-wracking. Jeff, can you share some of why the PBMs are also concerned about this practice?
Identity theft, pure and simple. Foreign nationals are not subject to our Privacy Laws. So if an Off-Shore entity’s employee steals one of your patients’ PHI and uses their identity to set up any type of fake financial account, or even worse takes over your patients’ bank accounts, there is nothing the FBI or law enforcement agencies can do about it. So you or your Business Associates are the only ones that are culpable at this point in time.
I bet if we could poll the audience right now, almost every hand would be up if we asked, “Are you surprised that this attestation is in place to prevent identity theft?” An interesting fact that I’d like to share: according to a presentation by the FBI (the Federal Bureau of Investigation, that’s right) at the 2014 Health Care Compliance Association Conference in Orlando, Florida, credit cards sell on the black market for just fifty cents, whereas a patient’s medical file is much, much more desirable, to the tune of $200 if it’s linked to a financial account. Jeff, can you share which countries are being contracted for these off-shore services?
It’s shocking, especially when you look at the countries that are working as subcontractors around the world. We all know about India, Indonesia and the Philippines. But did you know Pakistan and Iran are also subcontractors? These two countries having your patients’ PHI should make the hair on the back of your neck stand up. Would you trust them with your patients’ PHI? Our government certainly doesn’t trust them. This is why you need to know where your data is going.
You’re right. We hear about these countries via the news media reporting some type of unscrupulous event or some type of civil unrest. It’s very scary. Can you share some advice to our listeners on where they should start?
First, review your HIPAA Business Associates. There are some you are going to know have no working relationships overseas, such as your assisted living facilities, Patient Safety Organizations and probably your PSAOs.
But then you’re going to have the others you will need to validate through an attestation letter. These companies will be billing companies, software companies, shoe companies and switches; those are the top four. Your reconciliation companies are probably going to fall into this group as well.
This is also a good time to look at your PHI and all your Business Associates to make sure that all of your files are up to date. All Business Associate Agreements needed to be re-issued after March 2013 and must have been updated and in place by September 2014. If you are missing any, simply re-issue a new Business Associate Agreement to the vendor. If the Business Associate issues their own BAA for you to sign, you must READ IT FIRST. Do not sign it without reading it. Look for breach clauses, reporting clauses and waiver exclusions that are outside the context of the law. If you sign it and it does not comply with the law, you are stuck with it. The covered entity is solely responsible for issuing the Business Associate Agreement. Again, if you sign someone else’s agreement, you are stuck with it. The Business Associate Agreement is a contract between you and a vendor.
Now that you have your list together, you send an attestation letter to each HIPAA Business Associate requesting that they attest whether they do or do not use Off-Shore employees, contractors or subcontractors to perform activities such as receiving, processing, transferring, handling, storing or accessing PHI at an Off-Shore location.
Develop a document similar to the one the PBMs are asking you to sign, and ask the Business Associate to check a box with one of the two options and then send it back to you. Now you can truthfully answer the questions posed to you by the PBMs and NCPDP.
File this attestation with your file copy of the Business Associate Agreement, so that when there is an audit, you have proof of the attestation. This will now become your annual requirement.
It sounds like now is a good time to do some housekeeping of all our Business Associate Agreement files, including the agreements, PHI protocols and correspondence. Jeff, we really haven’t heard anyone else talk about this topic before. Why are you trying to bring this to everyone’s attention?
Well, since I have joined NCPDP, I’ve been working on legislation and specifically on credentialing. And I want to make sure everyone knows and understands what the pharmacy needs to do now, rather than when the PBMs come down onto the pharmacy with their regulatory compliance demands. This information has been out there, but not the knowledge of the enforcement. The attestations really aren’t that hard; they’re manageable. I think the Business Associates are going to object, but we are paying them, so they’re going to have to get used to these attestations just like we’ve had over the last several years. Overall, as we are moving forward with electronic PHI and information transcending throughout the world, we have to know about our data. We have to be aware of where our data is going. We simply can’t sit wherever we are in the United States and assume it’s going to our vendor and that we can trust our vendor to handle our PHI. They get our PHI and it’s out on the internet, and they can transmit it to anywhere in the world in a nanosecond. So we’re responsible for our own data and responsible for the vendors we choose. We have to ask them; we have to get an attestation. And we have to be able to make sure that we can show to the PBMs that our data is secure. We also have to be able to show our patients that their PHI is secure. The last thing we want to do is have our own patients’ data breached and not be able to tell them how it happened. It’s our responsibility to our patients as our friends. So we take this seriously, not because it’s a PBM requirement, not because it’s a HIPAA requirement; it could also be your information, so look at it from that point of view. So in all, let’s get ahead of the game. Let’s do our due diligence; it’s a lot easier to start this up as a requirement this year for an attestation, and this will become an annual requirement.
And when the PBMs start coming in, and we all know CVS Caremark comes in, Optum comes in, and now Humana is starting on-site verifications and credentialing verifications, we know they’re going to ask for it. So if you have the documentation readily available, these audits and credentialing visits go a lot easier. If you don’t, it’s a painful day.
I think a great way to recap our conversation: be aware, be proactive, be responsible for knowing that extra step of where your Business Associates are sending your patients’ PHI.
Jeff, thank you so much for sharing your knowledge and offering your suggestions, and for all you listeners out there, thanks for tuning in. And if you’d like to know what we’re discussing next, I do believe the topic of employee terminations is going to be discussed by the one and only Jeff Hedges, as it pertains to all things compliance here on the Pharmacy Compliance Guide.
Off-Shore Activities
To ensure we are in compliance with these federal mandates, please check the appropriate box below and return this signed attestation to us. Your failure to provide this attestation, as specified herein, constitutes a material breach of your agreement with us. An inaccurate response may constitute a violation of federal law for which penalties may apply.
Choose the appropriate statement by checking one of the boxes below:
- As your HIPAA Business Associate, our organization and our downstream and related entities DO NOT utilize Off-Shore subcontractors to perform activities that involve receiving, processing, transferring, handling, and storing or accessing PHI at an Off-Shore location(s).
- As your HIPAA Business Associate, our organization and our downstream and related entities DO utilize Off-Shore subcontractors to perform activities that involve receiving, processing, transferring, handling, and storing or accessing PHI at an Off-Shore location(s).