Electronic Health Records in the Global Market: Enforcing Security Overseas

Luis J. Acevedo

Abstract

ABSTRACT

As the U.S. implements its chimerical plan to contain health care costs and improve the provision of services, aided by the much desired implementation of Electronic Health Records (EHRs) technology, the possibility of an increase in the outsourcing of health care services surfaces. The ordinary citizen should be worried. The protected health information (PHI) contained in their EHRs could be at greater risk when stored, accessed or transmitted overseas. Our current federal regulatory framework does not provide adequate protection because our enforcement mechanisms to ensure the security of data do not extend beyond the U.S. borders. The remedies available to recover damages from any unauthorized use and disclosure of PHI are limited to the filing of an action for breach of contract, at the sole discretion of the covered entity or business associate.

Considering the growing trend towards the outsourcing to offshore contractors of services which provide access to personally identifiable medical data, the government should strengthen its enforcement capabilities immediately. The challenge is to toughen enforcement without excessively interfering with free trade. Amongst other alternatives available to attend to this problem, the U.S. government should amend its Medicare and Medicaid provider’s agreement, to provide an immediate measure of protection. The amendment suggested would include specific language requiring covered entities and business associates that engage in the off-shoring of health care services, as an additional condition for enrollment, to negotiate and include in their contracts with offshore providers, vendors or suppliers, a clause that would bind and subject them to the jurisdiction of the Courts of the U.S. in the interpretation and resolution of contract disputes and in the applicability of the laws regulating the security of the information contained in the EHRs of its citizens.

Furthermore, the government should amend HIPAA to address breaches occurred overseas, to impose upon such violations civil and criminal penalties and to extend its jurisdictional application overseas to allow for the possible use of extradition treaties in the enforcement and deterrence of the unauthorized use, access or disclosure of PHI contained in our citizens EHRs, under a future national EHR system.

Unless additional steps are taken to guarantee enforcement in a global market, of the security of protected electronic health information contained in our citizens’ EHRs, the physical, mental and financial well being of our citizens will be threatened.