HIPAA compliance and EU tech vendors – data security when offshoring

Data security for healthtech companies is a matter of highest importance. With increasing number of enterprises offshoring their tech solutions to Europe, the matter of compliance with US health data security regulations has become a top priority. 

Table of contents

1. HIPAA compliance outside the US
2. Data security in the EU
3. Health data special treatment
4. Europe-wide data protection
5. Thorough regulation
6. Accountability
7. Severe consequences
8. Data security and software development
9. Above and beyond
10. Level ground

HIPAA compliance outside the US

For US-based health companies HIPAA compliance is mandatory when working with patient’s protected health information (PHI). When entering into a contract with a third party, a HIPAA compliant US entity must sign a  Business Associate Agreement with any entity it is planning to give PHI access to. As much as the BAA provisions are quite straightforward in the US, the matter falls into a grey area when it comes to working with entities without US presence.

HIPAA’s lack of explicit extraterritorial reach  is a cause of concern to US health service providers, as offshoring of health data by BAs is in fact commonplace. Server farms, call centres, data analytics, transcription services, software developers with access to PHI are physically and legally located overseas. 

Data security in the EU

When it comes to EU based entities, the risk in entrusting PHI to overseas BA’s has been somewhat alleviated with the introduction of General Data Protection Regulation. Although the regulation legally covers data protection and privacy of European Union citizens and residents, it serves the larger purpose of protecting sensitive data in general. GDPR was introduced with the main goals of giving control to individuals over their personal data, and simplifying the regulatory environment for international business by unifying the regulation within the EU. 

Health data special treatment

When compared, HIPAA and GDPR bear many similarities.  One could argue that the European regulation is more thorough and stringent, as it deals with all individual data, while offering special provisions when it comes to health data. In the EU all information “related to physical or mental health of an individual” is considered health data including provision of services which reveal information about a person’s health status. This data falls under even stricter regulation under GDPR than other types of personal information. Among others, an “explicit consent” is required from the subject for processing of his or her health data. 

You may also be interested in: Doing business in Germany – 15 Useful tips

Europe-wide data protection

HIPAA is defined to regulate covered entities- health care providers, health plans and clearinghouses, and extends to their contracted BAs. It does not, however, extend legal coverage to international entities. GDPR requirements apply to all organizations processing sensitive data of persons,  whether the organization is established in the EU or elsewhere. This means that any company operating in the EU falls under strict rules of GDPR when processing personal data of any type.

From a US entity’s perspective, dealing with EU based BAs can be considered safe, and standard BA contract would be sufficient to ensure relevant data protection. As Recital 14 of the GDPR noting “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.” extends the protection of sensitive data, including health data, beyond that of residents of the EU, as it refers to “persons” without specifying their citizenship or residence.  

Thorough regulation

GDPR forced all EU entities to increase safety measures concerning storage, access, portability and access to personal data. All efforts and actions regarding data security are monitored and addressed by a Data Protection officer, who must be appointed by any company processing large amounts of sensitive data. Companies all over the EU have been putting additional data security measures in place, training employees and ensuring full compliance with the Regulation.

Accountability

GDPR compliance must be appropriately documented and provable. The regulation is founded in full accountability of both Controllers and Processors of data. Here again the European rules and HIPAA compliance measures largely overlap. The roles of HIPAA compliance officer and DPO entail similar responsibilities. A HIPAA compliant company’s relation to its BA is defined similarly to GDPR’s Data Controller’s relation to a Processor.   

Under current EU law, both the data Processor and Controller are subject to liability for infringement of GDPR. this extends to damage claims by the data subject as well fines imposed by the regulator. 

Severe consequences

The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.The more serious infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.Although HIPAA violation fines are calculated differently to GDPR’s, the european regulator is taking matters quite seriously and a violating party is sure to feel the pain of a fine. The severity of penalty is more than an effective deterrent- it also serves as a stimulant for companies to work on improving their data security beyond compliance. 

Check one of our previous articles: Language barrier in Germany? 7 things you need to know before entering the German market

Data security and software development

Software vendors, development companies, app developers form the frontline of data security in Europe. Even before the rollout of GDPR, software vendors have been making safety and security of entrusted data their top priority. For most companies, introducing the new requirements was a matter of adjusting the existing processes to comply with the Regulation. Software production is inherently prone to data theft, hacking, breaching attempts and other data-safety related hazards. Maintaining up-to-date, high levels of security is thus of utmost importance. Software houses possess extensive experience and relevant resources to address data protection. Having IT professionals at their disposal enables constant adjustments and improvements to security without the need to employ third parties.

Above and beyond

Data protection is important to developers and extends far beyond the in-house policies and GDPR requirements. The security of produced software, clients’ confidentiality, intellectual property – all require the highest levels of security. Whenever working with sensitive information – like health data, software houses introduce additional measures to ensure safety. These include, but are not limited to: signing additional NDAs, additional training for employees on the use of entrusted data, random penetration tests, hardware and software encryption, restrictions on copying and transfer of data, access limitations, multi-level authorization. 

Level ground

As can be seen, both HIPAA and GDPR are forcing firms to prioritize data security. The overlapping of requirements and restrictions makes the European regulation a sufficient base to consider entrusting EU based vendors with sensitive data. This goes for PHI as well as any other sensitive data, as GDPR was introduced with more than health in mind. The regulation levelled the ground for international businesses and enabled competition in pricing and quality rather than focusing on issues of trust.

Join itCraft’s co-founder and telemed mobile expert, Bartosz Pieslak and AI expert and co-founder of Presagen Dr Don Perugini as they discuss the current trends and the future of e-health and what you need to consider if you are launching a telemed startup or if you are looking to modernize your current medical practice.