From a compliance exposure perspective, we believe that the HIPAA risk associated with sending PHI abroad is simply untenable. HIPAA is an American law that does not extend beyond our borders. The only way to ensure HIPAA protection abroad is to do so contractually, via a Business Associate Agreement (BAA). There is no regulatory authority abroad through which the US Government can prosecute violations of HIPAA.
Having a BAA in place with an offshore entity may afford you the appearance of contractual protections for the disposition of PHI; however, this can prove illusory. If an offshore entity breaches its BAA with a healthcare provider, the only option the Covered Entity has to obtain protection is to point to the Business Associate's contractual guarantees. If the offshore entity has no US assets, it can simply refuse to comply, and the only recourse left to the Covered Entity is to try to sue a foreign company. This process is typically unsuccessful and, at the very least, costly and time-consuming. The OIG will hold the Covered Entity responsible for the HIPAA breach. On top of all of this, the countries in which offshore coding predominantly takes place are some of the world leaders in identity theft.
If your goal is to get cheaper offshore coding, that means the coders abroad are being paid low wages and will therefore have an incentive to appropriate PHI, which is far more valuable than their pay. All of these factors present a greater risk than the possible savings afforded by cheap offshore coding.