
Can international companies be business associates?

Business associates that work for US-based companies are subject to HIPAA regulation even when they are based outside the United States, just like domestic business associates. These regulations include:

The Privacy Rule

This rule sets standards for how PHI may be used and disclosed; international business associates must ensure that PHI is accessed and shared only as necessary. They must also respect individuals' rights over their health information, such as the right to obtain and review their health records.

The Security Rule

This rule requires business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). For an international company, this might involve using secure communication channels, providing data encryption, implementing access controls and audit trails, and regularly evaluating security practices to manage potential risks and vulnerabilities.

The Breach Notification Rule

Under this rule, business associates must report any breach of unsecured PHI to the covered entity they serve and, in certain circumstances, to the affected individuals and the U.S. Department of Health and Human Services (HHS). This notification must occur without unreasonable delay and in no case later than 60 days following the discovery of the breach.

See also: Do international companies have to abide by HIPAA?

How to ensure your business associate is HIPAA compliant

Conduct thorough vetting before partnership

Research the potential business associate's history with HIPAA compliance. Ask for references or case studies demonstrating their compliance with past clients or projects.

Review their HIPAA compliance policies

Request to see their written HIPAA compliance policies and procedures. Ensure they have up-to-date and comprehensive policies covering the Privacy, Security, and Breach Notification Rules.

Ensure a signed business associate agreement (BAA) is in place

Draft or review a BAA that explicitly outlines the responsibilities and expectations regarding PHI. Ensure the agreement includes terms about how PHI will be used, safeguarded, and disclosed.

Monitor breach notification protocols

Verify their process for detecting, reporting, and responding to PHI breaches. Review whether they have a clear protocol for notifying you in the event of a breach.

Establish clear communication channels

Have designated contacts within the organization for HIPAA-related inquiries and issues. Ensure that they use HIPAA-compliant email to provide additional protection.

See also: What does it mean to be a business associate?
