Due to technological advances in recent years, many U.S. companies and their business partners (BPs) are now leveraging cheaper offshore and nearshore solutions for data-related services, in which private information such as personally identifiable information (PII) is transferred in the course of business.
Although these business practices are increasingly commonplace, there remains a lack of legal clarity about the various security and privacy issues offshoring creates when such electronic data is transferred across international borders.
Specifically: no legitimate avenue exists at this time for U.S. regulators to enforce compliance of U.S. privacy laws in a foreign jurisdiction.
Ngosong Fonkem, West Virginia University College of Law 2011 (JD, MBA) and Tulane Law School 2012 (LLM), is a senior advisor at Addison-Clifton LLC, Milwaukee, where he assists U.S. and foreign companies with day-to-day compliance with U.S. trade laws and related audits, investigations, intervention, and civil enforcement proceedings, and with conducting business in Asia.
The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) trade agreement, if adopted in its current form by the U.S. government, as President Trump recently hinted it may do at a future date,1 contains a set of rules that could guide future trade agreements in addressing the enforcement of a member state’s sector-specific regulation beyond its borders, thus addressing this legal gap, as is the case with the U.S. Health Insurance Portability and Accountability Act (HIPAA).2
Prior to the conclusion of the CPTPP (formerly known as the TPP),3 no U.S. law existed that directly or indirectly provided a mechanism to enforce U.S. health care privacy law in the offshore context.
Although no U.S. law provided a mechanism to enforce U.S. health care privacy laws abroad, the seminal domestic regulation addressing the security and privacy of information in the health care sector is HIPAA, which was enacted in response to the lack of a unified system for handling patient data and the increasing use of electronic communication of Protected Health Information (PHI).
HIPAA privacy regulations require health care providers and their BPs to develop and follow procedures that ensure the confidentiality and security of PHI when it is transferred, received, handled, or shared.4
By design, HIPAA guidelines did not prescribe the specific technologies needed to safeguard PHI; this lack of specificity gave covered entities and their BPs tremendous flexibility in making compliance decisions based on their technological infrastructure and financial capabilities.
To remedy this problem, the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted to “promote the adoption and ‘meaningful use’ of health information technology.”5
The new law included several measures designed to broaden the scope and increase the rigor of HIPAA compliance. Specifically, in 2013, the Omnibus Rule set further statutory requirements that greatly enhanced a patient’s privacy rights and protections, including holding all custodians of PHI, BPs included,6 subject to the same security and privacy rules as covered entities under HIPAA.7
Penalties for HIPAA Violations
The potential penalties for non-compliance under the Omnibus Rule range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for violations of an identical provision.
Additionally, egregious violations could further result in criminal charges, including jail time.8
The Problem with Offshore Data-processing – and a Potential Solution
Clearly, HIPAA violations are serious offenses that carry severe penalties, including potential jail sentences. However, this law does not apply to situations where the noncompliance occurs outside the United States’ borders at a foreign business partner. This gap would be closed if the U.S. were to rejoin the CPTPP.
As written, the privacy provision contained in the CPTPP, when read broadly, provides U.S. regulators with the jurisdictional bridge to enforce U.S. privacy laws like HIPAA in another CPTPP member country.
The Privacy Provision
The relevant provision in the CPTPP9 dealing with privacy and security issues regarding the protection of personal information is Article 14.8, the protection of personal data.
This provision requires each member country to “adopt or maintain a legal framework that provides for the protection of personal information of the users of electronic commerce.”10 The CPTPP further provides some guidance on how member countries can comply with this regulation.11
Specifically, footnote 6 in Article 14 clarifies that:
“Party may comply with the obligation . . . by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy.”12
Based on a liberal interpretation of this language, it is reasonable to conclude that the combined HIPAA and HITECH regulations meet this obligation. Accordingly, if the U.S. were to rejoin the CPTPP, as President Trump indicated it might, and Congress ratified the agreement, the enforcement mechanisms in HIPAA and HITECH would apply in CPTPP member countries, many of which are important players in the business process outsourcing (BPO) and e-commerce industries.
Congressional ratification of the CPTPP would allow U.S. regulators to enforce HIPAA compliance beyond U.S. borders in another CPTPP member country, as they would be enforcing a CPTPP privacy obligation. Further, this would solve a legal problem inherent in outsourcing data-related services to BPs domiciled in foreign jurisdictions, as the enforcement mechanisms bridging one CPTPP member’s domestic law to another CPTPP member’s jurisdiction would expose the foreign BP to U.S. government prosecution for violations of HIPAA.
Risk-Mitigating Internal Controls
Although President Trump’s statements were significant, nothing has yet changed. The U.S. is not a party to the CPTPP at this time.
Thus, U.S. entities should continue to implement internal control measures to reduce the inherent risks involved in outsourcing business services. A recommended solution is to mandate that their BPs undertake the same duty of care as the law requires of U.S. entities. Such internal control measures could include:
1) diligently vet the privacy and security practices of potential foreign BPs to ensure that they meet HIPAA standards as part of the client and vendor selection process;
2) conduct the necessary due diligence screening to ensure that potential BPs in the supply chain are domiciled in a CPTPP member country;
3) if the foreign BP intends to subcontract certain services, determine whether those potential subcontractors are also domiciled in a CPTPP member country;
4) conduct ongoing assessments and audits throughout the lifecycle of the business relations; and
5) have a well-crafted business associate agreement inclusive of the applicable risk reducing indemnity and liability provisions.
1 Trump Hints at TPP Regret, but the Train is Leaving the Station, The Hill.
2 Note that the General Data Protection Regulation (GDPR), which is slated to go into effect in May 2018, is the European Union’s attempt to address the export of personal data within and outside the EU. The GDPR aims primarily to simplify the regulatory environment for international business by unifying the regulation within the EU.
3 Note that the CPTPP in its current form was signed on March 8, 2018, in Chile. Its earlier version, the Trans-Pacific Partnership (TPP), was signed on Feb. 4, 2016, but it did not enter into force as the U.S. withdrew from it in January 2017.
4 Summary of the HIPAA Security Rule.
5 HITECH Act Rulemaking and Implementation Update.
6 Breaking Down HIPAA Rules and Regulations: The Omnibus Rule.
7 Prior to the enactment of the HITECH Act, BPs were not directly subject to the HIPAA Privacy and Security Rules. HIPAA applied only indirectly to the BPs through their contractual duties and obligations imposed by covered entities. BPs only risked being held accountable for damages flowing from a contractual breach, and thus were not subject to the penalties imposed by HIPAA for failure to comply with the Privacy and Security Rules.
8 HIPAA Violations & Enforcement.
9 Note that the applicable clause is derived from the original TPP text, as the full text of the CPTPP had yet to be released as of Feb. 9, 2018. However, based on Annex II of the Ministerial Statement released on Nov. 11, 2017, it appears most of the original TPP text remains unchanged; only 20 TPP items are “suspended” in the CPTPP to reflect the concerns of the remaining member countries. The suspended provisions do not form the backbone of the CPTPP and will not be implemented by the parties until they agree to do so. Thus, it is reasonable to conclude that the privacy provision in the original TPP text remains intact in the CPTPP.
10 The TPP has defined “personal information” in Article 14.1 broadly to mean “any information, including data, about an identified or identifiable natural person.” USTR TPP, Chapter 14: Electronic Commerce.
11 Id. The TPP advises member countries to take into account principles and guidelines of relevant international bodies and to “encourage the development of mechanisms to promote compatibility between different regimes.”
12 USTR, TPP, Footnote . “For greater certainty, a Party may comply with the obligation in this paragraph by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy.” Chapter 14: Electronic Commerce.