What is considered Outside the US (or International):
For purposes of EHNAC accreditation, a location other than a State of the United States, the District of Columbia, Puerto Rico, or U.S. Virgin Islands are considered outside the US (or International). [Insular areas such as American Samoa, Guam, and Northern Mariana Islands are also deemed to be “Outside the US” locations].
Organizations Based or headquartered Outside the US
Organizations based outside the US may apply for accreditation, and must follow EHNAC’s provisions for functions performed outside the US. (see “Sites that are Outside the US”, below).
Organizations Based or Headquartered in the US with Sites outside the US
EHNAC normally accredits organizations whose main operations are in the United States, and must follow EHNAC’s provisions for functions performed outside the US. (see “Sites that are Outside the US”, below).
Sites that are Outside the US
- Site Visits Required – The following In-Scope sites must in all cases be visited, whether owned or outsourced, even if they are located outside the US:
- CA Operations
- Corporate Main Operations
- Data Center Facilities hosting the Production services
- HIE Technical Operations
- HISP Operations
- Lockbox Operations
- RA Operations
- Facilities where PHI (or, for DTAAP programs, where PII and/or cryptographic keys) is created, received, maintained or transmitted that was ever unencrypted outside of the United States. This includes, for example, support offices that have ongoing access to PHI.
- Sites Not Required — All sites handling PHI are to be reported through the application process. In certain cases, as determined by EHNAC during the application process, there may be In-scope sites that are located outside the US that are not required to be visited (such as certain support and development offices with no or minimum access to PHI).
- In such a case, EHNAC will annotate its website to disclose that the Organization has sites outside the US that were not physically reviewed.
- In the case where an In-scope site is located outside the US and is not visited (as permitted above), the Organization must provide documentation to substantiate that:
- It fully and accurately discloses to its business partners and customers that it performs services in a location(s) outside the US.
- It makes available upon request to a business partner or customer a reasonable description of all measures the Organization takes to ensure the confidentiality, integrity and availability of protected health information (as those terms are defined by 45 C.F.R. Parts 160, 162, and 164) that the Organization transmits or receives from an site outside the US.
Sites that do not require a site visit, irrespective of whether they are outsourced, include:
- Human Resources (HR)
- Product Development – where PHI and DTAAP PII or cryptographic information is not accessed and where the function is not necessary to the business for accreditation.
- Customer Service – where PHI and DTAAP PII or cryptographic information is not handled and the function is not necessary to the business for accreditation.
Site Visit Fees for a site outside the US are $4000 per day in addition to the standard Site Visit per day Fees (plus travel expenses). Fee information can be found in the Fees page and in the Accreditation Guidelines.
Some key items related to International travel are:
- Site Reviewers will travel to sites outside the US in Business class
- The candidate organization must arrange for a car and an English-speaking driver to allow for effective transportation to/from hotels, airports, and the candidate organization’s facilities.
- If English is not the primary language as referenced here: http://en.wikipedia.org/wiki/List_of_countries_where_English_is_an_official_language then the candidate organization must make accommodations for a translator to accompany the Site Reviewer for the duration of the time in the destination country.
- If the destination countries require airport exit fees or visa fees, those fees will be reimbursed by the candidate organization.
- The candidate organization must provide a cell phone with a local number to the Site Reviewer for the entire duration of the visit. If possible, the candidate should mail the phone to the Site Reviewer prior to the travel begin date. The candidate should also pre-load contact names and phone numbers into the phone prior to providing it to the Site Reviewer.
- In the event a particular destination country is on the US Department of State’s travel warnings website (http://travel.state.gov/content/passports/english/alertswarnings.html) the candidate organization is responsible for the Site Reviewer’s security for the duration of stay in such destination country. Security detail must be paid for by the candidate organization.
For more detail please see the EHNAC “Site Visit” Page.