State: Ntl. Kumetz and Cabrera: The Real Risks of Hiring Unsupervised Medical Freelancers: [2026-03-27]
Driven by inflation and declining Medicare reimbursements, U.S. medical practices are turning to an expanding pool of offshore "virtual assistants" to reduce costs. Industry data indicates there are now approximately 1.5 million Filipinos registered on international freelancing platforms, mainly serving clients in the U.S., the U.K. and Australia. However, in the rush to profit from this unregulated gig economy, the health care sector is walking into a significant federal liability trap.

The market is flooded with entities calling themselves "marketing agencies" or "staffing connectors," promising "HIPAA compliant" support staff for a fraction of the cost of a U.S. employee. Yet, this booming industry is largely based on a dangerous deception. Most of these agencies are not management companies and do not employ the workers they assign. They simply act as brokers, earning a commission by connecting U.S. doctors with independent, unsupervised individuals working from home. After the introduction, the agency disclaims responsibility, leaving physicians to hand over protected health information (PHI) to a stranger who is essentially invisible to the U.S. legal system.

The biggest mistake doctors make is thinking they can "vet" these operations remotely. A shiny website is easy to fake. Saying you're "HIPAA certified" is meaningless, as no government-sanctioned certification exists. Without physically inspecting an offshore facility, a doctor cannot verify whether clean-desk policies, biometric locks or on-site supervision actually exist.

In reality, physicians often hire phantom entities. The "U.S. headquarters" is frequently just a rented mailbox, and the actual worker is an unsupervised freelancer handling sensitive records on a personal laptop in a shared living room. Today, this risk goes beyond back-office processing; "virtual assistants" are now taking patient histories over the phone, creating PHI in real time. Without a physical facility, U.S. practices have no control over the environment where their patients' most private secrets are discussed.

This physical vulnerability is compounded by a massive legal void. A concerning reality of the offshore freelancer market is that many freelancers operate entirely in the underground economy. In the Philippines, a major hub for this labor, legitimate independent contractors are legally required to register with the Bureau of Internal Revenue and pay taxes. Furthermore, anyone handling personal data is subject to the Philippine Data Privacy Act of 2012, which mandates strict physical and technical security measures. Yet, a vast number of direct-hire "digital nomads" never register and have no permanent address. They operate as legal ghosts, bypassing local licensing laws, evading taxes and ignoring their own country's privacy regulations to maximize profit. Furthermore, they cannot practically comply with data privacy laws. As freelancers, they lack the secure systems and infrastructure required to protect their clients' data, treating the work as merely casual "gigs."

For a U.S. physician, this situation is disastrous. A business associate agreement (BAA), which HIPAA requires, is rendered useless if signed with an unregistered, legally non-existent foreign entity. In the event of a breach, regulators cannot subpoena or audit a business that doesn't legally exist. By employing these workers, doctors are handing PHI to an unregulated, unlicensed or illegal organization. For a Department of Justice prosecutor, this is the textbook definition of willful neglect.

The stakes could not be higher. Cybersecurity experts estimate that a complete medical record is worth 10 to 50 times more on the dark web than a stolen credit card number. A credit card can be canceled; a medical history is permanent.

Federal regulators are aggressively targeting private practices that cut corners on vendor vetting. Advanced Care Hospitalists recently agreed to pay $500,000 to the Office for Civil Rights after failing to properly vet an individual contractor's security protocols. Similarly, Heritage Valley Health System agreed to a $950,000 settlement following a breach caused by a third-party vendor. You cannot outsource your liability.

The risk extends beyond civil fines to federal criminal charges. Under 42 U.S.C. § 1320d-6, the unauthorized access to or disclosure of health information is a federal crime punishable by one to 10 years in prison. In United States v. Huping Zhou (9th Cir. 2012), a researcher was sentenced to prison simply for accessing patient records without permission. The government did not have to prove intent to sell; "knowingly" accessing the files was enough. When you hand network credentials to an unvetted gig worker, you are inviting a criminal investigation that will trace directly back to you.

It is true that no system is entirely immune to threats. However, the law distinguishes between a sophisticated breach and gross negligence. Professional offshore management firms heavily invest in state-of-the-art security, leveraging enterprise platforms like Microsoft Azure to monitor, detect and respond to threats in real time. A freelancer working from a home router does not have the infrastructure to detect an intrusion, much less stop one.

To protect their practices, physicians must demand the same standard of care offshore as they do domestically. This requires engaging a vendor with a verifiable physical presence — one that employs its staff directly within a controlled structure, backed by U.S.-based assets and U.S. jurisdiction.

Hiring an unsupervised independent contractor might save a practice $5 an hour. But saving $40 a day is not worth risking a medical license, a reputation and personal freedom. You cannot sue an overseas freelancer who has no U.S. assets. If a data breach occurs, federal regulators will not be looking for the worker abroad. They will be looking for someone they can reach in the U.S.

Fred Kumetz is a California attorney with more than 40 years of legal experience and 25 years of operational expertise in the international outsourcing industry. Alexander Cabrera is an attorney, a certified public accountant and the former chairman and managing partner of PricewaterhouseCoopers Philippines.