Does HIPAA Apply Outside of the United States?

Modified on Tue, 13 Feb 2024 at 05:52 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The issue of whether HIPAA applies outside of the United States (that is, in foreign countries, to foreign countries, and/or to people or entities in foreign countries) consists of several components:

1. Can HIPAA apply to healthcare providers who provide care outside of the United States (and who do not provide care in the United States?)
2. For HIPAA to apply to a provider in (1) above, must there be present protected health information of an American resident receiving treatment from that provider?
3. Assuming HIPAA does apply outside of the U.S., can or will another country's judicial system enforce HIPAA, a U.S. law, against a company located outside of the U.S.?

Other considerations may apply in determining whether and when (if all) HIPAA can apply outside of the United States.

The text of the HIPAA laws and regulations does not address any of these issues or questions.

Covered entities and business associates who are interested in knowing whether HIPAA might apply outside of the U.S. should contact qualified legal counsel with their questions.

HHS mentions "outside of the US" concerns briefly. HHS has offered guidance on whether the HIPAA regulations permit a covered entity or business associate to use a CSP (cloud service provider) that stores ePHI on servers outside of the United States.

Per the guidance, the answer is "yes," provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, HHS notes, while the HIPAA Rules do not include requirements specific to the protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that the risks to such ePHI may vary greatly depending on its geographic location. In particular, outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations regarding the enforceability of privacy and security protections over the data. Covered entities (and business associates, including the CSP) should take these risks into account when conducting the risk analysis and risk management required by the Security Rule. For example, if ePHI is maintained in a country where there are documented increased attempts at hacking or other malware attacks, such risks should be considered, and entities must implement reasonable and appropriate technical safeguards to address such threats.