Q&A: Applying HIPAA to cloud service providers outside of the U.S.
Q: Does HIPAA apply to cloud service providers outside of the U.S.?
A: Yes, at least from a contractual perspective. If a cloud service provider, regardless of location, uses, discloses, stores, or transmits PHI on behalf of a CE or a BA, a BAA must be executed. While HIPAA doesn’t directly regulate these vendors, HIPAA does require the execution of a BAA.
You can think of this as the same regulatory environment all BAs existed in prior to the passage of the HITECH Act in 2009 and publication of the Omnibus Rule in 2013—HIPAA compliance at that time was contractual and not regulatory. What it amounts to is if you are such a cloud service provider and you want to do business in the U.S. healthcare market, you need to comply with the provisions in the BAA, which means you’re required to comply with HIPAA by contract. If you represent the CE or BA using cloud services, you are required by HIPAA to execute a BAA and do your due diligence by evaluating vendor compliance periodically.
Editor’s note: Question answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.