Q&A: Storing PHI outside the United States

September 3, 2020
Medicare Web

Q: Does HIPAA allow a covered entity or business associate to use a cloud services provider (CSP) that stores protected health information (PHI) on servers outside the United States?

A: Yes, as long as a business associate agreement is executed between the covered entity or business associate and the CSP. A number of covered entities prohibit PHI from being stored outside the U.S., but this would be a contractual term and not a HIPAA mandate. It’s advisable to make sure there are no laws in the country where the data will be stored that permit the sharing of PHI by the CSP other than as permitted pursuant to HIPAA. Also, HIPAA does not directly regulate overseas vendors. HIPAA is enforced in this case by contract.

Editor’s note: Chris Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
