HIPAA FAQ — ePHI Storage

This series of blog posts features FAQs regarding the HIPAA Security Rule.

Can Electronic Protected Health Information (ePHI) be stored outside the US?

The Affordable Care Act changed the reimbursement model and has forced providers to cut costs. Health IT (HIT) is turning to the cloud so they can do more with less in modern healthcare. Infrastructure as a Service (IAAS), Platform as a Service (PAAS), and Software as a Service (SAAS) offerings raise several HIPAA compliance questions. I have been asked by several clients if HIPAA requires ePHI to be stored within the borders of the United States. Although HIPAA does not require ePHI to be stored domestically, it can be very difficult in respect to issues of personal jurisdiction, venue, service of process, conflicts of laws, and significantly different data protection laws.

Just because ePHI crosses the border, does not mean that HIPAA security rule requirements do not apply. Covered Entities (CEs) and Business Associates (BAs) are still responsible for reasonable protection of ePHI. I have often cautioned clients to keep data stateside, if possible. Covered entities should always document the business associate’s level of access and which party is responsible for what implementation specification. Some cloud providers will argue that they should be considered a conduit and not a business associate under HIPAA. I will cover more of the conduit vs. business associate in another post. A cautious, covered entity should require a business associate agreement of anyone that could impact the confidentiality, integrity, or availability of ePHI.

Additional Resources
Health Plans, the Cloud, and HIPAA Privacy and Security (americanbar.org)