Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States? Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Issued by: Office for Civil Rights (OCR)
Do the HIPAA Rules
allow a covered entity or business associate to use a CSP that stores
ePHI on servers outside of the United States?
Answer:
Yes, provided the covered entity (or business associate) enters into a
business associate agreement (BAA) with the CSP and otherwise complies
with the applicable requirements of the HIPAA Rules. However, while the
HIPAA Rules do not include requirements specific to protection of
electronic protected health information (ePHI) processed or stored by a
CSP or any other business associate outside of the United States, OCR
notes that the risks to such ePHI may vary greatly depending on its
geographic location. In particular, outsourcing storage or other
services for ePHI overseas may increase the risks and vulnerabilities to
the information or present special considerations with respect to
enforceability of privacy and security protections over the data.
Covered entities (and business associates, including the CSP) should
take these risks into account when conducting the risk analysis and risk
management required by the Security Rule. See 45 CFR §§
164.308(a)(1)(ii)(A) and (a)(1)(ii)(B). For example, if ePHI is
maintained in a country where there are documented increased attempts at
hacking or other malware attacks, such risks should be considered, and
entities must implement reasonable and appropriate technical safeguards
to address such threats.
| Large Health System Restricts Provider's Use of Patient Records Covered Entity: Multi-Hospital Healthcare Provider Issue: Impermissible Use A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and, provided the nurse practitioner with remedial Privacy Rule training. ...read more |
| Wednesday, November 9, 2022 A federal grand jury in Newark, New Jersey, returned an indictment today charging an Indian national for fraudulently obtaining millions of dollars in Paycheck Protection Program (PPP) loans guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. According to court documents, Abhishek Krishnan, 40, previously resided in Wake County, North Carolina, before returning to his home country of India. After returning to India, Krishnan allegedly submitted numerous fraudulent PPP loan applications to federally insured banks, including on behalf of purported companies that were not registered business entities. ...read more |
| Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books Covered Entity: Pharmacies Issue: Safeguards A grocery store based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner so that individual protected health information was visible to the public at the pharmacy counter. Initially, the pharmacy chain refused to acknowledge that the log books contained protected health information. OCR issued a written analysis and a demand for compliance. Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the ...read more |
| Pharmacy Chain Revises Process for Disclosures to Law Enforcement Covered Entity: Pharmacies Issue: Impermissible Uses and Disclosures A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from ...read more |
|
June 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
BAA (4)
EHR Fraud (1)
Telehealth (1)
Covered Entity (40)
HIPAA Enforcement (3)
Data Breach (1)
PPP Fraud (1)
ePHI (2)
HIPAA (2)
|
