From a post by Spencer Green and Stephen Page of McDermott Will & Emery:
HIPAA’s Extraterritorial Flexibility
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the primary federal law that protects patients’ health information. HIPAA establishes standards for the privacy and security of a patient’s health and related information, known as protected health information or PHI, as handled by healthcare providers, health plans, and healthcare clearinghouses, and by the subcontractors who provide PHI-related services on behalf of those healthcare providers or health plans. These subcontractors, known as “business associates”, are required to enter into Business Associate Agreements that contain provisions designed to protect PHI, and they have independent obligations to protect PHI under HIPAA.
HIPAA doesn’t prohibit PHI from being accessed or stored outside the US, despite the potential risks. If a foreign vendor violates HIPAA or experiences a data breach, there is limited recourse unless there are strong, binding, international arbitration provisions, or the foreign vendor maintains a substantial US-based presence.
But here’s what we need to remember:
If a foreign vendor violates HIPAA or experiences a data breach, there is limited recourse.
In light of this risk, many US state governments, healthcare providers, and health plans have sought to limit or prohibit the offshoring of US patient data.
Read more at JDSupra.