Can HIPAA Data Be Stored Outside the US? (w/Examples) + FAQs

Yes, HIPAA data can be stored outside the United States. The Health Insurance Portability and Accountability Act does not contain a data-residency rule that forces protected health information (PHI) to stay on U.S. soil. That surprises most people, because privacy laws in Europe, Canada, and Asia often do require local storage.

The real problem is that HIPAA holds the covered entity or business associate fully responsible for every byte of PHI, no matter where it lives. The HIPAA Security Rule at 45 CFR Part 164 Subpart C and the Privacy Rule at Subpart E require safeguards, a signed business associate agreement (BAA), and a clear chain of custody for PHI. If a foreign vendor loses the data, the U.S. entity pays the fine.

The HHS Office for Civil Rights (OCR) has warned since its 2012 guidance that offshoring PHI raises risk, and enforcement actions against offshore vendors keep climbing. The 2024 HIPAA Journal breach report notes that more than 168 million healthcare records were exposed in 2023 alone, a record number, with several incidents tied to offshore subcontractors.

The Short Answer: No Geographic Ban, But Heavy Strings Attached

HIPAA’s text, found throughout 45 CFR Parts 160 and 164, never mentions a country, a border, or a data-residency line. Congress wrote the law in 1996 to protect the information itself, not the dirt it sits on. That is why a hospital in Ohio can lawfully place patient records on a server in Ireland, so long as it follows the rest of the rulebook.

The plain-English version is simple: HIPAA follows the data. If a U.S. hospital sends PHI to a cloud region in Frankfurt, the hospital still owns the HIPAA duty. The German data center is now a business associate, and every HIPAA safeguard applies as if the data never left Ohio.

The consequence of ignoring this point is large. A covered entity that assumes “foreign = not covered” will skip the BAA, skip the risk analysis, and end up on the OCR Breach Portal. Civil money penalties now reach $2,134,831 per violation category per year after the 2024 inflation adjustment.

A real-world example shows the stakes. Dr. Lena Ramirez, a primary-care physician in Austin, signs up for a low-cost transcription service based in the Philippines. She never asks about a BAA, never reviews the vendor’s safeguards, and never tells her patients. When the vendor leaks 40,000 notes, OCR opens a case against Dr. Ramirez, not the vendor, because she is the covered entity.

A common misconception is that “the cloud handles HIPAA.” It does not. AWS, Microsoft Azure, Google Cloud, and Oracle Cloud all sign BAAs and offer HIPAA-eligible services, yet the customer still owns the access controls, the encryption keys, and the audit trail.

The Statutory Framework Behind Cross-Border PHI Storage

The Privacy Rule and the Silence on Geography

The Privacy Rule focuses on uses and disclosures, not location. It tells covered entities when they may share PHI and with whom, but it never ties those choices to a map. The rule’s silence is a feature, not a bug, because Congress wanted the law to survive changes in technology.

The consequence of that silence is that any lawful use or disclosure under 45 CFR 164.502 can cross a border. A U.S. insurer can send claim records to an analytics team in Bangalore, as long as the purpose is treatment, payment, health care operations, or a permitted disclosure.

A quick scenario: Northlake Health Plan moves its claims platform to a vendor in Costa Rica. The move is a “health care operation” under the rule, so no patient authorization is needed. The plan still signs a BAA, still runs a risk analysis, and still lists the vendor in its Notice of Privacy Practices if required.

A common misconception is that patients must consent to offshore storage. They do not, unless a state law like the California CMIA layers on extra consent duties.

The Security Rule and Technical Safeguards

The Security Rule is where cross-border storage gets real. It demands administrative, physical, and technical safeguards for electronic PHI (ePHI). Encryption, access control, audit logs, and workforce training apply wherever the server sits.

The consequence of weak safeguards abroad is a presumed breach. Under the Breach Notification Rule at 45 CFR 164.400-414, any unsecured PHI that is accessed without authorization triggers notice to patients, HHS, and sometimes the media.

Harbor Medical Group learns this the hard way. It stores ePHI in a Singapore data center but skips encryption at rest. A disgruntled contractor copies the drive, and Harbor must notify 85,000 patients. The fine lands at $1.3 million, and the corrective action plan runs five years.

A common misconception is that foreign encryption laws excuse weaker controls. They do not. If a country bans strong crypto, the covered entity must either choose a different region or accept the risk and document it in the risk analysis required by 45 CFR 164.308(a)(1)(ii)(A).

The Breach Notification Rule Across Borders

The Breach Notification Rule treats a breach the same whether the data lived in Dallas or Dublin. The 60-day clock starts when the covered entity knows, or should have known, about the incident.

The consequence of a late notice is steep. OCR has issued multiple settlements for notification delays, including a $4.3 million penalty against Cignet Health and a $1 million settlement with Presence Health for slow reporting.

A common misconception is that foreign breach laws can replace U.S. notice duties. They cannot. A covered entity may owe notice under GDPR and HIPAA, and it must meet both deadlines.

How HIPAA Interacts With Foreign Privacy Laws

The moment PHI crosses a border, at least two privacy regimes apply. HIPAA still binds the U.S. entity, and the destination country’s law binds the local vendor. The layered duties can multiply paperwork, shrink vendor choices, and raise costs.

GDPR and the EU-U.S. Data Privacy Framework

The General Data Protection Regulation (GDPR) treats health data as a “special category” under Article 9. Any PHI sent to an EU vendor counts as a transfer into the EU, which is fine, but the return trip out of the EU must use a lawful transfer tool.

The consequence of skipping a transfer tool is a GDPR fine up to 4% of global turnover. The 2020 Schrems II ruling struck down the old Privacy Shield, and the new EU-U.S. Data Privacy Framework took effect in July 2023.

BrightCare Analytics, a U.S. business associate, processes claim data in Dublin. It must either self-certify under the DPF, use Standard Contractual Clauses, or complete Binding Corporate Rules to move the data back to a U.S. analyst.

A common misconception is that a BAA equals GDPR compliance. It does not. A BAA covers HIPAA duties, while a Data Processing Agreement under GDPR Article 28 covers GDPR duties. Most vendors now sign both.

UK GDPR and the UK Data Protection Act 2018

After Brexit, the United Kingdom kept its own UK GDPR alongside the Data Protection Act 2018. The rules mirror EU GDPR, with a separate “UK Extension to the DPF” for U.S. transfers.

The consequence of using the wrong tool is a fine from the Information Commissioner’s Office. The ICO fined a pharmacy chain £275,000 in 2019 for weak health-data controls, showing it will act on sector-specific lapses.

MedLink UK Ltd., a business associate serving a Boston hospital, signs both a BAA and a UK International Data Transfer Agreement. The dual contract keeps HHS and the ICO happy.

PIPEDA in Canada

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to most private-sector health data. It allows cross-border transfers but requires notice to the patient and a contract with the vendor.

The consequence of ignoring PIPEDA is an investigation by the Office of the Privacy Commissioner. British Columbia and Quebec add their own rules; Quebec’s Law 25 took full effect in September 2023 and restricts transfers to countries without equivalent protection.

CrossBorder Radiology, a U.S. teleradiology firm, reads scans for a Montreal hospital. The firm must comply with Quebec Law 25, sign a HIPAA BAA, and notify patients that images travel to Texas.

India’s Digital Personal Data Protection Act

India enacted the Digital Personal Data Protection Act, 2023 (DPDPA) on August 11, 2023. The law permits cross-border transfers except to countries on a future blacklist. Health data is sensitive, and breach fines can reach ₹250 crore (about $30 million).

Chennai HealthOps, a transcription vendor for a Chicago clinic, now has to meet DPDPA consent rules and HIPAA flow-down terms. The clinic’s BAA must name the DPDPA obligations to preserve HIPAA’s chain of custody.

A common misconception is that HIPAA “overrides” foreign law. It does not. Each law applies on its own terms, and conflicts are resolved by choosing a vendor that can meet the strictest rule.

Business Associate Agreements and Cross-Border Clauses

The BAA is required by 45 CFR 164.504(e). Without a signed BAA, any disclosure to a vendor, foreign or domestic, is unlawful. HHS posts a sample BAA that covers the baseline, yet cross-border deals need extra clauses.

Flow-Down Terms for Subcontractors

The HITECH Act of 2009 and the 2013 Omnibus Rule extended HIPAA to subcontractors. A vendor in Manila that hires a sub-vendor in Mumbai must flow every HIPAA duty down the chain.

The consequence of a missing flow-down is vicarious liability for the covered entity. The CHSPSC settlement of $2.3 million stemmed from weak oversight of a business-associate relationship that exposed 6.1 million records.

Capital Care Insurers signs a BAA with a vendor in Dublin, and the BAA requires identical terms for every sub. When the Dublin vendor hires a coder in Bulgaria, the Bulgarian firm signs the same contract. The chain holds.

A common misconception is that one BAA covers the whole tech stack. It does not. Each link in the chain needs its own contract.

Cross-Border Transfer Language

Cross-border clauses should name the destination country, the lawful transfer tool, the encryption standard, the breach-notice timeline, and a right to audit. The NIST SP 800-66r2 guide suggests mapping each clause to a specific Security Rule standard.

The consequence of vague language is a dispute at the worst possible moment, right after a breach. Clear contracts let lawyers act in hours, not weeks.

HealthSignal Inc. writes its BAA to require AWS-EU regions, AES-256 encryption, customer-managed keys, and a 24-hour breach-notice window. When a misconfigured bucket leaks data, the vendor notifies in 14 hours, and HealthSignal meets the 60-day rule easily.

Three Common Offshore Storage Scenarios

Business Move | Compliance Outcome
U.S. hospital hires an Indian medical-transcription vendor without a BAA | OCR treats every note as an unlawful disclosure; fines can reach $2,134,831 per violation category per year
Telehealth startup hosts PHI in AWS Frankfurt with a signed BAA and SCCs | Lawful under HIPAA and GDPR; the startup must still run a risk analysis and document its encryption keys
SaaS EHR vendor stores backups in Canada but ignores Quebec Law 25 | HIPAA is satisfied, yet the Quebec regulator fines the vendor and the U.S. customer’s reputation takes the hit

Three Named Examples of Cross-Border HIPAA Storage

Example 1: Dr. Aaron Kim and the Manila Billing Vendor

Dr. Aaron Kim runs a cardiology clinic in San Diego. He hires MetroBill Philippines to handle coding, signs a BAA, and requires AES-256 encryption plus SOC 2 Type II reports. When a phishing attack hits the vendor, the encrypted files stay unreadable, and no breach notice is needed under the safe-harbor guidance. Dr. Kim saves 60% on billing costs and keeps patients safe.

Example 2: Sofia Patel, CTO of a Telehealth Startup

Sofia Patel builds a telehealth app on Microsoft Azure and stores PHI in the East US region while replicating backups to North Europe. She signs Microsoft’s BAA, enables Customer Lockbox, and certifies under the DPF. A GDPR audit finds no gap, and an OCR inquiry closes without fine.

Example 3: Marcus Lee and the Canadian Research Partnership

Marcus Lee, a research director at a Boston hospital, ships de-identified data plus a limited data set to a McGill University team. He uses a data use agreement under 45 CFR 164.514(e), complies with PIPEDA, and registers the study under Quebec Law 25. The cross-border flow stays lawful.

Mistakes to Avoid When Storing PHI Abroad

  1. Skipping the BAA because the vendor is “just infrastructure.” Every vendor that touches PHI needs one, and missing contracts drive most OCR settlements.
  2. Assuming the cloud provider handles compliance. The shared responsibility model leaves access control, key management, and logging to the customer.
  3. Ignoring the risk analysis. The OCR guidance on risk analysis makes it the single most cited failure in enforcement actions.
  4. Forgetting subcontractor flow-down. A missing link means the covered entity inherits the whole risk.
  5. Using weak encryption or letting the vendor hold the keys. Customer-managed keys are the industry standard for cross-border deals.
  6. Missing foreign breach-notice timelines. GDPR demands 72-hour notice, while HIPAA gives 60 days; the faster clock wins.
  7. Relying on outdated transfer tools. Privacy Shield is dead, and old SCCs had to be replaced by June 2021.
  8. Overlooking state law. Texas HB 300, California CMIA, and New York SHIELD add duties HIPAA does not mention.
  9. Failing to train a global workforce. HIPAA training under 45 CFR 164.530(b) must reach every worker who sees PHI, in any country.
  10. Not updating the Notice of Privacy Practices. If offshore processing changes how data is used, the notice must reflect it.

Do’s and Don’ts for Cross-Border HIPAA Storage

Do’s

  • Do sign a BAA with every vendor, because missing BAAs trigger automatic violations.
  • Do run a written risk analysis, because OCR asks for it first in every audit.
  • Do pick cloud regions that align with both HIPAA and local law, because alignment avoids fines in two jurisdictions.
  • Do use customer-managed encryption keys, because control over keys preserves the safe harbor.
  • Do keep audit logs for at least six years, because 45 CFR 164.530(j) requires that retention.

Don’ts

  • Don’t assume HIPAA applies abroad by default; it applies through the U.S. entity, so build the contracts.
  • Don’t share encryption keys over email, because key leakage is the fastest path to a breach.
  • Don’t skip vendor due diligence, because OCR treats weak vetting as willful neglect.
  • Don’t rely on verbal assurances from a vendor, because only signed terms hold up in court.
  • Don’t forget to revise your Notice of Privacy Practices, because silent changes invite complaints.

Pros and Cons of Offshore PHI Storage

Pros

  • Lower labor and hosting costs, because offshore rates often run 40-70% below U.S. rates.
  • Round-the-clock processing, because time-zone coverage shortens claim cycles.
  • Access to global talent, because specialized coders and analysts live worldwide.
  • Disaster-recovery options, because geographically diverse backups survive regional outages.
  • Faster feature roll-outs, because global teams ship on parallel schedules.

Cons

  • Layered legal duties, because every country adds rules.
  • Longer breach-response chains, because time zones and language barriers slow triage.
  • Audit complexity, because auditors must travel or rely on third-party reports.
  • Currency and political risk, because regulations can change overnight.
  • Reputational risk, because patients often object when they learn data leaves the country.

OCR Enforcement Actions That Shaped Offshore Practice

CHSPSC LLC (2020)

The CHSPSC settlement reached $2.3 million after an APT group exfiltrated the PHI of 6.1 million people. OCR cited weak risk analysis, weak access controls, and weak audit logs. The settlement shows that business associates, foreign or domestic, carry direct HIPAA liability.

Premera Blue Cross (2020)

The Premera Blue Cross settlement hit $6.85 million for a breach of 10.4 million records. Nation-state attackers lived in the network for nine months. The case warns covered entities to monitor any environment, including offshore subcontractors.

Anthem Inc. (2018)

The Anthem settlement of $16 million remains the largest HIPAA fine. Attackers targeted data replicated across multiple regions. Global replication without matching safeguards was a key finding.

Advocate Health Care (2016)

The Advocate settlement of $5.55 million penalized the system for weak oversight of a business associate. The order showed that vendor governance sits squarely with the covered entity, no matter where the vendor sits.

State Law Overlays That Affect Offshore Storage

Texas HB 300

Texas HB 300 expands HIPAA’s reach inside Texas, with training deadlines, tighter consent rules, and penalties up to $1.5 million per year. The statute applies to any entity that handles Texas residents’ PHI, even a vendor in Poland.

The consequence of ignoring HB 300 is a civil penalty layered on top of any HIPAA fine. Texas hospitals often add Texas-specific clauses to every BAA.

TexHealth Systems sends data to a Polish analytics firm. The Polish firm signs a BAA plus a Texas addendum that includes the HB 300 training clause. The setup passes both reviews.

California CMIA and CCPA/CPRA

The California Confidentiality of Medical Information Act (CMIA) adds per-record damages and a private right of action. The California Consumer Privacy Act (CCPA), as amended by the CPRA, covers health data that falls outside HIPAA.

The consequence is double exposure: OCR can fine the entity, and patients can sue under the CMIA. A California class action can reach tens of millions of dollars quickly.

GoldenGate Health in San Francisco stores research data in Tokyo. Because the data includes identifiers that HIPAA does not cover, the CCPA applies. The hospital updates its privacy notice and honors deletion requests.

New York SHIELD Act

The New York SHIELD Act requires “reasonable” administrative, technical, and physical safeguards for any private data of New Yorkers. The Act applies to out-of-state vendors that hold New York records, including offshore firms.

The consequence of a SHIELD lapse is a civil penalty up to $250,000. New York providers often demand SHIELD-specific attestations from offshore vendors.

Empire Pediatrics hosts ePHI with a vendor in Ireland. The vendor signs a BAA plus a SHIELD compliance rider. The hospital files the rider with its security officer and maps each control to the Act.

Other States Watching the Border

Illinois, Washington, Connecticut, and Colorado have expanded health-privacy laws in the past three years. Washington’s My Health My Data Act of 2023 reaches far beyond HIPAA and applies to any consumer health data, including data sent abroad.

Key Entities You Need to Know

  • HHS Office for Civil Rights (OCR): the federal agency that enforces HIPAA, investigates breaches, and writes guidance.
  • Covered Entities: providers, health plans, and clearinghouses defined at 45 CFR 160.103.
  • Business Associates: any person or firm that creates, receives, maintains, or transmits PHI for a covered entity.
  • National Institute of Standards and Technology (NIST): publishes SP 800-66r2, the primary guide for Security Rule implementation.
  • European Data Protection Board (EDPB): issues guidance on GDPR transfers and the DPF.
  • U.S. Department of Commerce: runs the Data Privacy Framework program for EU, UK, and Swiss transfers.
  • Office of the Privacy Commissioner of Canada: enforces PIPEDA and investigates cross-border flows.
  • India’s Data Protection Board: the forthcoming regulator under the DPDPA.

The Risk Analysis Process Step-By-Step

Step 1: Scope the ePHI Inventory

Map every system that holds ePHI, noting location, vendor, data type, and volume. Include every foreign region, every replica, and every backup. The OCR risk-analysis guidance calls this step a prerequisite.

A missing system is the most common audit finding. Auditors often ask for network diagrams that show country-level flows.

Step 2: Identify Threats and Vulnerabilities

List threats such as ransomware, insider misuse, foreign surveillance, and supply-chain attacks. Rank each against likelihood and impact. The NIST SP 800-30 methodology is the standard.

Offshore storage adds threats like local seizure orders. U.S. entities should know which countries allow government access without judicial review.

Step 3: Evaluate Existing Controls

Score current controls for each threat. Use SOC 2 Type II reports, ISO 27001 audits, and HITRUST r2 certifications as evidence.

A missing control translates to a documented risk, which must be either mitigated or accepted in writing.

Step 4: Document, Remediate, and Repeat

The final step is a written report signed by the security officer. Update it at least annually, and after any major change, including a new vendor or region.
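The four steps above, as one runnable example added here (it is not part of the original article): a small Python inventory check that takes Step 1’s list of ePHI stores, applies Step 3’s control evaluation against the safeguards the article names (signed BAA, encryption at rest, customer-managed keys, subcontractor flow-down, a lawful EU/UK transfer tool, and a vendor breach-notice window shorter than the strictest applicable clock), and returns the per-store findings a Step 4 report would record. It also exercises the contract terms in the HealthSignal clause set and the notice-clock point from the mistakes list. The PhiStore fields, the country lists, the EU/UK regime mapping, and the sample inventory are this example’s own simplifications and constructed data, not anything the article, HHS, or a cloud provider defines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Notice clocks named in the article: HIPAA gives 60 days from discovery,
# GDPR (and UK GDPR) 72 hours. The shortest applicable clock is the one that binds.
NOTICE_WINDOWS: Dict[str, timedelta] = {
    "HIPAA": timedelta(days=60),
    "GDPR": timedelta(hours=72),
    "UK_GDPR": timedelta(hours=72),
}

# Lawful tools for moving data back out of the EU / UK, as listed in the article.
EU_TRANSFER_TOOLS: Set[str] = {"DPF", "SCC", "BCR"}
UK_TRANSFER_TOOLS: Set[str] = {"UK_DPF_EXTENSION", "IDTA"}

# Deliberately incomplete country list, used only to decide which regime applies
# (an assumption of this example, not a legal mapping).
EU_COUNTRIES: Set[str] = {"IE", "DE", "FR", "NL", "ES", "IT"}


@dataclass
class PhiStore:
    """One row of the Step 1 ePHI inventory (field names are this example's own)."""
    name: str
    country: str                                # ISO 3166 code of the hosting region
    vendor: str
    baa_signed: bool
    encrypted_at_rest: bool
    customer_managed_keys: bool
    subcontractors_flowed_down: bool = True
    transfer_tool: Optional[str] = None         # e.g. "SCC" for the EU->US return trip
    vendor_notice_hours: Optional[int] = None   # contractual breach-notice window


def applicable_regimes(store: PhiStore) -> Set[str]:
    """HIPAA follows the data everywhere; local law is layered on by hosting country."""
    regimes = {"HIPAA"}
    if store.country in EU_COUNTRIES:
        regimes.add("GDPR")
    elif store.country == "GB":
        regimes.add("UK_GDPR")
    return regimes


def notice_deadline(store: PhiStore, discovered_at: datetime) -> datetime:
    """Earliest regulator deadline across every regime that applies to this store."""
    return min(discovered_at + NOTICE_WINDOWS[r] for r in applicable_regimes(store))


def evaluate(store: PhiStore) -> List[str]:
    """Step 3: compare the store's controls with the safeguards the article requires.
    Each returned string is a documented risk to mitigate or accept in writing."""
    findings: List[str] = []
    if not store.baa_signed:
        findings.append("no BAA: every disclosure to this vendor is unlawful (45 CFR 164.504(e))")
    if not store.encrypted_at_rest:
        findings.append("ePHI not encrypted at rest: unauthorized access is a presumed breach")
    elif not store.customer_managed_keys:
        findings.append("vendor holds the encryption keys: safe harbor depends on key control")
    if not store.subcontractors_flowed_down:
        findings.append("HIPAA terms not flowed down to subcontractors")
    regimes = applicable_regimes(store)
    if "GDPR" in regimes and store.transfer_tool not in EU_TRANSFER_TOOLS:
        findings.append("EU-hosted data has no lawful transfer tool (DPF/SCC/BCR) for the return trip")
    if "UK_GDPR" in regimes and store.transfer_tool not in UK_TRANSFER_TOOLS:
        findings.append("UK-hosted data has no UK DPF extension or IDTA for the return trip")
    # The vendor must tell the covered entity well inside the strictest regulator clock.
    strictest_hours = min(NOTICE_WINDOWS[r] for r in regimes) / timedelta(hours=1)
    if store.vendor_notice_hours is None or store.vendor_notice_hours >= strictest_hours:
        findings.append(f"vendor breach-notice window must be under {strictest_hours:.0f} hours")
    return findings


def run_inventory_check(stores: List[PhiStore]) -> Dict[str, List[str]]:
    """Step 4 input: findings per store; an empty list means no gap was found."""
    return {s.name: evaluate(s) for s in stores}


# Constructed sample inventory (not real systems), modelled on the article's scenarios.
SAMPLE_INVENTORY = [
    PhiStore("claims-frankfurt", "DE", "cloud-eu", True, True, True, True, "SCC", 24),
    PhiStore("transcripts-manila", "PH", "transcribe-ph", False, False, False),
    PhiStore("backups-dublin", "IE", "backup-ie", True, True, False, True, None, 48),
]
SAMPLE_DISCOVERY = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed discovery time

if __name__ == "__main__":
    for name, issues in run_inventory_check(SAMPLE_INVENTORY).items():
        print(name, "->", issues or "no findings")
    for store in SAMPLE_INVENTORY:
        print(store.name, "notice deadline:", notice_deadline(store, SAMPLE_DISCOVERY).date())
```

Running it reports no findings for the Frankfurt store, three for the Manila transcription vendor (no BAA, no encryption, no contractual notice window) and two for the Dublin backups (vendor-held keys, no transfer tool for the return trip); the Frankfurt deadline lands 72 hours after discovery because GDPR’s clock is shorter than HIPAA’s. Extending the regime mapping (PIPEDA, Quebec Law 25, state overlays) is a matter of adding entries to the two tables rather than changing the evaluation logic.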

Forms and Documents That Matter

  • BAA: based on the HHS sample.
  • Data Processing Agreement (DPA): GDPR Article 28 contract.
  • Standard Contractual Clauses (SCCs): the current 2021 modules.
  • UK International Data Transfer Agreement (IDTA): the ICO-approved form.
  • Transfer Impact Assessment (TIA): required after Schrems II.
  • Data Use Agreement (DUA): for limited data sets under 45 CFR 164.514(e).
  • Notice of Privacy Practices: updated to note offshore processing when relevant.

Court Rulings and Regulatory Decisions to Know

The Schrems II ruling (C-311/18) shaped every EU-to-U.S. transfer today. The court held that U.S. surveillance law, including FISA 702, conflicts with GDPR, unless supplemental safeguards are added. Covered entities now pair SCCs with encryption, pseudonymization, and TIAs.

In the United States, Ciox Health v. Azar (D.D.C. 2020) narrowed HHS’s third-party fee guidance but confirmed the strength of HIPAA’s patient-access rule. The ruling still matters for cross-border vendors that handle access requests.

The University of Rochester Medical Center settlement of $3 million confirms that encryption lapses are a fast track to fines. The lesson applies with equal force to foreign laptops and foreign servers.

The 2020 Lifespan settlement of $1.04 million makes the same point and shows that OCR’s attention to encryption is sustained.

FAQs

Does HIPAA forbid storing PHI outside the United States?

No. HIPAA contains no geographic restriction, but the covered entity stays fully responsible for safeguards, contracts, and breach notice wherever the data lives.

Can a covered entity use AWS, Azure, or Google Cloud regions outside the U.S.?

Yes. All three providers sign BAAs and list HIPAA-eligible services that run in non-U.S. regions, as long as the customer follows the shared-responsibility model.

Must patients consent to offshore storage?

No. HIPAA does not require patient consent for offshore storage, but state laws like the California CMIA can add consent duties in some cases.

Is a Business Associate Agreement required with a foreign vendor?

Yes. Every vendor that creates, receives, maintains, or transmits PHI needs a signed BAA under 45 CFR 164.504(e), no matter the country.

Does GDPR apply when a U.S. hospital stores data in the EU?

Yes. GDPR applies to any processing that takes place in the EU, so the hospital and its EU vendor share duties under both GDPR and HIPAA.

Can state laws block offshore storage of health data?

Yes. Texas HB 300, California CMIA, New York SHIELD, and Washington’s My Health My Data Act each add rules that can limit or shape offshore processing.

Are offshore breaches treated the same as domestic ones under HIPAA?

Yes. The Breach Notification Rule applies the same way to any unsecured PHI incident, and the 60-day notice clock starts on discovery.

Can I avoid HIPAA duties by de-identifying data before sending it abroad?

Yes. Data that meets the de-identification standard at 45 CFR 164.514(b) is no longer PHI, so HIPAA does not follow it, though other laws still might.

Does the EU-U.S. Data Privacy Framework cover HIPAA data?

Yes. The DPF covers personal data transferred to self-certified U.S. organizations, including PHI, as long as the organization meets both DPF and HIPAA duties.

Can OCR investigate a foreign vendor directly?

Yes. OCR can investigate any business associate that touches U.S. PHI, foreign or domestic, and the 2013 Omnibus Rule gave it direct jurisdiction.

Is encryption alone enough to satisfy HIPAA abroad?

No. Encryption helps, and often unlocks the breach safe harbor, yet HIPAA still requires risk analysis, access control, audit logs, training, and a signed BAA.

Does HIPAA preempt foreign privacy law?

No. HIPAA applies to U.S. entities, and it does not override foreign law; when laws conflict, the strictest rule usually controls.