Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States? Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Issued by: Office for Civil Rights (OCR)
Do the HIPAA Rules
allow a covered entity or business associate to use a CSP that stores
ePHI on servers outside of the United States?
Answer:
Yes, provided the covered entity (or business associate) enters into a
business associate agreement (BAA) with the CSP and otherwise complies
with the applicable requirements of the HIPAA Rules. However, while the
HIPAA Rules do not include requirements specific to protection of
electronic protected health information (ePHI) processed or stored by a
CSP or any other business associate outside of the United States, OCR
notes that the risks to such ePHI may vary greatly depending on its
geographic location. In particular, outsourcing storage or other
services for ePHI overseas may increase the risks and vulnerabilities to
the information or present special considerations with respect to
enforceability of privacy and security protections over the data.
Covered entities (and business associates, including the CSP) should
take these risks into account when conducting the risk analysis and risk
management required by the Security Rule. See 45 CFR §§
164.308(a)(1)(ii)(A) and (a)(1)(ii)(B). For example, if ePHI is
maintained in a country where there are documented increased attempts at
hacking or other malware attacks, such risks should be considered, and
entities must implement reasonable and appropriate technical safeguards
to address such threats.
| Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment Covered Entity: Outpatient Facility Issue: Impermissible Uses and Disclosures An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board ...read more |
| Tuesday, November 1, 2022 Modernizing Medicine Inc. (ModMed), an electronic health record (EHR) technology vendor located in Boca Raton, Florida, has agreed to pay $45 million to resolve allegations that it violated the False Claims Act (FCA) by accepting and providing unlawful remuneration in exchange for referrals and by causing its users to report inaccurate information in connection with claims for federal incentive payments. The Anti-Kickback Statute prohibits anyone from offering or paying, directly or indirectly, any remuneration — which includes money or any other thing of value — to induce referrals of items or services covered by Medicare, ...read more |
| Tuesday, November 1, 2022 Modernizing Medicine Inc. (ModMed), an electronic health record (EHR) technology vendor located in Boca Raton, Florida, has agreed to pay $45 million to resolve allegations that it violated the False Claims Act (FCA) by accepting and providing unlawful remuneration in exchange for referrals and by causing its users to report inaccurate information in connection with claims for federal incentive payments. The Anti-Kickback Statute prohibits anyone from offering or paying, directly or indirectly, any remuneration — which includes money or any other thing of value — to induce referrals of items or services covered by Medicare, ...read more |
| Private Practice Revises Process to Provide Access to Records Covered Entity: Private Practices Issue: Access A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary ...read more |
|
July 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | 1 | 2 | 3 | 4 |
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 | 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54) January 2025 (1)
Blog Labels
Data Breach (1) EHR Fraud (1) PPP Fraud (1) HIPAA (2) Telehealth (1) BAA (4) ePHI (2) HIPAA Enforcement (3) Covered Entity (40)
|