Storing Protected Health Information ("PHI") in the cloud can be very useful for covered entities and business associates. HIPAA does permit storing PHI in the cloud, provided the cloud storage provider executes a Business Associate Agreement (BAA). But do you know exactly where the cloud provider stores that PHI? In some instances the cloud storage vendor might store, back up, or process the PHI in an overseas location. How do you protect the PHI, and yourself, in that situation?
HIPAA does not specifically forbid storing PHI in an offshore location (though some states do forbid storing Medicaid data offshore), but it does create challenges. First, you must determine where your cloud vendors will store the information and whether that location is offshore. If it is, you need to determine the specific jurisdiction and what local rules apply to the PHI. Local laws in the country where PHI is stored may permit access to the data in ways that would be a violation of HIPAA. The duty is on you, when you contract with the cloud provider, to determine whether its security efforts are sufficient and whether the location of the data poses any risk. Furthermore, an offshore cloud provider might not be bound by HIPAA, but you, presumably operating in the United States, are. If your international cloud provider is at fault for a breach but cannot be held accountable, you might be determined to be liable even if the only action you took was selecting the wrong vendor.
Without question, storing PHI offshore brings unique challenges. Whether they are worth it can only be answered by you. However, if you are considering a vendor that will store PHI internationally, be sure to conduct a risk assessment to ensure you are not placing PHI at increased or unnecessary risk.