Where is Your PHI Stored?
A fundamental aspect of risk management and HIPAA compliance is knowing where the Protected Health Information (“PHI”) you create, store, maintain, or access is located. This means what devices it is on, as well as where those devices are located. As more PHI is shifted to being stored in the cloud, the physical location of the PHI becomes more important, especially knowing whether that data is stored offshore.
Outside Access to Your Storage
There are currently no federal prohibitions on storing PHI offshore, but several states do prevent or restrict offshore storage of PHI. Additionally, offshore PHI will likely be subject to the local laws of the country in which it is stored, and those laws can vary dramatically from HIPAA and other U.S. laws. In some instances, the local government may even be able to access data stored within its borders.
Forbid Sharing of PHI
As with any cloud storage vendor, a Business Associate Agreement would be needed prior to allowing the vendor to store the PHI. While a Business Associate Agreement would forbid the sharing of PHI with the government of the country in which the PHI is stored, it is unlikely the Business Associate Agreement alone would be enough to prevent that government’s access. Additionally, enforcing agreements with offshore vendors can be complex and expensive.
While storing PHI offshore is technically permitted, any benefits might be outweighed by the potential risks. Whether it is the right decision for your organization is a choice each organization must make for itself. However, before storing PHI offshore, you should make sure you have analyzed and planned for all possible risks.