
For an application that stores US patient data, does HIPAA require that US data stays on US servers?

ohwilleke

Ben Rei

1 Answer


No. This is governed by the HIPAA Security Rule which was a regulation that the HIPAA statute required the Department of Health and Human Services to adopt.

The Rule does require someone covered by HIPAA to have a "Business Associate Agreement" (BAA) and a Service Level Agreement (SLA) with any cloud storage provider (which would be the usual way that a U.S. health care provider subject to HIPAA would have a foreign server), but the Rule does not require that a server be physically located in the United States.

The lack of this requirement is a good one, because when you are transmitting data (which the Security Rule requires be done in a secure fashion), you can't know which servers the information will end up on in a trip from source to destination. Email and all other Internet content travels through what amounts to a pony express. It goes through a variety of intermediate server nodes which can change during the course of a session, and generally speaking, you never know which intermediate nodes are used. You could be seeing this answer via a server in China, for example, and you would never know it.

ohwilleke