Protected health information is any individually identifiable information relating to a person's past, present, or future health condition, the provision of healthcare services, or payment for those services. This includes names, dates, addresses, Social Security numbers, medical record numbers, and even IP addresses when linked to health data. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities as well as their business associates are required to safeguard PHI against unauthorized disclosure.
A breach involving PHI can result in reputational damage, loss of patient trust, and civil or criminal penalties. Under 45 CFR §160.404, civil money penalties range from $100 to $50,000 per violation, with an annual cap of $1,500,000 for identical violations within a calendar year. These are the base statutory figures; HHS adjusts them for inflation.
HIPAA has no explicit ban on international transfers
HIPAA does not contain a prohibition on transferring PHI outside of the United States. The law focuses on the obligations of covered entities and business associates, not on the physical or geographic location of the data. If a U.S.-based healthcare organization shares PHI with an overseas vendor, HIPAA still applies to that covered entity.
This means that when PHI is transferred internationally, the covered entity remains legally responsible for ensuring the information is handled in accordance with HIPAA's Privacy and Security Rules. Under 45 CFR §164.306(a)(1), covered entities must "ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits." That obligation does not diminish simply because data crosses a border.
As Carolyn V. Metnick, Michael D. Sutton, and Lotan Barbaresso of Sheppard Mullin noted in a 2024 article published in the National Law Review, HIPAA specifically prohibits a covered entity from engaging with a business associate or subcontractor that it knows is not in compliance with HIPAA, a rule that applies to offshore relationships.
Business associate agreements are non-negotiable
The Business Associate Agreement is the legal cornerstone of any international PHI transfer. Under 45 CFR §160.103(1), a business associate is defined as any person who, on behalf of a covered entity, "creates, receives, maintains, or transmits protected health information" for a regulated function or activity. This definition applies regardless of where that person or entity is physically located, meaning overseas vendors handling PHI fall within its scope.
The regulatory requirements for what a BAA must contain are explicit. Under 45 CFR §164.314(a)(2)(i), the contract must provide that the business associate will comply with applicable HIPAA requirements, ensure that any subcontractors handling electronic PHI agree to the same, and report any security incidents or breaches to the covered entity. Without a BAA that meets these requirements, transferring PHI to any third party, domestic or international, is a violation of HIPAA.
Enforcement of a BAA against an international partner can be challenging. If a breach occurs and the overseas company refuses to cooperate or cannot be held accountable under U.S. law, the covered entity in the United States bears the regulatory exposure. The severity of that exposure depends on the nature of the failure. Under 45 CFR §160.401, the most serious category of noncompliance, willful neglect, is defined as "conscious, intentional failure or reckless indifference" to HIPAA obligations, and it carries the steepest penalties.
Medicare, Medicaid, and the regulatory layer beneath HIPAA
As the Sheppard Mullin authors observed in the National Law Review, offshoring arrangements involving Medicare and Medicaid data trigger program-specific requirements that go beyond general HIPAA compliance.
On the Medicare side, the National Law Review article notes that the Centers for Medicare and Medicaid Services issued guidance in 2007 describing offshoring as presenting "unique risks" and calling on Medicare Advantage Organizations and Prescription Drug Plan Sponsors to take "extraordinary measures" to protect patient data. Organizations using offshore subcontractors must submit attestations to CMS describing the identity and function of each offshore subcontractor, what PHI they can access, and what safeguards are in place, and must also take steps to audit those subcontractors directly.
On the Medicaid side, federal law under the Affordable Care Act prohibits states from making payments for healthcare items or services to entities located outside the United States. However, CMS guidance has clarified that this prohibition does not extend to administrative functions, which means that offshore contractors handling claims processing, call center operations, or data entry for Medicaid programs may still be permissible, even where they access patient data in doing so.
International data privacy laws
While HIPAA governs U.S.-based organizations, foreign jurisdictions have their own health data privacy regulations. The European Union's General Data Protection Regulation (GDPR), for example, imposes requirements on transferring personal data, including health data, outside of the European Economic Area. If a U.S. healthcare organization receives health data from an EU-based patient or partner, both HIPAA and GDPR may apply.
According to EU-US data transfers: an enduring challenge for health research collaborations, published in 2024 by Lalova-Spinks, Valcke, Ioannidis, and Huys, the practical consequences of GDPR restrictions on health research have been severe and well-documented. The authors report that 47 clinical research sites across the EU were unable to enroll patients in NIH-sponsored COVID-19 therapeutic trials because of data transfer restrictions, and that approximately 40 clinical and observational cancer studies were delayed due to the same legal obstacles. One 25-year diabetes study was derailed for 18 months. The International Genomics of Alzheimer's Project was forced to run isolated analyses rather than share data in real time.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the UK GDPR (the United Kingdom's post-Brexit equivalent of the EU regulation), and similar regimes in Australia, Brazil, and Japan all create a patchwork of obligations. Organizations operating globally must map which regulations apply to which data flows and ensure they have compliance mechanisms in place for each relevant jurisdiction.
State laws
Even where federal law permits offshore data arrangements, state legislatures may impose their own restrictions. The Sheppard Mullin article in the National Law Review gives an example: Florida amended its Electronic Health Records Exchange Act in 2023 to prohibit certain healthcare providers from storing qualified electronic health records outside of the United States, its territories, or Canada. This prohibition extends to records stored through third-party or subcontracted cloud service providers.
Beyond healthcare-specific legislation, some states have issued executive orders restricting the use of offshore contractors for any state-funded services. Ohio's Executive Order 2019-12D, for instance, applies broadly to all state agency contracts and their subcontractors.
Risks of international PHI transfers
Foreign governments may have surveillance or data access laws that conflict with HIPAA obligations. A cloud provider headquartered in a country without strong rule-of-law protections could be compelled by its local government to disclose data in ways that would constitute an impermissible disclosure, and therefore a breach, from a U.S. HIPAA perspective.
Additionally, as the Sheppard Mullin authors noted, offshore companies may not be versed in HIPAA or have HIPAA-compliant infrastructure in place. Different countries have varying standards for cybersecurity infrastructure, workforce training, and breach response. An overseas partner might lack the administrative, physical, and technical safeguards that HIPAA's Security Rule requires.
Best practices for compliant international transfers
Organizations considering international PHI transfers should take a structured approach:
- Conduct a comprehensive risk analysis that identifies what PHI is being transferred, to whom, and under what security conditions.
- Ensure a BAA is in place that satisfies the requirements of 45 CFR §164.314(a)(2)(i), and that the foreign business associate understands and can meet its obligations.
- Consider technical safeguards such as de-identification or pseudonymization where possible to reduce the sensitivity of what is transferred. Under 45 CFR §164.514(a), health information that has been properly de-identified falls outside HIPAA's scope and can be transferred with reduced regulatory risk. Note that pseudonymization on its own does not achieve de-identification: the data must satisfy either the safe harbor standard (removal of the listed identifiers under §164.514(b)(2)) or the expert determination standard (§164.514(b)(1)), and any re-identification code retained must meet §164.514(c).
- Audit your contracts. As the Sheppard Mullin authors state, agreements with payors, Medicare Advantage Organizations, state Medicaid agencies, and other partners may independently restrict or prohibit offshoring even where no law or regulation requires it.
- Establish clear breach notification procedures. Under 45 CFR §164.404(b), a covered entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach. When data is held overseas, identifying and confirming a breach may take longer, so the BAA should set a short, fixed window for the business associate to report incidents and provide the details needed for notification.
FAQs
Can a U.S. healthcare organization be penalized for a breach caused by an overseas vendor it had no knowledge of?
Yes. The covered entity remains accountable for PHI it entrusts to a vendor. If it failed to conduct due diligence before engaging the vendor, it can face regulatory exposure regardless of where the breach originated.
Does HIPAA apply if PHI is only viewed remotely by an overseas employee rather than physically transferred?
Yes. An overseas employee viewing PHI remotely is still accessing PHI, and HIPAA's obligations attach to that access just as they do to a copy of the data being sent abroad. Remote access is treated as a transfer under most regulatory frameworks and triggers the same compliance obligations.
What happens if an international business associate is acquired by a foreign government-linked entity after the BAA is signed?
The covered entity should treat such a change in ownership as a development that triggers a review of the BAA, the risk analysis, and any program-specific attestations (for example, CMS offshore subcontractor attestations) that depend on the identity of the business associate.