Do foreign vendors have to sign a business associate agreement?
Kirsten Peremore
June 16, 2025

According to the Journal of Medical Internet Research analysis on how doctors share patient data under HIPAA, “The health system is the covered entity under HIPAA and remains responsible for the privacy and security of the health information in its custody and for sending it securely to third parties only when permitted, directed, or authorized by the patient or required by law…Accordingly, the health system must make sure that its business associates, such as its EHR vendors, also abide by these rules.”
HIPAA defines a business associate as any entity, including foreign organizations, that performs functions or activities involving the use or disclosure of PHI on behalf of, or provides services to, a covered entity. This requirement is not limited by the vendor’s geographic location; rather, it is determined by the nature of the services provided and the access to PHI.
The business associate agreement (BAA) is a legally binding document that outlines the responsibilities of the business associate to secure PHI in accordance with HIPAA’s Privacy and Security Rules. The agreement must stipulate that the foreign vendor will use appropriate safeguards to prevent unauthorized use or disclosure of PHI, report breaches, and make sure that any subcontractors also comply with HIPAA requirements.
Although HIPAA’s enforcement mechanisms are primarily domestic, the obligation to execute a BAA with foreign vendors remains a compliance requirement for covered entities. Failure to have a valid BAA in place with any vendor that handles PHI can result in penalties for the covered entity, regardless of whether the vendor is outside the United States. The practical challenge lies in enforcing HIPAA provisions against foreign vendors, given jurisdictional limitations; the legal requirement for a BAA, however, is clear.
The globalization of healthcare services
The globalization of healthcare services is fundamentally shaped by technological advancement, economic imperatives, and the drive for improved patient outcomes. The rapid evolution of information and communication technologies (ICT) has been a cornerstone, reducing barriers of distance, time, and cost, and enabling unprecedented global collaboration.
One editorial article, ‘Globalization and the diffusion of ideas: why we should acknowledge the roots of mainstream ideas in global health’ by the International Journal of Health Policy and Management, shows that over 1,800 participants from more than 100 countries attended the second Global Symposium on Health Systems Research in Beijing.
Economic incentives are also a powerful driver. The globalization of health services often involves outsourcing functions such as medical billing, radiology interpretation, and IT support to foreign vendors. Precise statistics on cost reductions vary by context, but the literature consistently notes that such outsourcing is especially attractive in an era marked by escalating healthcare costs and resource constraints.
The above-mentioned study also cautions that the economic benefits of globalization are not evenly distributed. The imposition of health user fees, promoted by international organizations and adopted widely in low- and middle-income countries (LMICs), was intended to improve access to care but instead increased inequities and created barriers for vulnerable populations, leading many LMICs to eliminate these fees in pursuit of the health Millennium Development Goals.
Globalization also promotes a multidisciplinary approach by integrating holistic and complementary medical practices with conventional biomedicine. The exchange of information and expertise across borders enables the adoption of best practices and the creation of hybrid models of care that can address complex health challenges more effectively.
When does HIPAA apply to foreign vendors?
According to a law review paper by Grace Fleming from the University of Minnesota Law School, “HIPAA recognizes privacy as a fundamental right. However, it is still unclear whether this right must be recognized by U.S. organizations when they work outside of the country.”
HIPAA applies to foreign vendors when they are engaged by a US covered entity or business associate to perform functions or provide services that involve the creation, receipt, maintenance, or transmission of PHI. The determining factor is not the vendor’s physical location but rather their role and activities in relation to PHI.
If a foreign vendor acts as a business associate, it is contractually obligated through a BAA to comply with HIPAA requirements. This includes adhering to the Privacy Rule, Security Rule, and Breach Notification Rule.
HIPAA’s enforcement authority is primarily within the United States. US covered entities are required to ensure that all business associates, regardless of location, are contractually bound to HIPAA standards. The requirement extends to any subcontractors engaged by the foreign vendor who may also have access to PHI.
The matter of jurisdiction
According to the Springer study ‘Standalone Regulatory Agreements for Product-Development Collaborations in the Medical Products Industry’, which looks at the nature of contractual agreements across borders, “Medical-product companies often outsource research and manufacturing needs to contracting or partnering organizations but then must manage a challenging patchwork of regulatory activities. A standalone regulatory agreement could clarify the relationships and responsibilities between companies working jointly on a single regulated product.”
HIPAA requires that covered entities obtain BAAs from all business associates, but the practical ability to enforce these agreements across international borders is limited by jurisdictional constraints. US courts generally have limited authority over foreign entities, particularly if the vendor has no physical presence, assets, or operations in the United States. This limitation can make it challenging to hold foreign vendors accountable for breaches of PHI or non-compliance with HIPAA requirements.
To mitigate these risks, BAAs with foreign vendors often include specific provisions addressing choice of law, dispute resolution mechanisms (such as arbitration), and requirements for the vendor to submit to the jurisdiction of US courts or another mutually agreed-upon forum. Covered entities may require foreign vendors to maintain insurance or other financial assurances to cover potential liabilities arising from data breaches.
The effectiveness of these measures depends on the willingness and ability of the foreign vendor to comply with contractual obligations and the existence of reciprocal enforcement agreements between countries.
The cons of foreign vendors
Con: New cross-border data restrictions and contractual overheads
U.S. regulators are increasingly wary of bulk transfers of sensitive health data to foreign jurisdictions. In mid-May 2025, the U.S. Department of Justice issued final rules under Executive Order 14117, banning or heavily restricting transfers of bulk U.S. sensitive personal data (including PHI) to certain countries of concern.
A Holland & Knight article by Mark H. Francis, ‘U.S. Health Data Affected by New National Security Restrictions on International Data Transfers’, states: “The DOJ Rules are the most recent federal restrictions that encompass certain health-related data, and became effective on April 8, 2025…Importantly, they apply to bulk U.S. sensitive personal data, regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.”
Healthcare organizations now must revise every BAA and cloud contract that allows data to reside or transit through those jurisdictions, an expensive, time-consuming process that can stall data-sharing initiatives and force migrations between providers.
Con: Legal and liability uncertainties in case of breach
When a foreign-based email or cloud vendor suffers a breach, U.S. covered entities may find their legal recourse limited. In April 2025, focusing on the healthcare sector’s top attack vector, Paubox reported that 43.3% of all email-related breaches in 2024 involved Microsoft 365, often because data was stored or routed through non-U.S. data centers under shared responsibility models.
Those incidents triggered stiff OCR enforcement actions and multi-million-dollar penalties, even when the ultimate breach point lay outside U.S. jurisdiction. Providers end up footing much of the remediation cost, despite having secured a BAA, because contract-enforced indemnities can be challenging to enforce against a vendor outside U.S. courts.
FAQs
When does an entity become a business associate?
An entity becomes a business associate when it handles PHI while performing services or functions for a covered entity, such as claims processing, data analysis, quality assurance, billing, or IT support. It does not include members of the covered entity’s workforce but third-party organizations entrusted with PHI.
What are the responsibilities of a business associate under HIPAA?
Business associates must implement administrative, physical, and technical safeguards to protect PHI’s confidentiality, integrity, and availability. They must report breaches within 60 days of discovery, comply with the terms of the Business Associate Agreement (BAA), and assist covered entities in fulfilling their HIPAA obligations.
What privacy frameworks govern international health data transfers involving foreign vendors?
Transfers of health data from the EU to the U.S. involve frameworks like the EU-U.S. Privacy Shield (currently under judicial review) and Standard Contractual Clauses (SCCs). HIPAA’s Privacy Rule aligns closely with GDPR principles, but additional protections and explicit consent may be required for international transfers involving foreign vendors.