Is HIPAA International?


HIPAA is a concern for many businesses operating in the United States, but should it be a concern for international businesses? Does HIPAA apply internationally? Well, yes and no.

When Does HIPAA Apply Internationally?

HIPAA applies to international businesses under certain circumstances. When a business that operates outside of the United States works with companies that have access to the health information of United States residents, HIPAA can apply. 

Let’s make this simple. 

If you create, receive, transmit, or store patient protected health information (PHI) on behalf of your healthcare clients, you are a business associate and HIPAA applies. Common examples of international businesses that are subject to HIPAA include software providers, call centers, and IT service providers.

Rules for HIPAA International Data Transfer

What are the rules for HIPAA international data transfer? The HIPAA Security Rule requires organizations to ensure the confidentiality, integrity, and availability of PHI. As such, there are specific measures that must be taken to keep PHI secure during an international data transfer.

Before an international data transfer can occur, you must have a signed business associate agreement in place and must have implemented end-to-end encryption, user authentication, access controls, audit logs, and disaster recovery.

HIPAA allows international organizations to handle PHI if they are HIPAA compliant. Even if the international business cannot view PHI and simply stores the information, it must be HIPAA compliant.

Make Sure You’re HIPAA Compliant

If you work with U.S. healthcare companies, chances are you need to be compliant. We can help!

What Are HIPAA International Requirements?

As a HIPAA business associate, there are certain things you must do before you can work with healthcare organizations in the United States. 

Security Risk Assessments, Gap Identification, and Remediation

To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

HIPAA Policies and Procedures

To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.

HIPAA Training

HIPAA imposes employee training requirements that are the same regardless of the state in which the healthcare organization operates. HIPAA training must be provided to each employee who has the potential to access PHI. Training must be provided annually, and employees must legally attest that they understand and agree to adhere to the training material.

Business Associate Agreements

Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. 

You cannot use just any vendor and remain HIPAA compliant. The vendor needs to be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and to be responsible for maintaining their own compliance. When a vendor doesn't sign a BAA, it cannot be used for business associate services.

Incident Management

To comply with the HIPAA Breach Notification Rule, you must have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect a breach has occurred.

Learn How Simple Compliance Can Be

With HIPAA Compliance Software