Safeguard
Compliance

Is HIPAA International? How U.S. Health Privacy Rules Reach Overseas

HIPAA is a U.S. law, not an international standard, but its obligations follow protected health information across borders through covered entities and business associates.

Safeguard Research Team
Research
5 min read

HIPAA is not an international standard. It is a U.S. federal law, but its obligations can follow protected health information (PHI) across borders whenever a covered entity or business associate handles that data, regardless of where the organization or its servers sit. So the honest answer to "is HIPAA international" is: no by default, yes in effect for anyone in the chain of handling U.S. PHI. That distinction matters for any company outside the United States that works with American healthcare data.

HIPAA attaches to roles, not geography

The Health Insurance Portability and Accountability Act regulates two categories of actor. A covered entity is a healthcare provider, health plan, or clearinghouse. A business associate is anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity. HIPAA's rules apply based on which of those roles you occupy and what you do with PHI, not based on the country you operate from.

That is the key mental model. If your company is a business associate handling PHI for a U.S. covered entity, your HIPAA duties apply whether your office is in Boston or Bangalore. The law follows the data and the relationship, not the map.

When a foreign company falls under HIPAA

A company based outside the United States becomes subject to HIPAA obligations when it acts as a business associate to a U.S. covered entity or another business associate. Common real-world examples:

  • An overseas teleradiology group reading scans for a U.S. hospital.
  • A foreign medical transcription vendor processing U.S. clinical notes.
  • An offshore software or cloud service that stores or processes PHI for a U.S. health app.
  • A support or billing operation handling U.S. patient records.

In each case, the foreign vendor is expected to sign a Business Associate Agreement (BAA) and takes on direct responsibility for the relevant HIPAA requirements. By contrast, a healthcare provider outside the U.S. treating its own local patients is governed by its local privacy laws, not HIPAA, because there is no U.S. covered-entity relationship in play.

Does HIPAA restrict storing PHI abroad?

This surprises people: HIPAA does not prohibit transferring or storing PHI outside the United States. The U.S. Department of Health and Human Services has been explicit that the rules permit using a cloud service provider that stores electronic PHI on servers outside the U.S., as long as the HIPAA safeguards are met. The law cares about the obligations (access controls, encryption, breach notification, a signed BAA), not the physical location of the bytes.

There is a practical caveat HHS notes: storing PHI overseas can introduce additional risks that your risk analysis must account for, such as differing legal regimes for government access. So while HIPAA permits it, your Security Rule risk assessment should address it deliberately.

HIPAA versus international privacy laws

Because HIPAA is jurisdiction-specific, a global healthcare operation often has to satisfy several regimes at once. HIPAA governs U.S. PHI handling; the EU's GDPR governs personal data of people in the EU; other countries have their own health-data rules. These frameworks overlap in spirit (safeguard sensitive data, limit use, notify on breach) but differ in scope, definitions, and enforcement. HIPAA is narrow and sector-specific; GDPR is broad and applies to nearly all personal data. Complying with one does not automatically satisfy the other, and a business associate serving both U.S. and EU clients must map controls to both.

What this means operationally

If you are outside the U.S. and touch American PHI, treat HIPAA as in scope and act accordingly: sign the BAA, implement the Administrative, Physical, and Technical Safeguards of the Security Rule, encrypt PHI in transit and at rest, maintain access logging, and have a breach-notification process. A lot of that overlaps with controls you likely already run for SOC 2 or ISO 27001, so the incremental work is often mapping and documentation rather than net-new engineering. Our academy has material on reconciling overlapping compliance frameworks so you build a control once and map it to many.

FAQ

Is HIPAA an international law?

No. HIPAA is a U.S. federal law. It is not an international standard, but its obligations extend to any covered entity or business associate handling U.S. protected health information, including organizations located outside the United States.

Does HIPAA apply to companies outside the United States?

It can. A foreign company that acts as a business associate, creating, receiving, maintaining, or transmitting PHI on behalf of a U.S. covered entity, is subject to HIPAA obligations and is expected to sign a Business Associate Agreement.

Can protected health information be stored on servers outside the U.S.?

Yes. HIPAA does not prohibit storing PHI abroad. HHS has confirmed that a cloud provider may store electronic PHI on overseas servers provided the HIPAA safeguards are met, though your risk analysis should account for the added jurisdictional risk.

Does HIPAA compliance satisfy GDPR?

No. HIPAA and GDPR are separate regimes with different scope and definitions. HIPAA is narrow and health-sector specific, while GDPR covers nearly all personal data of people in the EU. An organization serving both markets must map its controls to each framework independently.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.