Question: Our company uses a small cloud services provider (CSP) based in Canada. Does HIPAA still apply to our business arrangement?

Tennessee Subscriber

Answer: Yes, and all the rules about electronic protected health information (ePHI), including the need for business associate agreements (BAAs), still apply. Remember that the HHS Office for Civil Rights (OCR) warns of increased risk to ePHI processed or stored outside of the United States, especially if the server is in a country where cybersecurity risk is high. More cloud service providers are touching ePHI every day. While the OCR provides sample business associate contract provisions as they relate to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules, it doesn't state specifically how the contracted parties can be sure that the provisions are followed.
Therefore, you should proceed with your CSP just as you would any U.S.-based contractor or vendor, and pay careful attention to their privacy practices to ensure that your patients’ information is protected.