Question: Our practice uses a small cloud services provider (CSP) based in Canada to store information. Does HIPAA still apply to our business arrangement since the vendor is outside the U.S.? Codify Subscriber Answer: Yes, HIPAA regulations still apply to this relationship. All of the rules about electronic protected health information (ePHI), including the need for business associate agreements (BAAs), are still in effect even when the partnering vendor is not based in the U.S. Expert opinion: “Be aware that HHS Office for Civil Rights [OCR] warns of increased risk to ePHI processed or stored outside of the U.S., especially if the server is in a country where cybersecurity risk is high,” says Grant Elliott, CEO of Ostendio and co-founder and president of the Healthcare Cloud Coalition (HC3). “More cloud service providers are touching ePHI every day,” Elliot continues. “While the OCR provides sample Business Associate Contract provisions as they relate to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules, it doesn’t state specifically how the contracted parties can be sure that the provisions are followed.” Review OCR guidance on writing up BAAs at www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.