Question: Does the HIPAA regulation apply to information gained abroad that is used or stored in the United States?
North Dakota Subscriber
Answer: Yes, once information hits the United States and becomes stored here, it becomes personal health information (PHI) and is protected.
Remember: Health information is protected to the extent that it is created or maintained by a covered entity. So, even if a patient's information was not necessarily created in your office, if one of your physicians is gathering or maintaining it for use in the United States, it is PHI.
Example: If a California resident sought medical care while on vacation in Spain, and then her resulting health information was transmitted to her optometrist in Berkeley, Calif., HIPAA would cover that.
Protecting the information won't cost anything. So, for those physicians practicing abroad with the intent to store information in the United States, there's no harm in providing a notice of privacy practices (NPP).
Best Practice: Get an authorization from patients in other countries if you know their information will be used and maintained here in the United States.
The Bottom Line: Once patients' health information hits United States soil, it is protected by the HIPAA privacy and security rules, experts say. To be safe, physicians who collect and maintain PHI from patients in other countries can obtain an authorization.