A U.K. hospital inadvertently stored patient data on an offshore server for a few days. U.S.-based healthcare entities need to keep security top of mind if they use offshore services to handle protected health information. HIPAA privacy and security rules do not directly address the question of the offshoring of PHI, says privacy attorney David Holtzman. Even if a covered entity has a business associate agreement with an offshore vendor that subsequently has a breach, the vendor could be out of luck if the vendor is located “in lawless jurisdiction””]
Source: https://www.govinfosecurity.com/offshoring-phi-addressing-security-issues-a-10530