Under the HIPAA Omnibus Rule, partners/vendors are directly liable for HIPAA compliance, including penalties for data breaches. But what happens if those vendors are located outside the U.S.? HIPAA doesn’t say anything about offshore partners/vendors.
Today, the list of patient data-related services provided by offshore vendors to U.S. healthcare organizations is extensive. HIPAA, unlike certain other federal statutes, does not have explicit extra-territorial reach.
This article offers a good perspective on all these issues.