Is HIPAA Only for US Sites, or Does It Have Global Relevance?

By Joseph Abear

HIPAA legally binds only US covered entities and their business associates, so a website based entirely outside the US is generally outside its scope. However, any site that handles protected health information (PHI) for a US healthcare organization can be pulled into HIPAA through a Business Associate Agreement (BAA), regardless of where the server sits. Data location alone does not determine applicability.

TL;DR: Quick answer

  • HIPAA's legal reach is limited to US covered entities and their business associates.
  • A site outside the US is generally outside HIPAA unless it serves a US covered entity.
  • A BAA can impose HIPAA obligations on any vendor, anywhere.
  • Server location does not by itself decide whether HIPAA applies.

Is HIPAA only for US sites?

HIPAA applies based on who the organization is and what it does, not on where a website is hosted. If you are a US covered entity or a business associate handling PHI, HIPAA applies to that data wherever the server lives. If you are neither, a US-hosted site does not become subject to HIPAA simply because of its location.

Does server location matter?

It is a factor in security and in other privacy laws, but it does not control HIPAA applicability. A US clinic that hosts PHI on an overseas server is still subject to HIPAA. A non-US business with no US covered-entity relationship is generally not subject to HIPAA even if it hosts in the US. The relationship and the data, not the geography, decide it.

When does a global site need to comply?

  • When it is operated by a US covered entity that handles PHI.
  • When it handles PHI as a business associate for a US covered entity, under a BAA.
  • When other laws, such as the GDPR, apply alongside or instead of HIPAA based on the users served.

Frequently asked questions

Does HIPAA apply to non-US websites?

Not by default. A non-US site is subject to HIPAA only if it serves a US covered entity as a business associate or is itself a covered entity.

Can a global SaaS be HIPAA compliant?

Yes. A global SaaS can meet HIPAA requirements and sign BAAs with US healthcare customers.

Does HIPAA depend on where my server is located?

No. Applicability depends on whether you are a covered entity or business associate handling PHI, not on server location.

Where to go from here

For the broader comparison of international laws, see "Is HIPAA universally applicable?".

This guide is general information, not legal advice.