The HIPAA privacy regulation is, of course, a U.S. federal law. However, human subject research has porous borders — some UAMS research studies involve identifiable health information originally created/collected outside the U.S. We recently reviewed a study that involved clinically created data collected outside the country and then brought to UAMS. That got us to wondering whether these data are subject to HIPAA.
Turns out the answer is yes — identifiable health information originally created or collected outside the U.S. must comply with HIPAA once it is brought to the U.S. That’s because, in the words of UAMS HIPAA Compliance Officer Heather Schmiegelow, “HIPAA applies to health information we create, maintain and receive. While we did not create it, we have now received it and are maintaining it so HIPAA applies.”
We appreciate Heather’s help in clearing this question up for us.