HIPAA Business Associate Agreements for International Vendors
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ HIPAA has no geographic exemption for foreign vendors
- ✓ OCR has jurisdiction over covered entities that share PHI with offshore vendors
- ✓ BAA terms apply even when the vendor is in the EU, India, Philippines, or elsewhere
- ✓ EU vendors may also need a GDPR Data Processing Agreement alongside the HIPAA BAA
Why HIPAA Applies to Offshore Vendors
The HIPAA Privacy Rule and Security Rule regulate covered entities — healthcare providers, health plans, and clearinghouses — and their business associates. A business associate is defined as any person or entity that performs functions involving the use or disclosure of PHI on behalf of a covered entity. HIPAA contains no language exempting foreign entities from this definition.
OCR's enforcement authority extends to covered entities. If you, as a covered entity, share PHI with an offshore vendor without a BAA in place, you are in violation of HIPAA — regardless of whether the vendor's own jurisdiction would hold them accountable. The obligation sits with you, not just with the vendor.
In practice, this means that if your medical billing is handled by a company in the Philippines, your transcription is done by a team in India, or your EHR is hosted by a cloud provider in Europe, each of those arrangements requires a BAA before any PHI is transferred.
Common International Vendor Types That Require BAAs
- Offshore medical billing companies — Frequently used by small and mid-size practices for cost reduction; they receive claim data with full PHI
- Medical transcription services — Often India- or Philippines-based; receive audio recordings containing highly sensitive PHI
- IT support and managed services — Remote IT teams may access systems containing PHI in the course of support work
- Software development contractors — Offshore development teams building or maintaining health IT systems may have access to PHI in development or test environments
- Cloud infrastructure providers — If PHI is hosted in EU data centers of providers like AWS, Google Cloud, or Azure, a BAA with that provider is still required (most large cloud providers offer one)
Does a BAA Conflict with GDPR?
No — a HIPAA BAA and a GDPR Data Processing Agreement are complementary, not conflicting. If you are working with a vendor based in the EU, or a vendor that processes data about EU residents, you may need both instruments simultaneously.
A GDPR DPA governs the vendor's obligations under the General Data Protection Regulation for EU-based processing. A HIPAA BAA governs the vendor's obligations under US federal law for handling US patient PHI. The two agreements coexist and cover different legal regimes. An EU vendor who tells you their GDPR DPA is sufficient for HIPAA purposes is mistaken.
Negotiating a BAA with International Vendors
International vendors — especially those in countries with limited HIPAA awareness — may push back on signing a BAA or may present their own agreement that does not meet HIPAA's requirements. Here is how to approach this effectively:
- Send your own template first. Rather than asking the vendor if they will sign a BAA, provide a ready-to-sign document. BAA Generator produces compliant templates you can send immediately. See BAA negotiation strategies for more on this approach.
- Specify governing law. Your BAA should state that it is governed by US federal law and that HIPAA compliance is a material obligation.
- Address subcontractors explicitly. International vendors often use sub-vendors in multiple countries. Your BAA should require that they obtain BAAs from any subcontractors who will access the PHI.
- Include breach notification timelines. Offshore vendors may not be familiar with HIPAA's breach notification rules. Your BAA should specify the required notification timeline explicitly.
Subcontractor BAAs for Offshore Development Teams
If you contract with a US-based software development firm that uses offshore developers, the US firm is your business associate and must sign your BAA. However, if those offshore developers will access PHI — even in a test environment — the US firm must have its own BAAs with those subcontractors. Under the HITECH Act, subcontractors of business associates are themselves directly subject to HIPAA requirements. See subcontractor BAA requirements for the full breakdown.
A best practice when working with development teams that have offshore components is to require your US-based primary vendor to confirm in writing that their offshore team members are covered by either a BAA or equivalent written agreement meeting HIPAA's subcontractor standards.
Frequently Asked Questions
Does HIPAA apply to international business associates?
Yes. HIPAA has no geographic exemption. A covered entity's obligations apply regardless of where its business associates are located. If you share PHI with a vendor based in India, the Philippines, the EU, or anywhere else, a BAA is required. OCR enforcement targets the covered entity, so the responsibility is yours to ensure the BAA is in place.
Do offshore medical billing companies need BAAs?
Yes. Medical billing companies that access or process PHI are business associates under HIPAA, regardless of whether they operate offshore. A signed BAA is required before sharing any PHI with an offshore billing vendor. This is one of the most commonly overlooked BAA requirements in smaller practices that outsource billing internationally.
Can a GDPR Data Processing Agreement substitute for a HIPAA BAA?
No. A GDPR Data Processing Agreement (DPA) and a HIPAA BAA are separate legal instruments with different requirements. EU vendors handling US patient PHI need both: a GDPR DPA for their EU data processing obligations and a HIPAA BAA for their obligations to the covered entity under US law. The two agreements can coexist and should both be executed when working with EU-based vendors who handle PHI.
How do I negotiate a BAA with a vendor outside the US?
Start by sending your own BAA template rather than accepting the vendor's. Ensure it includes all required HIPAA elements under 45 CFR § 164.504(e), references applicable US law, specifies that HIPAA governs disputes related to PHI, and includes subcontractor BAA requirements for any third parties the vendor uses. If the vendor is unfamiliar with HIPAA, provide brief context explaining their obligations — many offshore vendors will sign a well-drafted BAA once they understand what it requires of them.