Data residency, flow, and sovereignty is an area where the rules are evolving quickly. For example, there used to be an adequacy arrangement between the EU and the USA called Privacy Shield (the successor to the earlier Safe Harbor agreement), but it was invalidated by the Court of Justice of the EU in 2020 (the Schrems II decision).
MedStack Control supports provisioning clusters across many cloud provider regions around the world.
- Data residency is where the data lives and is stored.
- Cross-border data flow is the transmission of data across a boundary between countries, or between any regions whose laws differ. This includes remote access: a support engineer in another country reading data is a transfer, even if the data never leaves its storage location.
- Data sovereignty is a governing body's right to control access to and disclosure of digital information within its jurisdiction, under its own laws.
When you create a cluster, the simplest approach is to create it in a region that lies within the geographical boundary of the jurisdiction whose laws govern the PHI you are storing and processing. Choose the region at provisioning time; moving a cluster's data to another region later is itself a cross-border transfer.
We always recommend consulting with a privacy professional, particularly if you are considering a different approach.
- In the United States, HIPAA does not mandate that PHI reside in the USA (see for example this FAQ). However, many hospitals and insurance companies require by contract that their data be stored in the USA, so check your customers' Business Associate Agreements and security questionnaires before choosing a region.
- Canadian provinces generally require health data to be stored in Canada, and the same usually applies to public sector data.
- GDPR restricts transfers of personal data outside the EEA to countries the European Commission has found to offer adequate protection, or to recipients covered by appropriate safeguards such as Standard Contractual Clauses. With Privacy Shield invalidated and no equivalent federal privacy law in the USA, as of this writing there is no adequacy decision for the USA, so you should not store EU data in the USA without a transfer mechanism in place. Adequacy status changes over time; check the current European Commission decisions.
Cross-border data flow
- Since HIPAA does not mandate data residency, it follows that cross-border transfers are also not restricted by HIPAA itself. Again, however, many Covered Entities have their own rules prohibiting cross-border transfers, and any recipient handling PHI on your behalf still needs a Business Associate Agreement regardless of where they are located.
- In Canada it varies by province. For example, Quebec has a rule similar to the EU's, requiring an assessment that data transferred outside the province receives equivalent protection, while British Columbia restricts public bodies and their service providers specifically. In some cases, users must be informed or their consent must be obtained.
- GDPR treats processing outside the EEA the same way as storage outside the EEA: the transfer rules apply to any access from a third country, including remote access by support staff, so in general processing should stay in the EEA unless a recognized transfer mechanism covers it.
- Note that HIPAA has something called the conduit exception for services that only transmit PHI, acting like a postal service or a telephone carrier, and have only transient access to it. For example, a VoIP provider does not need to be HIPAA compliant as long as it is not recording the sessions. The exception is narrow: HHS guidance states that a cloud service provider that stores ePHI is a Business Associate, not a conduit, even if the data is encrypted and the provider cannot decrypt it, so hosting infrastructure does not qualify.