hipaaiconDisaster Recovery-as-a-Service (DRaaS) ensures the continuity of your business during any disaster. However, choosing the right DRaaS provider for a secure business environment can be tricky, especially if you’re an organization covered by HIPAA and HITECH regulations.

If you’re considering international hosting and recovery, consider these questions first:

What If the Current Regulations Change?

Technically, you are able to select a hosting provider outside the United States. As of right now, the rules of HIPAA and HITECH fail to address the international aspect, leaving no requirements but also no protections. Many expect changes soon, since cloud hosting has become more common. If regulations are updated, will you have to move your data home? If so, how long would it take and what kind of exposure would you risk during this move? What would that cost your business?

Consider the recent drama around Safe Harbor. The EU decided it was no longer a valid mechanism to regulate safe transmission of EU Personal Data, and failed to immediately provide an alternative. This policy strike down left the entire world in a lurch. What happens if the same occurs for HIPAA?

Who Knows the Regulations Better?

An international provider might not understand the rules already in place. While there would be fewer vendors to choose from when selecting a domestic option, DRaaS providers based within the US will be more familiar with HIPAA regulations.

Also, what about other standards? Security laws of the hosting country might differ from those in the US. Make sure their encryption is up to par. If the standards of protection are different, your data may be vulnerable to a breach. Do they run employee background checks? Costs on paper don’t always match reality.

Will You Know Where the Data is Going?

Some DRaaS providers will send backups between datacenters or to other vendors. With global providers, your data could be traveling overseas on a regular basis. If you decide to terminate your relationship with an international provider, how will you locate and retrieve your data?

Healthcare companies require a certificate of destruction when terminating data. This ensures the data will not arrive into unwanted hands. Select a provider who understands the intricacies of this requirement and has a track record of being able to deliver.

Who is Liable?

HIPAA is not an international standard, therefore it isn’t governed by an international body. If you do business with an international hosting provider and a breach occurs, is that hosting provider legally obligated to comply with penalties and fines? If your international vendor can’t or won’t pay the fines, they still have to get paid. Make sure your contracts are air tight. When you select a domestic provider, the laws apply to both parties.

If there’s a breach and the international provider will not cover the costs, would your insurance cover it? Choose a provider that will sign a BAA (business associated agreement), which makes them liable to the protection of that data. (Not all domestic providers will sign a BAA.)

Can You Communicate with the Provider in Emergency?

With drastically different time zones, your daily operations might not align with an international provider. Will they respond to you and your clients’ needs during routine business operations, let alone during an emergency? This might mean less-than-proactive support.

Consider which option would encourage communication between parties. An international provider might not speak the same language or understand cultural nuances. What would be the impact of this in a time of crisis? Having clear communications ensures fewer missteps and delays, which leads to faster recovery.


When choosing a DRaaS solution to meet your HIPAA compliance needs, choose a provider that offers the most flexible solutions for your healthcare business, both in terms of technology and security. Bluelock only has US datacenters, so you can rest assured data won’t leave the US. We sign BAAs and have a history of performing complex DRaaS for healthcare organizations covered by HIPAA HITECH regulations.

For more information on how DRaaS supports compliance download this guide >> How to Achieve HIPAA’s 5 Contingency Plan Requirements with Disaster Recovery-as-a-Service



Blog Post

Compliance Needs? They’re Covered with Bluelock

When searching for the right solution to protect your sensitive data under compliance, it’s important to consider all of your options.

View Blog Post
Blog Post

Top Considerations for Healthcare IT When Considering Cloud

One of the biggest challenges facing healthcare organizations and providers today is the need to meet goals of healthcare reform and deliver safe, high-quality care at a lower cost.

View Blog Post
Blog Post

Disaster Recovery for Sensitive Data

Many organizations are investing in the security of their primary datacenter, but what about their disaster recovery infrastructure?

View Blog Post