Does HIPAA apply to data brokers?
Data brokers typically aggregate and sell health-related data obtained from various sources like public records and health apps. A journal article...
A journal article published in Big Data & Society states that data sovereignty “typically relates in some way to meaningful control, ownership, and other claims to data or data infrastructures.” Digital information is subject to the laws and regulations of the country it is physically stored in.
With cloud computing and global data transfers now common in major sectors, organizations need to understand the data sovereignty laws of each jurisdiction they operate in and how sensitive data is handled in that specific country.
Because data sovereignty laws require data to be stored and governed under the laws of the country where it physically resides, healthcare organizations are placed in a precarious position. Covered organizations must ensure the security of protected health information (PHI) in compliance with HIPAA even when it is stored on servers abroad. This creates a challenge: countries with conflicting or lax privacy regulations make it difficult to ensure cross-border compliance.
An example is a U.S. hospital that uses a cloud service provider with data centers in multiple countries. If one of the servers where PHI is stored is located in Europe, the European Union’s General Data Protection Regulation (GDPR) would also apply. GDPR imposes stricter rules on the processing and transfer of personal data than U.S. law.
If email service providers store data in foreign countries with different sovereignty laws, there is a risk that emails are routed through international servers, creating vulnerabilities that could lead to breaches. This is common in cases where data may be subject to the legal demands of foreign governments or compromised by weaker privacy standards.
A Journal of Artificial Intelligence and Cloud Computing study states, “Cloud providers, by virtue of the extended access they have to customer data and metadata required for service delivery, could at one point use such access for unethical things such as incorrectly sharing without consent or profiling illegally.” To avoid these risks, healthcare organizations need to assess where their cloud service providers’ servers are located and how the physical location of those servers affects data access and vulnerability.
Related: How cloud storage location affects HIPAA compliance
Data localization:
Jurisdictional transparency:
Provider contract clauses:
Secondary data use limitations:
Clear response plans:
Related: What is HIPAA compliant hosting?
Hosting refers to the service of storing and delivering websites, applications, and data on servers so they can be accessed over the internet.
HIPAA focuses on protecting health information while GDPR regulates data privacy for all individuals within the European Union.
Protected health information (PHI) refers to any information related to a person’s health status, healthcare provisions, or payments for healthcare.