A UK-based clinical research organisation receives a contract from a Boston hospital. The contract includes a 47-page Business Associate Agreement, references to 45 CFR Parts 160 and 164, and a requirement to notify the covered entity within 60 days of any breach. The UK firm's data protection officer, fluent in UK GDPR, has never signed a HIPAA BAA. The contract is worth a significant sum. The deadline to return it signed is Friday.

This scenario plays out across UK medical transcription firms, clinical SaaS vendors, telehealth platforms, pharmaceutical CROs, and healthcare AI startups every week. HIPAA — the US Health Insurance Portability and Accountability Act of 1996, as amended by HITECH (2009) and the Omnibus Rule (2013) — has extraterritorial reach the moment a UK organisation touches Protected Health Information (PHI) on behalf of a US covered entity.

The UK GDPR alone does not satisfy HIPAA. Our consultants see UK firms lose US contracts, and occasionally face HHS Office for Civil Rights investigations, because they assumed otherwise. Here is what HIPAA compliance for UK firms handling US patient data actually requires.

When HIPAA applies to a UK firm

HIPAA imposes obligations on two categories: covered entities (US health plans, healthcare providers, and healthcare clearinghouses) and business associates (anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity). A UK firm becomes a business associate the moment it signs a BAA — or starts processing PHI without one, which is itself a violation.

Subcontractors of business associates are also bound. If your UK firm processes PHI received from a US-based business associate, you are a downstream business associate and HIPAA's Security Rule, Privacy Rule, and Breach Notification Rule apply directly to you. The 2013 Omnibus Rule made this explicit, extending liability through the entire subcontractor chain.

Geography is irrelevant. The HHS Office for Civil Rights has jurisdiction over any entity processing US PHI regardless of where the servers sit or where the staff work. Brexit changed nothing here, and neither does the UK Data Protection Act 2018. A UK firm processing PHI for a US covered entity is directly subject to HIPAA enforcement.

What the Security Rule actually demands

The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires administrative, physical, and technical safeguards for electronic PHI. Unlike UK GDPR's principle-based approach, the Security Rule is prescriptive. Specifications are either "required" or "addressable" — and "addressable" does not mean optional. It means you must implement it, document an equivalent measure, or document why it is not reasonable and appropriate. Each addressable specification requires a written rationale.

The technical safeguards include access controls with unique user identification, automatic logoff, encryption of ePHI at rest and in transit, audit controls capturing system activity, and integrity controls. Unlike UK GDPR's broader data security obligations, the Security Rule specifies the mechanisms — automatic logoff within a defined inactivity period, encryption with specified algorithms, audit logs with defined retention.

The administrative safeguards mandate a designated Security Official, workforce training, a formal risk analysis (this is the one OCR enforces hardest), contingency planning, and incident response procedures. The risk analysis must be conducted in accordance with the NIST methodology specified in the HIPAA Security Series guidance, not a generic risk assessment framework.

The Breach Notification Rule (45 CFR §164.410) gives business associates 60 days from discovery to notify the covered entity. Not 72 hours like UK GDPR. The clock starts when any workforce member should reasonably have known — a lower threshold than "actual knowledge" and one that requires documented awareness training to defend.

Why this matters now

OCR enforcement has tightened significantly. The HHS resolution agreements published throughout 2024 and 2025 show a clear pattern: failure to conduct an accurate and thorough risk analysis is the single most cited violation, followed by missing or inadequate BAAs. Settlements for US entities regularly reach substantial figures, and OCR has shown willingness to pursue international business associates.

Separately, the HHS proposed updates to the Security Rule published in the Federal Register on 6 January 2025 would, if finalised, remove the "addressable" category entirely, mandate multi-factor authentication, require encryption of all ePHI, and introduce 72-hour restoration requirements. These changes, if enacted, would meaningfully increase the compliance burden for UK business associates. UK firms should track this rulemaking and assume the floor is rising.

For UK firms, the intersection of HIPAA and UK GDPR creates dual-compliance complexity. A PHI breach triggers both HIPAA's 60-day notification to the covered entity and UK GDPR's 72-hour notification to the ICO. The two regulatory responses must be coordinated, and the UK organisation's incident response plan must account for both timelines simultaneously.
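As an added illustration, not part of the original article, the following Python helper turns the two timelines above into concrete deadlines: it starts the clock at the earlier of actual knowledge and the point a workforce member should reasonably have known, and honours a shorter contractual BAA window where one was negotiated. ISO-8601 string inputs, the regime labels, and starting both regimes' clocks from the same discovery timestamp are assumptions of this example.

```python
from datetime import datetime, timedelta

# Statutory windows named in the article: 45 CFR 164.410 (business associate
# to covered entity) and UK GDPR Art. 33 (controller to the ICO).
HIPAA_STATUTORY_WINDOW = timedelta(days=60)
UK_GDPR_ICO_WINDOW = timedelta(hours=72)


def _parse(ts):
    """Parse an ISO-8601 timestamp and insist on a UTC offset: UK and US
    clocks differ, and a naive timestamp silently shifts the deadline."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {ts!r} must carry a UTC offset")
    return dt


def discovery_time(actual_knowledge, should_have_known=None):
    """HIPAA's clock starts at the earlier of actual knowledge and the
    moment a workforce member should reasonably have known."""
    known = _parse(actual_knowledge)
    if should_have_known is None:
        return known
    return min(known, _parse(should_have_known))


def notification_deadlines(actual_knowledge, should_have_known=None, baa_days=None):
    """Return (regime, ISO deadline) pairs, earliest first.

    baa_days is a contractual window from the BAA, if negotiated. A window
    longer than 60 days is ignored because the statute still governs.
    Assumption for this example: both regimes run from the same discovery time.
    """
    discovered = discovery_time(actual_knowledge, should_have_known)
    hipaa_window = HIPAA_STATUTORY_WINDOW
    if baa_days is not None and timedelta(days=baa_days) < hipaa_window:
        hipaa_window = timedelta(days=baa_days)
    deadlines = {
        "UK GDPR: ICO": discovered + UK_GDPR_ICO_WINDOW,
        "HIPAA: covered entity": discovered + hipaa_window,
    }
    ordered = sorted(deadlines.items(), key=lambda kv: kv[1])
    return [(regime, dt.isoformat()) for regime, dt in ordered]


if __name__ == "__main__":
    # Constructed sample: IT confirmed the incident on 3 March, but a helpdesk
    # ticket describing it had been raised on 24 February (should have known).
    for regime, due in notification_deadlines(
        "2025-03-03T09:00:00+00:00", "2025-02-24T17:30:00+00:00", baa_days=30
    ):
        print(f"{regime:22s} due {due}")
```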

Practical implementation steps

For UK firms onboarding US healthcare data clients, work in this order:

  1. Conduct a HIPAA Security Risk Analysis covering every system, application, and process that will touch PHI. Document threats, vulnerabilities, likelihood, impact, and remediation. This is the document OCR will demand first in any investigation. Use the HHS Office for Civil Rights Security Risk Assessment Tool as a starting point — it provides the methodology OCR expects.
  2. Negotiate the BAA carefully. Many US covered entities include indemnification clauses, audit rights, and breach notification windows shorter than the statutory 60 days. Read every clause. Push back on unreasonable terms. The standard US healthcare BAA is a starting point for negotiation, not a take-it-or-leave-it document.
  3. Map data flows. Identify exactly where PHI enters, where it is stored, who accesses it, and where it leaves. UK firms using US-region AWS or Azure tenants must verify the cloud BAA covers your specific services — and that the cloud provider has a signed BAA with you, not just with your US customer.
  4. Implement the workforce sanctions policy. HIPAA requires documented disciplinary procedures for workforce violations — from verbal warnings through termination. Your existing UK HR policies likely do not satisfy this requirement without amendment.
  5. Build the audit log. HIPAA requires six years of retention for documentation. Not six months. Ensure your logging infrastructure can store and search HIPAA-relevant audit trails across that retention period before you accept any PHI.

Common mistakes we see

UK firms treat HIPAA as "GDPR with American spelling." It is not. UK GDPR focuses on lawful basis and data subject rights; HIPAA focuses on safeguards and accountability mechanisms. The overlap is partial, and the gap areas are where enforcement action concentrates.

Teams assume ISO 27001 certification proves HIPAA compliance. It does not. ISO 27001 is an excellent foundation and reduces the implementation lift considerably, but HIPAA has specific requirements — particularly around workforce training content, BAA management, security risk analysis methodology, and sanctions policies — that ISO 27001 does not directly address. Our consultants typically find 15-25% additional control effort is required on top of a mature ISO 27001 ISMS.

Firms forget the international data transfer dimension. Sending PHI from the US to the UK triggers HIPAA's safeguard requirements. Sending it onward to a sub-processor in India, the Philippines, or another jurisdiction triggers a chain of BAAs that must be documented and maintained. Each link in the chain must hold a signed BAA that meets HIPAA's requirements.

Frequently asked questions about HIPAA for UK firms

Do we need a US presence to be a HIPAA business associate?

No. Geography is irrelevant to HIPAA jurisdiction. A UK firm with no US office, US staff, or US infrastructure is directly subject to HIPAA obligations the moment it processes PHI on behalf of a US covered entity. The HHS Office for Civil Rights has jurisdiction over any entity handling US patient data, regardless of where it is based.

Does UK GDPR already cover what HIPAA requires?

Partially, but the gaps are significant. UK GDPR and HIPAA share principles around data security, access controls, and breach notification, but HIPAA is more prescriptive on specific safeguards (risk analysis methodology, workforce training content, BAA requirements) and has different notification timeframes. Our consultants recommend a side-by-side gap analysis rather than assuming UK GDPR programmes satisfy HIPAA requirements.

What happens if we violate HIPAA as a UK business associate?

OCR can impose civil monetary penalties, enter into a resolution agreement with corrective action requirements, and pursue injunctive relief through the US Department of Justice. While OCR has historically focused on US entities, the agency's jurisdiction clearly extends to international business associates, and enforcement activity in this area has increased. UK firms should also consider the reputational consequence — losing the ability to serve US healthcare clients is a material business risk.

How Pyralink helps

Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our team builds HIPAA business associate compliance programmes for UK healthcare technology firms, CROs, and SaaS vendors entering the US market.

We conduct the formal Security Risk Analysis to OCR's expected standard, draft and review Business Associate Agreements, design the administrative and technical safeguards, and run workforce training tailored to UK staff handling US healthcare data. Our CloudAuditX platform provides continuous monitoring of the cloud environment supporting your HIPAA programme, reducing the manual evidence burden between OCR investigations or customer audits.
