In short: if your company handles health data on behalf of US clients — software, language services, life science, hosting — you are most likely a Business Associate under HIPAA (Health Insurance Portability and Accountability Act), the US federal health privacy law. The obligations arrive by contract: you need a BAA (Business Associate Agreement), you do not need to move data to the United States, and “HIPAA certification” does not exist. Here is what it actually takes — and why companies that already run an ISO 27001 system start ahead.
HIPAA in a nutshell: why it reaches Italian companies
HIPAA protects PHI (Protected Health Information): health information that can be traced back to a person — medical records, reports, clinical trial and pharmacovigilance data, healthcare billing data. In electronic form it is called ePHI. The operational rules sit in two implementing regulations: the Privacy Rule (permitted uses and disclosures) and the Security Rule (security measures for ePHI), codified in 45 CFR Parts 160 and 164.
The law applies directly to Covered Entities — US healthcare providers, health plans and clearinghouses — and to their Business Associates: anyone who creates, receives, maintains or transmits PHI on their behalf. The chain does not stop at the first link: a Business Associate’s subcontractor is in turn subject to the same obligations.
HIPAA is not Italian law, and the OCR (Office for Civil Rights) of the HHS (Department of Health and Human Services) has no direct jurisdiction over a company in Piacenza or Milan. The constraint arrives by contract — and through the market: without HIPAA guarantees in writing, your American client cannot entrust you with health data.
The BAA: the contract that triggers the obligations
The Business Associate Agreement is the contract HIPAA mandates between a Covered Entity and a Business Associate — and, downstream, between a Business Associate and its subcontractors. It contains the elements the regulation expressly requires: permitted uses and disclosures of PHI, appropriate security safeguards, the obligation to report breaches and incidents to the client, the conditions for engaging subcontractors (bound in writing in turn) and the return or destruction of data at the end of the relationship.
The typical example: a US hospital or life science company (a Covered Entity, or itself a Business Associate) entrusts an Italian company with services that touch health data — medical translations, software development, data analysis, application hosting. The Italian company signs the BAA with its client; its own suppliers who see that data sign with it. It is the same transparency logic we apply to our public list of subcontractors: every link in the chain answers for the next one.
The right time to sign is before any PHI starts flowing: well-run US clients ask for it during due diligence, together with evidence of your security controls.
Myth to debunk: the data must stay in the US
HIPAA contains no data residency requirement whatsoever. The HHS guidance on cloud computing does not prohibit storage outside the United States: it requires the cloud service provider to sign a BAA and the risks — including jurisdictional ones — to be covered by the risk analysis.
For an Italian company, keeping data in European datacenters is often the most sensible choice: processing carried out in the EU remains subject to the GDPR anyway, and a single data residency simplifies both fronts. HIPAA and GDPR coexist without conflict — the former arrives by contract, the latter by law. If an American client demands US residency, that is their internal policy or a negotiating clause: legitimate, but not a HIPAA obligation.
Security Rule: the mapping to ISO 27001, 27017 and 27018
The Security Rule organises ePHI measures into three families: administrative safeguards (risk analysis, training, workforce and access management, incident response), physical safeguards (access to facilities, workstations and media) and technical safeguards (access control, auditing, integrity, encryption in transit).
Companies running an ISO/IEC 27001 ISMS already have the organisational machine: risk assessment, policies, access control, incident management, business continuity. The cloud controls of ISO/IEC 27017 and the protection of personal data in the cloud of ISO/IEC 27018 cover the cloud-specific ground. The official mapping guide is NIST SP 800-66 Rev. 2 (February 2024), which translates the Security Rule into concrete security controls: it is the starting point for comparing HIPAA requirements with your own Statement of Applicability.
HIPAA-specific requirements with no direct ISO equivalent remain: the BAA, the minimum necessary principle (processing only the minimum PHI needed for the purpose) and breach notification to the Covered Entity under the Breach Notification Rule, which requires notice without unreasonable delay and in any case within 60 days of discovery — a regulatory ceiling that contracts typically tighten. These are the first points a US client’s audit will focus on.
The Security Rule update: MFA and encryption becoming mandatory
On 6 January 2025 the HHS published the proposed revision of the Security Rule in the Federal Register (NPRM, Notice of Proposed Rulemaking): the first substantial change since 2013. The key points: mandatory multi-factor authentication, encryption of ePHI at rest and in transit, removal of the distinction between “required” and “addressable” specifications (today many measures are effectively negotiable, tomorrow they will not be), a technology asset inventory with a network map of ePHI flows, and an annual compliance review.
Status as of June 2026: the final rule was expected by May and has not yet been published. The direction, however, is clear, and it pays to design against the proposed requirements now: MFA and encryption are good practice anyway — and for companies within the NIS2 perimeter they are largely legal obligations already.
Cloud stack and HIPAA: what Microsoft covers, what stays with you
Microsoft includes its Business Associate commitments in its Data Protection Addendum: Azure and Microsoft 365 services can therefore host ePHI under the Microsoft BAA, including on European regions — the ones we use each offer 3 availability zones.
Mind the perimeter, though: the cloud provider’s BAA covers the infrastructure, not how you use it. Access configuration, multi-factor authentication, encryption, audit log retention, staff training and incident management remain the responsibility of whoever delivers the service to the end client — the shared responsibility model that applies to all cloud services. Signing the right BAA and then leaving an admin account without MFA is the fastest way to turn compliance into paper.
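As an added illustration (not code from the original article or from AtWorkStudio), a Python gap check that runs the proposed Security Rule points listed above (admin MFA, encryption at rest and in transit, audit log retention, a complete ePHI flow map) over a constructed technology asset inventory; the asset fields, the sample systems and the 365-day log retention threshold are assumptions, not figures from the rule.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class EphiAsset:
    """One system in the technology asset inventory (fields are assumed, not HIPAA text)."""
    name: str
    handles_ephi: bool              # creates, receives, maintains or transmits ePHI
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    admin_mfa: bool                 # MFA enforced on privileged/admin access
    audit_log_retention_days: int
    ephi_flows_to: List[str] = field(default_factory=list)  # edges of the ePHI network map


def gap_analysis(inventory: List[EphiAsset], min_log_retention_days: int = 365) -> List[Tuple[str, str]]:
    """Return (asset, gap) pairs for every ePHI-handling asset that misses a requirement.
    min_log_retention_days is an internal policy value (assumed), not a number from the rule."""
    known = {a.name for a in inventory}
    findings: List[Tuple[str, str]] = []
    for a in inventory:
        if not a.handles_ephi:
            continue  # out of scope: no PHI, no Security Rule obligation for this asset
        if not a.encrypted_at_rest:
            findings.append((a.name, "ePHI not encrypted at rest"))
        if not a.encrypted_in_transit:
            findings.append((a.name, "ePHI not encrypted in transit"))
        if not a.admin_mfa:
            findings.append((a.name, "privileged access without MFA"))
        if a.audit_log_retention_days < min_log_retention_days:
            findings.append((a.name, f"audit logs kept {a.audit_log_retention_days} days, "
                                     f"policy requires {min_log_retention_days}"))
        # An ePHI flow to a system nobody inventoried means the network map is incomplete
        for dest in a.ephi_flows_to:
            if dest not in known:
                findings.append((a.name, f"ePHI flows to '{dest}', which is missing from the inventory"))
    return findings


# Constructed sample inventory (illustrative values, not a real environment)
SAMPLE_INVENTORY = [
    EphiAsset("ehr-db", True, True, True, True, 400, ["translation-portal"]),
    EphiAsset("translation-portal", True, False, True, False, 90, ["vendor-sftp"]),
    EphiAsset("marketing-site", False, False, True, False, 30),
]

if __name__ == "__main__":
    for asset, gap in gap_analysis(SAMPLE_INVENTORY):
        print(f"{asset}: {gap}")
```

The same structure extends naturally to the annual compliance review: rerun it against the current inventory and diff the findings against last year's.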
Digital sovereignty: a contrarian note
The European debate on digital sovereignty often slides into maximalism: “we need European software”, “away from American providers”, as if the United States were a strategic adversary. The industrial reality is less ideological: in cloud, security and digital health, the world’s specialisation is largely concentrated in the US — where, incidentally, a great many Italian professionals work — and a huge share of Italy’s B2B economy lives on transatlantic relationships, including the many Italian companies owned by American groups.
For these businesses, the fear of “data in Europe but governed by American law” is often a false problem: if the parent company is American, US jurisdiction over the group exists anyway, by corporate structure, before data location even enters the picture. And Italy entrusts the United States with technology far more critical than a cloud ERP: the F-35 fighters, whose logistics and software updates depend on American infrastructure — public debate even reached a supposed “kill switch”, officially denied. Demanding European purism on SaaS while national defence flies on US platforms says a lot about how much the discussion has become more ideological than technical.
Pragmatism does not mean inattention: we know the effects of the CLOUD Act, we run Transfer Impact Assessments (TIA) when transfers require them, and we follow the European Data Act and AI Act closely. But data residency remains a tool, not a flag: we propose European datacenters when they simplify contracts and compliance — GDPR first — and we work comfortably within American corporate and regulatory chains when that is what the client requires, without marrying a single philosophy or taking sides. HIPAA, after all, works exactly like that: it follows contracts, not borders.
How AtWorkStudio helps
Transparency first: HIPAA certification does not exist, and no serious provider can claim to be “HIPAA certified”. What we do is bring the method of our certified management system to the HIPAA terrain: risk analysis, technical and organisational measures, verifiable documentation, a contractual chain with subcontractors. We already serve Italian businesses with users in the United States on managed cloud infrastructures.
We have been operating from Piacenza since 2000. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, ACN (Italian National Cybersecurity Agency) qualified for cloud services, members of Clusit (Italian Association for Information Security) and affiliated to Confindustria Piacenza in the RICT cluster.
Sources
- U.S. Department of Health and Human Services (HHS) — HIPAA Security Rule, 45 CFR Parts 160 and 164
- HHS Office for Civil Rights — Guidance on HIPAA & Cloud Computing
- Federal Register — HIPAA Security Rule Notice of Proposed Rulemaking, 6 January 2025
- NIST SP 800-66 Rev. 2 — Implementing the HIPAA Security Rule, February 2024
- The HIPAA Journal — “HIPAA Updates and HIPAA Changes in 2026”, updated 9 June 2026
- Microsoft — HIPAA Business Associate Agreement, Products and Services Data Protection Addendum
- F-35 Joint Program Office — statement on the alleged “kill switch”, March 2025