From HIPAA to SOC 2: Operating Cloud Infrastructure in Regulated Healthcare

Touch4IT
Jun 09, 2026

Healthcare in the United States is one of the most heavily regulated industries in the world. For European companies that understand how to navigate HIPAA, BAA, and data residency requirements, this is not a barrier; it is an opportunity.

Why Is This Important?

HIPAA is not a recommendation in the United States. It is the law. It governs control, security, and accountability.

Any European company processing U.S. healthcare data becomes a Business Associate (BA) and is therefore directly subject to HIPAA obligations, regardless of where it is headquartered.

In this article, we explain why an EU company can legally work with U.S. healthcare data, how the Covered Entity → Business Associate → sub-Business Associate model works, and what this looks like in practice through our BigHeart project.

Can a European Company Work with U.S. Healthcare Data?

Yes, it can.

HIPAA protects healthcare data in the United States, but it does not restrict the geographic location of processing, require personnel to be physically located in the U.S., or prohibit offshore operating models (HIPAA, 45 CFR Part 164; HITECH Act, 2009).

HIPAA regulates how data must be protected, what security measures must be in place, how access is controlled, and who is accountable. If these requirements are fulfilled, any company, including a European one, can operate within this framework.

The key lies in the legal position.

Any company that comes into contact with Protected Health Information (PHI), including through remote access, software development, or technical support, becomes a Business Associate under HIPAA definitions.

This creates direct liability for breaches, the obligation to implement the HIPAA Security Rule, and the requirement to sign a Business Associate Agreement (BAA) with the U.S. partner. Without a BAA, the model is not legally compliant.

In our specific case with the BigHeart project, data is physically stored in the United States, operations run within a U.S.-based public cloud environment, remote access is strictly controlled, and no data is exported to the EU.

This is a standard global operating model supported by a contractual compliance framework.

What Does It Mean in Practice to Be a HIPAA-Compliant Company?

Being a Business Associate is not a certification; it is a legal status with specific obligations (HIPAA, 45 CFR Part 164; HITECH Act, 2009).

The 2026 update to the HIPAA Security Rule further tightens requirements. Encryption standards (AES-256 at rest, TLS 1.3 in transit), mandatory MFA for all systems handling ePHI, and comprehensive audit logging become mandatory without exception; safeguards that were previously considered “addressable” are now required (MedicalITG, March 2026; Censinet, May 2026).

For cloud infrastructure, this has a direct impact: a platform cannot be HIPAA-compliant on paper only. Regulators require demonstrable and auditable controls.

Every vendor interacting with ePHI must have a signed BAA and provide annual written confirmation that the required technical safeguards are actively enforced (Medcurity, April 2026).

In addition, the following pillars must be fulfilled:

  • Data residency. HIPAA does not explicitly mandate U.S.-only storage, but in practice, virtually every U.S. covered entity requires it contractually through the BAA. In the BigHeart environment, all PHI remains within U.S.-based cloud infrastructure, with no copies, no backups in the EU, and no local storage. Remote access by EU personnel is permitted under controlled conditions; data export is not.
  • U.S. jurisdiction. An EU company must comply with U.S. law and accept the jurisdiction of U.S. courts to ensure enforceability (HIPAA, 45 CFR Part 164).
  • Incident response. The current HIPAA Breach Notification Rule requires reporting to HHS within 60 days of discovery (45 CFR Part 164.400–414). HHS's proposed 2024 Security Rule updates would tighten this to 72 hours, a direction that reflects growing regulatory expectations for faster incident response even before the rule change takes effect.
  • ISO 27001 and a mature compliance program. In the U.S. market, a strong internal compliance program is practically a prerequisite for an EU company to be accepted as a Business Associate.

At the same time, an EU company may also be subject to GDPR. This is not a conflict of regulations; it is a cumulative obligation. Both regulatory frameworks must be fulfilled simultaneously.

SOC 2 as an Entry Requirement for Enterprise Clients

HIPAA and SOC 2 are often discussed together, but they are fundamentally different tools serving different purposes (SOC 2 Auditors, April 2026).

HIPAA is the law.

SOC 2 is a voluntary audit framework that verifies whether an organization has functioning, consistently enforced security controls and can prove them to third parties.

In practice, a U.S. Covered Entity onboarding a vendor does not ask whether you are HIPAA-compliant. That is assumed.

Instead, they ask for:

  • a SOC 2 Type II report (SOC 2 Auditors, April 2026),
  • higher insurance coverage limits,
  • direct compliance reporting,
  • and stronger SLA commitments.

For an EU company entering the role of a Business Associate, not merely a sub-BA, SOC 2 Type II is effectively a market-entry requirement.

In 2026, SOC 2 audit expectations are becoming even stricter (Konfirmity, February 2026). Auditors increasingly expect zero-trust architecture, continuous monitoring, and automated evidence collection.

Having a security policy is no longer enough. Companies must demonstrate systems that are provably operational and continuously enforced.

The BigHeart Project: What This Looks Like in Production

BigHeart is a Chicago-based platform focused on patient engagement in preventive healthcare, primarily serving Medicaid recipients in Illinois.

At Touch4IT, we have been BigHeart’s long-term technology partner. Over six years, we jointly built a HIPAA-compliant platform that now serves more than one million Medicaid recipients and generates reimbursement reporting across multiple insurance providers.

This is not a pilot project. It is a production environment that operates with real patient data, state-level mandates, and strict auditability requirements. Within this ecosystem, we serve as a sub-Business Associate with controlled, audited access to PHI.

What did this specifically require from an infrastructure perspective?

  • HIPAA compliance by design. The architecture was designed around ePHI requirements from the beginning: encryption, role-based access control, and audit logs for every interaction with patient data.
  • Strict data residency discipline. All data remains within a U.S. public cloud environment. The EU team operates via controlled remote access only, with no copies or local storage.
  • Interoperability with real healthcare systems. Integration of ADT feeds, medical devices (DexCom, Withings), and payer systems.
  • Reimbursement-ready reporting. Data processing aligned with payer requirements, including payer-specific reporting protocols.

The results:

  • more than 70% active participation in preventive care programs,
  • 86% completion rates for chronic disease programs,
  • and a 72% reduction in care delivery costs through RPM programs.

Outcomes like these are not possible without compliance-ready infrastructure operating in the background, and without a clearly defined legal framework capable of withstanding both regulatory scrutiny and enterprise client requirements.

Compliance as a Competitive Advantage

Most technology companies avoid the U.S. healthcare market because of its regulatory complexity.

That same complexity is exactly why companies capable of navigating it gain access to opportunities with significantly less competition.

We have a six-year track record in production healthcare environments and a proven operational model for an EU company acting as a sub-Business Associate with real HIPAA responsibility.

We understand what this requires, technically, contractually, and from a compliance perspective.

If you are building a platform for the U.S. healthcare market and navigating questions around HIPAA, SOC 2, data residency, or Medicaid readiness, we would be happy to share what we have learned along the way.