U.S. data localization laws reshape global healthcare outsourcing
NEW YORK, UNITED STATES — A wave of new United States federal regulations is forcing significant change across the global healthcare outsourcing sector, fundamentally altering how healthcare and life sciences companies approach outsourcing and data management.
Experts at a recent webinar hosted by the International Association of Outsourcing Professionals (IAOP) say health data localization rules and restrictions on offshore vendors are rapidly becoming the norm, pushing providers and their vendors to rethink sourcing strategies and operational risk.
“On the state side, there’s recent trends favoring data protectionism and disfavoring offshoring and non-domestic technology developments,” said Robert Kantrowitz, partner at Kirkland & Ellis, during the session.
In states like Arizona, Florida, and Texas, new electronic health records (EHR) laws now require that sensitive healthcare data be stored—and sometimes even accessed—exclusively within the United States or selected territories, creating a debate over whether even offshore read-only access is permissible.
“Providers and payers contracting with Arizona’s Medicaid program—and all the contractors and subcontractors—are required to comply with these minimum contracting provisions,” he outlined.
This creates a complex compliance landscape for organizations relying on global outsourcing partners, as they must ensure every entity handling data adheres to these geographical restrictions.
Federal crackdown tightens data handling rules
At the federal level, the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA) and subsequent executive actions prohibit U.S. companies from transferring sensitive health or genomic data to countries such as China, Russia, and Iran.
“The act generally prohibits data brokers from selling, licensing or transferring for consideration Americans’ personally identifiable sensitive data to certain foreign adversary countries,” Kantrowitz noted.
Notably, these measures disregard traditional de-identification or anonymization, responding to advances in artificial intelligence that can re-identify data.
These layers of regulation mean vendors face higher operational scrutiny. Robyn Marino, Legal Advisor for Vee Healthtek and Founder of Global Link Law, highlighted the stakes: “You’re never going to delegate your compliance responsibilities away. The regulators are always going to look to see the client… there’s not going to be a whole lot in terms of shifting liability when it comes to regulatory liability.”
Kantrowitz also mentioned America’s AI Action Plan, a federal strategy that outlines over 90 policy actions to accelerate U.S. innovation and infrastructure while countering foreign influence, particularly from China.
Meanwhile, he also notes another piece of legislation, which is the One Big, Beautiful Bill Act (OBBBA), creates tax incentives to boost domestic drug manufacturing by offering full expensing for U.S.-based research and development (R&D) and production facilities. On the other hand, the NVIDIA, AMD tax deal involves two major chipmakers agreeing to pay U.S. tax revenues for AI chip sales to China, reflecting broader efforts to control technology exports.
Such federal measures, together with state regulations, form an overlapping and relatively strict system through which firms have to work when their inquiries engage any overseas data exchange or outsourcing plan.
Sourcing diversification and compliance by design
Avinash Baliga, partner at Avasant, observed, “For providers, multisupplier redundancy has become almost default. Health systems are adding U.S.-based suppliers… to reduce sole source risk and probably also create more resiliency.”
He added, “We are moving from voluntary standards to enforceable laws, which means pretty much every firm has to monitor how the state and federal laws are evolving.”
AI adoption in healthcare faces its own hurdles, with Marino advising that businesses must ensure “the vendor or the tool… understands the obligations with regard to HIPAA,” while tracing intellectual property and patient data protections.
As U.S. regulatory expectations intensify, the era of seamless offshore healthcare outsourcing is fading fast. “Compliance is a journey,” Baliga concluded. “You’re never fully compliant. You need to understand the changing laws you need to comply with, but also how your organization can improve.”
