GDPR and HIPAA: Expanding a US HealthTech Company to the EU
US HealthTech companies operating under HIPAA face a specific challenge when expanding into the EU. The privacy obligations are not the same and the data flows are not the same. HIPAA-compliant practices do not automatically satisfy GDPR, and several common US patterns are unworkable in the EU.
This page covers what changes when a US HealthTech company starts processing EU resident health data, what stays the same, and how to design the compliance program for both jurisdictions.
What each framework regulates
HIPAA is US federal law applicable to Covered Entities (healthcare providers, health plans, healthcare clearinghouses) and Business Associates. It regulates Protected Health Information (PHI), defined as individually identifiable health information held by a Covered Entity or Business Associate. HIPAA is enforced by the US Department of Health and Human Services Office for Civil Rights, with maximum penalties up to 1.5 million USD per violation category per year.
GDPR is EU privacy law applicable to any organization processing personal data of EU residents, regardless of where the organization is based. Health data is special category data under GDPR Article 9, requiring an Article 9 condition in addition to a general Article 6 lawful basis. Maximum fines are 20 million euros or 4 percent of global annual turnover.
The two frameworks share underlying privacy principles but differ substantially in scope, lawful basis requirements, data subject rights, and operational requirements.
What is the same
Both frameworks require security of health data. Encryption in transit and at rest, access controls, audit logging, and incident response are standard expectations under both.
Both frameworks require breach notification. The triggers and timelines differ, but both require notification of regulatory authorities and affected individuals in specified circumstances.
Both frameworks require minimum necessary use of health data. HIPAA's minimum necessary rule and GDPR's data minimization principle are conceptually similar.
Both frameworks require contracts with downstream processors. HIPAA Business Associate Agreements and GDPR Data Processing Agreements have different specific content but serve similar purposes.
Both frameworks impose obligations on senior leadership for compliance.
What is different
Lawful basis for processing. HIPAA permits use of PHI for treatment, payment, and healthcare operations without specific patient authorization. GDPR requires both an Article 6 lawful basis and an Article 9 condition for special category data. The most common Article 9 conditions for health technology are explicit consent (Article 9(2)(a)), processing necessary for the provision of health or social care under EU or member state law (Article 9(2)(h)), or processing necessary for reasons of public interest in public health (Article 9(2)(i)).
US HealthTech companies relying on the HIPAA "treatment, payment, operations" exception often cannot rely on the same approach in the EU. The Article 9 conditions are more restrictive and the operational scope of "treatment, payment, operations" under HIPAA exceeds what the corresponding Article 9 conditions cover.
Data subject rights. HIPAA grants patients certain rights (access, amendment, accounting of disclosures, restrictions). GDPR Articles 15 through 22 grant broader rights including portability, erasure, restriction, and objection. The right to erasure (Article 17) is particularly notable as HIPAA has no comparable right.
International data transfers. HIPAA does not regulate international transfers of PHI specifically. GDPR Chapter V requires specific mechanisms for transfers out of the EEA (Standard Contractual Clauses, Adequacy Decisions, Binding Corporate Rules, or specific derogations). Transfer Impact Assessments are required for transfers to countries without an Adequacy Decision, including the United States in most cases.
US-EU Data Privacy Framework. The Data Privacy Framework permits transfers of personal data from the EU to certified US organizations. Certification is voluntary and requires specific commitments. Many US HealthTech companies certify under the DPF to simplify EU-US data flows, though the DPF has been challenged in EU courts and ongoing legal uncertainty exists.
DPO appointment. HIPAA does not require a Data Protection Officer. GDPR Article 37 requires DPO appointment for organizations whose core activities consist of large-scale processing of special category data, a threshold most HealthTech companies meet.
Records of Processing Activities. HIPAA does not require a Record of Processing Activities (RoPA). GDPR Article 30 requires it.
Privacy notice content. HIPAA Notice of Privacy Practices has specific required content. GDPR Articles 13 and 14 have different and broader required content. A HIPAA NPP does not satisfy GDPR notice requirements.
Special category data of children. HIPAA has limited specific provisions for minors' data, deferring to state laws. GDPR Article 8 has specific requirements for children including age-of-consent provisions.
What needs to change when expanding to the EU
Lawful basis documentation. You need to document the GDPR Article 6 lawful basis and Article 9 condition for each processing activity involving health data of EU residents. This typically requires more granular consent management than HIPAA practices.
Consent management. For Article 9(2)(a) explicit consent, the consent must be specific, informed, freely given, and unambiguous. This is a higher bar than HIPAA's general authorization model. Operationally, this often requires consent capture at multiple points and a consent management system.
Privacy notices. EU-facing privacy notices must include the Article 13/14 required content. Maintaining separate notices for US versus EU users is common; some companies use a single global notice with jurisdiction-specific sections.
Data Processing Agreements with EU customers. EU customers (typically other Covered Entities or Business Associates in the EU) will require GDPR-compliant DPAs in addition to or in place of HIPAA BAAs.
International transfer mechanism. You need documented SCCs, DPF certification, or another transfer mechanism for transfers of EU resident health data to the US. Most US HealthTech companies use SCCs supplemented by Transfer Impact Assessments.
DPO appointment. Most US HealthTech companies processing EU resident data at scale need a DPO. This can be an internal employee or a fractional/outsourced DPO.
EU Representative. Non-EU companies offering services to EU residents typically need an EU Representative under Article 27. This is a separate role from the DPO and must be operationally separate per EDPB guidance.
Operational capability for EU-specific data subject rights. Erasure, portability, and other GDPR-specific rights require operational capability beyond HIPAA requirements.
Common operational patterns
US HealthTech companies entering the EU typically choose between three patterns:
Pattern 1: Separate EU entity and infrastructure. The company establishes an EU entity (often in Ireland or the Netherlands), routes EU customer data through EU-based infrastructure, and maintains operational separation from the US business. Pros: simpler GDPR compliance, fewer international transfer issues. Cons: higher operational cost, complex internal data flows.
Pattern 2: Single global infrastructure with transfer mechanisms. The company maintains existing US infrastructure and uses DPF certification or SCCs for transfers to the US. Pros: lower operational cost, single platform. Cons: complex transfer mechanism management, exposure to ongoing legal uncertainty around US data transfers.
Pattern 3: Hybrid. EU customer-facing infrastructure in the EU with backend operations in the US under transfer mechanisms. Pros: reasonable cost, simpler customer-facing posture. Cons: still requires transfer mechanism management.
Most early-stage US HealthTech companies start with Pattern 2 because it has the lowest operational overhead, then move to Pattern 3 or Pattern 1 as the EU business scales.
How Engage Compliance helps
We support US HealthTech companies expanding into the EU on the GDPR side, working alongside the company's existing HIPAA compliance team or HIPAA consultants. Common engagements include initial GDPR gap assessment, lawful basis and consent design, EU privacy notice drafting, DPA template development for EU customers, SCC and Transfer Impact Assessment work, DPO appointment, EU Representative service, and ongoing fractional DPO retainer.
We coordinate with your existing HIPAA compliance work rather than replacing it. HIPAA continues to apply to US data and US Covered Entity relationships; GDPR adds requirements for EU data and EU operations.
Get started
If you are a US HealthTech company evaluating or executing EU expansion, book a consultation. We will give you an honest assessment of the GDPR work required, what can leverage your existing HIPAA program, and what is genuinely new.