GDPR: The EU Law that Affects US Health Tech


When should American Health Tech companies conform to non-US laws?


When your business collects data from individuals outside of the US: In the case of the General Data Protection Regulation (GDPR), which has protected European citizens since 2018, US companies must comply with GDPR if they potentially collect and store personal information about citizens in Europe. The penalties are hefty, especially since fines are multiplied for each individual affected.


When business partnerships are affected by international legal principles: In the health care sector, lucrative and long-term business partnerships depend on intentionality about how data is collected, stored, and shared. Data interoperability, coupled with appropriate data protection, will be the foundation for successful business development conversations, especially when scaling beyond regional deals.


When similar laws are on the horizon to be passed in the US: The recently proposed update to HIPAA, along with multiple GDPR-type laws at the state level, provides a strong indication that the US is moving toward federal data protection laws that mirror Europe's GDPR.

GDPR-type laws stress "privacy by design," a concept requiring businesses to display intentionality around the data they collect, the method of collection, and the security of its storage. Intentionality as a principle, especially around regulatory alignment, could save the Health Tech industry billions each year compared with being reactive and retrofitting everything a few years down the line.

At its core, GDPR bestows eight basic rights on European citizens, which in turn create obligations for the businesses they interact with:

| Basic Right | Description of Individual Right | Business Obligation It Imposes |
|---|---|---|
| Right to access | Individuals have the right to request access to their personal data and to ask how their data is used by the business after it has been gathered | Business must provide a copy of the personal data free of charge (and in electronic format, if requested) |
| Right to be forgotten | Individuals have the right to withdraw their consent from a business to use their personal data | Business must delete all of the individual's personal data |
| Right to data portability | Individuals have a right to transfer their data from one service provider to another | Business must provide the data in a commonly used and machine-readable format |
| Right to be informed | Individuals have a right to know if their data is going to be gathered, and what data will be gathered, as well as a default right to opt in | Business must get explicit and freely given opt-in consent from the individual prior to data collection |
| Right to have information corrected | Individuals have a right to have their data updated if it is out of date, incomplete, or incorrect | If an individual requests such an update, the business must comply |
| Right to restrict processing | Individuals can request that their data not be used for processing | Business can collect and store the individual's data, but cannot use it for other purposes |
| Right to object | Individuals have a right to stop the processing of their data for direct marketing | Business must make this right clear to individuals in all communications and must stop processing the individual's data as soon as the request is received |
| Right to be notified | Individuals have a right to be informed if there has been a data breach which compromises their personal data | Business must provide this notice within 72 hours of first having become aware of the breach |

Have questions about what all this means for your specific health tech business and consumers? Reach out to us — we’d love to help!


© 2020 Elevation Health Consulting. All Rights Reserved.