HIPAA in Europe: Why EU Health Techs Must Comply with American Law (2024)

HIPAA in Europe may sound as oxymoronic as a curved straight line or easy-to-understand compliance rules. Although it's a US law, the truth is that HIPAA in Europe is a major driver in both Health Tech and technology in general. To give a little background, HIPAA is an American law that came into effect in 1996 and covers how the patient data of American citizens can be processed with and without the patient's consent.

Why should European companies care about HIPAA?

HIPAA in Europe: Why American Law Applies to European Tech Companies

While HIPAA is not overtly extraterritorial, meaning it is not written to apply outside the US, it is written to protect the data of US citizens no matter where in the world those citizens are. So, to use another legal term, HIPAA applies de facto outside the US.

Because HIPAA was written to protect the data of US citizens, it comes into effect when companies process or store the medical data of any US citizen. So, if your health tech company stores or processes the data of even one US citizen, HIPAA applies, and you need to come into compliance with it.


What HIPAA Fines Do EU Health Techs Face?

Getting an exact dollar figure on the potential fines is a challenge. They can range between $25,000 and $50,000 per individual record and can grow into multimillion-dollar fines. Fines can also be levied at both the federal and the US state level, so it gets very challenging. However, those fines don't account for the reputational damage that a health tech would face from a HIPAA fine. If a European company even wants to go to the US or get US investment, a HIPAA fine could kill those hopes.

How to Comply with HIPAA in Europe?

Complying with HIPAA not only mitigates the risk of fines and negative PR, it is also a unique selling point. If your health tech wants to work with US companies or operate in the US, then you need to comply with HIPAA. So, by coming into compliance, you are opening the door to a new market and to new business deals with American companies.

The good news is that some of what you need to do to comply with GDPR applies to HIPAA as well. You will need to tweak your privacy policy, how you gather consent and, most importantly, how you process and store the data. We offer a compliance audit and are happy to work with you to build a roadmap to come into compliance.

HIPAA in Europe is very much a piece of regulation that health techs need to comply with, not so much because of the risk of fines but more because of the opportunities that complying with HIPAA opens up for EU companies.

Author: Delena Feil