Healthcare Data Compliance: HIPAA, GDPR, and HITRUST

May 22, 2026

Healthcare data compliance is no longer a narrow legal or security topic. It has become a core issue for every organisation that collects, uses, hosts, analyses or shares health-related information. Healthcare providers, digital health companies, insurers, research organisations, SaaS vendors and technology partners all face the same underlying challenge: health data is both operationally essential and highly sensitive.

This sensitivity is not limited to medical records. Health data may reveal a person’s diagnosis, treatment, medication, disability, genetic characteristics, mental health, fertility, lifestyle, location, behaviour or risk profile. It may be generated in a hospital, in a mobile app, through a wearable device, during a teleconsultation, as part of an insurance claim or within an AI model.

This is why healthcare data compliance cannot be reduced to a privacy notice, a consent form or a security questionnaire. It requires a structured governance model, a clear understanding of applicable laws, robust contractual controls, effective cybersecurity measures and continuous evidence that the organisation remains in control of its data flows.

Why healthcare data compliance matters

Healthcare depends on trust. Patients disclose information because they believe it will be used for their care, protected against misuse and shared only where appropriate. When this trust is weakened, the consequences are not only legal or reputational. Patients may withhold information, clinicians may lack the full picture, and organisations may lose the confidence of partners, regulators and users.

At the same time, healthcare has become increasingly digital and interconnected. Patient portals, telemedicine platforms, remote monitoring, connected devices, cloud hosting, outsourced billing, research databases and AI-enabled tools have multiplied the number of actors involved in health data processing. Data no longer remains within the walls of a hospital or clinic. It moves across systems, vendors, jurisdictions and use cases.

This creates a practical compliance problem. An organisation may understand its core medical activity, yet have limited visibility over how data is used by support tools, cloud providers, analytics platforms, mobile applications or subcontractors. The real risk often lies in these operational blind spots.

A mature healthcare data compliance programme therefore starts with a simple question: can the organisation demonstrate, in practice, who processes which data, for what purpose, under which legal framework, with which safeguards, and with what evidence?

What counts as healthcare data?

Healthcare data is broader than many organisations assume. It includes clinical information such as diagnoses, prescriptions, lab results, imaging reports, treatment notes, care plans and hospital records. It also includes administrative information when linked to care, such as appointment history, billing data, insurance claims, patient identifiers or communications with medical staff.

Digital health has expanded the perimeter even further. A sleep pattern, heart rate, fertility cycle, symptom tracker, medication reminder or location signal may, depending on the context, reveal information about a person’s health. AI-generated scores, clinical predictions and risk classifications may also become health-related data when they are linked to an individual.

The legal qualification of this data depends on context. Under the GDPR and UK GDPR, data concerning health is generally treated as special category data and benefits from enhanced protection. Under HIPAA, the central question is whether the information qualifies as protected health information and whether it is handled by a covered entity or business associate. Outside HIPAA, consumer health data may still fall within the scope of other privacy, breach notification or state-level health data laws.

This distinction is critical. A company may handle highly sensitive health-related information without being directly subject to HIPAA. Conversely, an organisation subject to HIPAA may also need to comply with GDPR, UK GDPR, state consumer health laws, medical device rules or contractual security obligations.

The main regulatory frameworks

In the United States, HIPAA remains the central framework for protected health information handled by covered entities and business associates. It requires privacy and security safeguards, risk analysis, access controls, policies, training, business associate agreements and breach notification processes. HIPAA is therefore essential, but it is not universal. It does not automatically cover every health app, wellness service, wearable provider or direct-to-consumer digital health tool.

This is where the FTC Health Breach Notification Rule becomes important. Certain vendors of personal health records, PHR-related entities and service providers may have breach notification obligations even when they fall outside HIPAA. The development of health apps and connected devices makes this analysis increasingly relevant. Being “outside HIPAA” should never be treated as meaning “outside health data compliance”.

For organisations operating in or targeting Europe, the GDPR and UK GDPR impose a different logic. Health data is usually special category data, which means that organisations must identify both a lawful basis for processing and a specific condition allowing the processing of such sensitive information. The territorial scope of the GDPR also needs to be assessed carefully. It does not apply merely because an individual is an EU citizen. It may apply where an organisation is established in the EU, or where a non-EU organisation targets individuals in the EU by offering goods or services or monitoring their behaviour.

In the European Union, the European Health Data Space adds another layer. It will progressively reshape the way electronic health data is accessed, exchanged and reused, both for primary care and for secondary uses such as research, innovation, policy-making and regulatory activities. Organisations should already factor this evolution into their data governance, interoperability and secondary-use strategies.

In France, health data hosting also requires specific attention. Depending on the activity, organisations hosting personal health data collected in the context of prevention, diagnosis, care or medico-social follow-up may fall within the HDS certification framework. This is particularly relevant for SaaS vendors, cloud providers, digital health platforms and technology partners supporting healthcare actors.

The key point is that healthcare data compliance is rarely governed by a single framework. The applicable rules depend on the organisation’s role, the type of service, the location of individuals, the purpose of processing, the legal status of the data, the technologies used and the contractual position of each actor.

From legal qualification to operational control

The first mistake in healthcare data compliance is to begin with documentation before understanding data flows. A privacy notice, data processing agreement or security policy will only be credible if it reflects the organisation’s real operations.

A robust programme begins with data mapping. The organisation needs to understand where health data enters, where it is stored, which systems process it, which vendors access it, where it is hosted, how long it is retained and whether it is reused for analytics, research, product improvement or AI development.

This mapping should not be limited to clinical systems. In practice, health data often appears in customer support tools, billing platforms, CRM systems, email exchanges, file-sharing folders, data warehouses, testing environments, logs, screenshots and internal collaboration tools. These secondary locations are often where compliance weaknesses emerge.

Once data flows are understood, the organisation can allocate legal roles. The same actor may be a controller for one activity, a processor for another, a business associate in a HIPAA context, a SaaS vendor in another, or a provider of an AI system under sector-specific rules. These roles determine contractual obligations, liability, transparency duties, security expectations and incident notification requirements.

Only then can the organisation build the right documentation. This may include records of processing activities, DPIAs, HIPAA risk analyses, business associate agreements, data processing agreements, data sharing agreements, vendor assessments, security schedules, transfer assessments, incident response procedures and AI governance documents.

Security is not just a technical issue

Healthcare data security must protect confidentiality, integrity and availability. Confidentiality matters because patients expect their information to remain protected. Integrity matters because incorrect or altered health data may affect care. Availability matters because healthcare organisations need access to reliable information when delivering services.

This is why cybersecurity in healthcare cannot be treated as a purely IT topic. Access governance, authentication, encryption, audit logging, backup, recovery, vendor access, vulnerability management and incident response all have legal and operational consequences.

A common weakness is excessive access. Healthcare environments often grant broad permissions because clinical workflows require flexibility. Over time, temporary access, role changes, emergency procedures and legacy permissions create unnecessary exposure. A mature programme should therefore include role-based access, periodic access reviews, strong authentication, privileged access controls and clear joiner-mover-leaver processes.

Another recurring risk is shadow IT. When staff use unapproved tools to share documents, schedule appointments, run surveys, communicate with patients or collaborate internally, health data may leave the controlled environment. The answer is not simply to prohibit these tools. Organisations need approved alternatives that are usable, secure and aligned with real operational needs.

Incident readiness is equally important. In healthcare, an incident may trigger legal notification duties, contractual escalation, regulatory scrutiny, patient communication and continuity-of-care concerns. A breach response plan should define who investigates, who escalates, who decides on notification, how evidence is preserved, how patients are informed and how lessons learned are integrated into the compliance programme.

The particular challenge of secondary use

One of the most sensitive areas in healthcare data compliance is secondary use. Health data collected for care, reimbursement or service delivery may later be considered for research, analytics, benchmarking, AI training, product improvement or commercial partnerships.

These uses may be legitimate, but they require rigorous analysis. The organisation must assess whether the new purpose is compatible with the original one, whether additional transparency is required, whether consent is necessary or appropriate, whether pseudonymisation is sufficient, whether true anonymisation can be achieved, and whether ethics approval or regulatory authorisation is needed.

Pseudonymisation is often misunderstood. Pseudonymised data is not necessarily anonymous data. If the data can still be linked back to an individual through a key or additional information, it will generally remain personal data under the GDPR and UK GDPR. This has practical consequences for research databases, AI datasets, analytics environments and data sharing projects.

The same caution applies to anonymisation. In healthcare, anonymisation is difficult because datasets are often rich, unique and linkable. A rare diagnosis, a combination of dates, location data or treatment history may increase re-identification risk. Organisations should therefore avoid treating anonymisation as a label and instead assess whether re-identification is reasonably possible in context.
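As an added illustration (not part of the original article), the script below takes a few constructed pseudonymised records and counts how many share the same diagnosis, admission date and postcode district, which is the re-identification check the paragraph above describes; the field names, sample values and the k threshold are assumptions, and the date generalisation is shown as one common mitigation, not the only one.

```python
# Added example, not from the original article: checks whether pseudonymised
# health records can still be singled out through quasi-identifiers
# (diagnosis, admission date, location). All records below are constructed.
from collections import Counter
from datetime import date

# Constructed pseudonymised records: the direct identifier has been replaced
# by a token, but diagnosis, admission date and postcode district remain.
RECORDS = [
    {"token": "p01", "diagnosis": "type 2 diabetes", "admitted": date(2025, 3, 2), "district": "SW1"},
    {"token": "p02", "diagnosis": "type 2 diabetes", "admitted": date(2025, 3, 2), "district": "SW1"},
    {"token": "p03", "diagnosis": "type 2 diabetes", "admitted": date(2025, 3, 2), "district": "SW1"},
    {"token": "p04", "diagnosis": "huntington disease", "admitted": date(2025, 3, 9), "district": "SW1"},
    {"token": "p05", "diagnosis": "hypertension", "admitted": date(2025, 4, 11), "district": "NW3"},
    {"token": "p06", "diagnosis": "hypertension", "admitted": date(2025, 4, 12), "district": "NW3"},
]


def quasi_key(rec, generalise=False):
    """Quasi-identifier tuple for one record. With generalise=True the exact
    admission date is coarsened to year-month (a common mitigation)."""
    admitted = rec["admitted"]
    when = (admitted.year, admitted.month) if generalise else admitted
    return (rec["diagnosis"], when, rec["district"])


def equivalence_class_sizes(records, generalise=False):
    """Map each token to the number of records sharing its quasi-identifiers."""
    counts = Counter(quasi_key(r, generalise) for r in records)
    return {r["token"]: counts[quasi_key(r, generalise)] for r in records}


def singled_out(records, k=2, generalise=False):
    """Tokens whose quasi-identifier combination is shared by fewer than k
    records: these are re-identifiable from the 'pseudonymised' data alone."""
    sizes = equivalence_class_sizes(records, generalise)
    return sorted(t for t, n in sizes.items() if n < k)


if __name__ == "__main__":
    # Exact dates: three records are unique.
    print("exact dates:", singled_out(RECORDS))
    # Coarsened dates: the hypertension pair now blends together, but the
    # rare diagnosis stays unique no matter how the date is generalised.
    print("year-month:", singled_out(RECORDS, generalise=True))
```

The rare diagnosis remains unique even after the date is coarsened, which is why the article warns that anonymisation must be assessed in context rather than treated as a label.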

AI and health data

AI is becoming a central feature of healthcare innovation. It can support triage, diagnosis assistance, imaging analysis, patient engagement, operational planning, fraud detection, population health and research. But it also increases the need for disciplined governance.

Healthcare AI raises several questions at once. Was the data used lawfully? Is the dataset representative? Are the model outputs reliable? Can bias affect certain groups? Is the system used for clinical decision support or administrative prioritisation? Does it qualify as a medical device? Is there meaningful human oversight? Can decisions be explained to patients or professionals? Is model performance monitored over time?

In the European Union, some AI systems used for medical purposes may be classified as high-risk under the AI Act, particularly where they are linked to regulated medical devices or safety-related functions. In the United States, AI or machine-learning-enabled software may fall within the FDA’s medical device framework when it meets the relevant criteria.

AI governance should therefore be connected to healthcare data compliance, not treated as a separate innovation workstream. The quality, traceability, lawfulness and security of health data directly affect the safety and regulatory acceptability of AI systems.

Building a sustainable compliance programme

A sustainable healthcare data compliance programme should be built progressively. The starting point is a clear view of the organisation’s activities, systems, vendors and data flows. From there, the organisation can determine which legal regimes apply, assign roles and responsibilities, identify high-risk processing, and prioritise remediation.

The programme should then translate legal requirements into operational controls. This means aligning privacy notices with real practices, putting the right contracts in place, strengthening access governance, testing incident response, training staff on realistic scenarios, reviewing vendors and maintaining evidence.

Governance is essential. Privacy, security, legal, clinical, IT, product, procurement and business teams must understand their respective responsibilities. In larger organisations, this may require a dedicated privacy committee, information security governance, vendor risk governance and, increasingly, AI governance.

The objective is not to create documentation for its own sake. It is to ensure that the organisation can demonstrate control. Regulators, partners, investors, procurement teams and patients will not only ask whether policies exist. They will want to know whether the organisation can show how its controls work in practice.

How DPO Consulting can support healthcare organisations

DPO Consulting supports healthcare and digital health organisations in transforming complex privacy, security and AI obligations into practical governance.

This support may start with a compliance audit or gap assessment covering data flows, systems, vendors, contracts, security measures and regulatory obligations. It may then include the design of a remediation roadmap, the preparation of DPIAs or HIPAA-aligned risk analyses, the review of SaaS and cloud arrangements, the drafting or negotiation of data protection agreements, the assessment of health data hosting requirements, or the creation of incident response and breach notification procedures.

For organisations developing or deploying AI in healthcare, DPO Consulting can also support AI governance, AI Act readiness, data governance for model development, vendor assessment, risk classification, transparency documentation and alignment with privacy and cybersecurity expectations.

The goal is pragmatic: help organisations reduce regulatory exposure, secure sensitive health data, build patient and partner trust, and make compliance a sustainable part of operations rather than a one-off legal exercise.

Conclusion

Healthcare data compliance is becoming more complex because healthcare itself is becoming more digital, more interconnected and more data-driven. The organisations that will manage this complexity successfully are not those with the longest policies. They are those that understand their data flows, allocate responsibilities clearly, control their vendors, secure their systems, document their decisions and review their practices continuously.

In healthcare, trust depends on evidence. Compliance is the discipline that makes that evidence possible.

DPO Consulting: Your Partner in AI and GDPR Compliance

Investing in GDPR compliance efforts can weigh heavily on large corporations as well as smaller to medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise. 

External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.

Entrusting the right partner provides the advantage of impartiality and adherence to industry standards and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes away the burden from in-house staff, while considerably reducing company costs.
