Article Summary: HIPAA is the U.S. regulation that protects patient health information in the United States. In this article, you’ll learn who HIPAA applies to, what specific requirements it imposes regarding security, data privacy, contractual agreements, and protection, how it aligns with the GDPR framework you’re already familiar with, and what steps you can take to comply with it systematically.

Introduction

The U.S. healthcare market is one of the most dynamic in the world. For a French e-health startup or a SaaS provider that processes the health information of U.S. patients, entering this market requires compliance with a specific regulatory framework: HIPAA regulations.

This regulation has governed the protection of health data in the United States since 1996. It specifies who may process such data, under what conditions, and with what contractual and technical safeguards. It is a mandatory requirement for any entity (whether U.S.-based or foreign) that handles medical information about U.S. patients.

This guide is designed for French companies that are exploring this topic for the first time, or that want to understand what HIPAA actually requires before entering the U.S. market. Here you will find essential definitions, key obligations, parallels with the GDPR, and steps to help you move forward with confidence.

1. What is HIPAA? 

1.1 What exactly is HIPAA? Definition and origins

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996. It governs the protection of health data in the United States, including data confidentiality, security, and the integrity of U.S. patients’ health information.

To understand what HIPAA entails, it is helpful to draw a parallel with the European context. In France and Europe, health data is considered sensitive data under Article 9 of the GDPR: its processing is prohibited by default, except in strictly regulated cases. Additional standards reinforce this framework, such as the HDS (Health Data Host) certification, which is mandatory for any hosting of personal health data in France.

HIPAA serves a similar purpose in the United States: it is the regulatory framework that governs who can process health information, under what conditions, and with what safeguards.

Key Concept: PHI (Protected Health Information). PHI, literally protected health information, refers to any information that identifies an individual and relates to their health status, health care, or the financial coverage of such care by health insurance: name, address, date of birth, Social Security number, diagnoses, prescriptions, medical images, etc. In electronic format, this is referred to as ePHI. Its functional equivalent under European law is the health data defined in Article 4.15 of the GDPR.

HIPAA does not apply to all health data in general. It applies to specific entities that handle PHI within the United States.

2. Does HIPAA apply to your French company? 

2.1 Does HIPAA apply to my business?

That’s the first question you should ask yourself. HIPAA does not apply based on the country where your business is located, but rather on the nature of your activities and your clients.

Two categories of entities are directly subject to HIPAA:

  • Covered Entities: U.S. hospitals, doctors, health insurers, pharmacies, and health insurance providers. If you are a French company operating directly within this scope in the United States, you are included.
  • Business Associates: any organization that processes PHI on behalf of a Covered Entity. This is where the vast majority of French companies are affected.

The Business Associate Agreement (BAA) is the contract that formalizes this relationship. Without a signed BAA with your client, you expose both parties to penalties.

Key Concept: Business Associate Agreement (BAA). A BAA is a binding contract between a Covered Entity and its Business Associate. It defines each party’s obligations regarding the protection of PHI: authorized uses, security measures, and procedures in the event of a breach. It is the functional equivalent of a Data Processing Agreement (DPA) under the GDPR.

2.2 Can a French startup be subject to HIPAA?

Yes, as soon as your solution processes the health information of U.S. patients on behalf of a U.S. entity subject to HIPAA, you fall within the scope of the law—even if you are based in France.

Example: A French SaaS provider whose software is used by an American hospital, an e-health startup that hosts patient records for a U.S. insurer, and a cloud service provider that stores U.S. medical data: all of these are Business Associates as defined by HIPAA.

3. HIPAA and GDPR: Two Frameworks, One Underlying Principle

3.1 What is the difference between HIPAA and the GDPR?

The two regulations have different scopes: the GDPR applies to any organization that processes data belonging to European residents, regardless of the type of data. HIPAA applies specifically to entities within the U.S. healthcare system and their providers, and covers only PHI. There are significant structural differences between them:

                      | GDPR                                                                    | HIPAA
Geographical scope    | All personal data, EU residents                                         | PHI only, U.S. healthcare context
Relevant data         | All personal data (including health data)                               | PHI (Protected Health Information) only
Individual rights     | Extended rights (access, correction, erasure, portability, objection, etc.) | More limited rights (access to the file, corrections)
Accountability        | Data controller + processor                                             | Covered Entity + Business Associate
Sanctions             | Up to 4% of global revenue                                              | From $100 to $1.9 million per category of violation
Supervisory authority | CNIL (National Commission for Information Technology and Civil Liberties, France), EDPB (Europe) | Office for Civil Rights (OCR), Department of Health and Human Services

3.2 What similarities exist between HIPAA and the GDPR on data protection?

Beyond their legal differences, HIPAA and the GDPR share the same goal: to strengthen cybersecurity, reduce the risks associated with data breaches, and improve the protection of sensitive information in healthcare organizations.

Both frameworks impose strict security requirements regarding data access, system monitoring, incident reporting, and accountability for the processing of personal data.

This security compliance helps organizations mitigate operational risks and build trust among U.S. patients and partners.

Despite these differences, both frameworks are based on the same fundamental principles. 

☑️ Protection of sensitive data: The GDPR treats health data as a special category of data (Article 9): processing is prohibited by default, strict legal grounds apply, and enhanced safeguards are required. HIPAA operates on exactly the same principle for PHI. If you already process health information in compliance with the GDPR, you have already incorporated this high level of protection.

☑️ The principle of data minimization: The GDPR requires that only the data strictly necessary for the purpose of the processing be collected. HIPAA expresses this same principle using the term “minimum necessary”: use and disclose only the PHI that is essential. Same principle, different terminology.

☑️ Management of processors: Under the GDPR, any processor that accesses personal data must sign a DPA. Under HIPAA, any Business Associate that accesses PHI must sign a BAA. The contractual logic is the same: to formalize obligations, define responsibilities, and regulate usage.

☑️ Data security: The GDPR requires appropriate technical and organizational safeguards: encryption, access controls, logging, and a business continuity plan. The HIPAA Security Rule formalizes exactly these same requirements, organizing them into three categories: administrative, physical, and technical safeguards.

☑️ Notification of breaches: Both frameworks require a formal procedure in the event of a breach: identification, classification, and notification in accordance with the notification rule to the authorities and the individuals concerned. The timeframes differ (72 hours vs. 60 days), but the process is the same.

☑️ Individual rights: The GDPR grants individuals extensive rights regarding their data. HIPAA grants more limited but similar rights: the right to access medical records and the right to request corrections. The philosophy of giving patients some control over their information is shared by both.

Good to know: The HIPAA data privacy rule establishes a specific requirement: the Notice of Privacy Practices. Any entity subject to HIPAA must provide patients with a document describing how their protected health information is used and what their rights are. This requirement has no direct equivalent in the GDPR and should be taken into account.

What this convergence means in practice: An organization that has established its GDPR compliance (processing inventory, risk assessment, processor agreements, security policies, breach response procedures) already has the methodological, documentary, and cultural foundation that HIPAA requires. While there are gaps to be addressed, they are identifiable and well-defined.

4. The Three Pillars of HIPAA Compliance 

4.1 What is the HIPAA Privacy Rule?

The Privacy Rule governs the use of PHI. It defines:

  • Situations in which health information may be used or disclosed without the patient’s consent: health care, payment, and health operations
  • Patient rights: access to medical records, requests for corrections, and the right to a record of disclosures
  • The “minimum necessary” principle: use and disclose only the data that is strictly necessary
  • Providing a Notice of Privacy Practices: a document that informs patients of their rights and how their information is used

Under the GDPR, you already apply strict legal grounds for processing health data, the principle of data minimization, and the obligation to inform individuals. The Privacy Rule is the U.S. equivalent, with specific formal requirements that must be anticipated.

4.2 What is the HIPAA Security Rule?

The security rule applies exclusively to ePHI—electronic health information. It organizes data security requirements into three categories:

  • Administrative measures: policies and procedures, staff training, access management, business continuity plan
  • Physical security measures: access control to premises and equipment, workstation management, and data destruction procedures
  • Technical measures: logical access control, access logging, data encryption, data integrity

Some measures are required (mandatory); others must be implemented or, depending on the context, a documented justification must be provided for not implementing them.

Good to know: If you have already formalized your security measures in accordance with the GDPR (encryption, access management, audit logs, PIA), you have covered a large part of what the HIPAA Security Rule requires. The effort often lies less in the measures themselves than in documenting them in the format HIPAA requires.

4.3 What is the HIPAA Breach Notification Rule?

In the event of a breach involving unencrypted PHI, three notifications are required:

  • To the individuals affected: within 60 days of discovery
  • To HHS/OCR: within 60 days (breaches affecting more than 500 individuals) or in an annual report (fewer than 500 individuals)
  • To local media: if more than 500 residents of a state or territory are affected

The breach must be documented, regardless of whether it is reported. HIPAA presumes a breach has occurred whenever unencrypted PHI is exposed, unless it can be demonstrated that the risk of misuse is low.
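The notification logic above (encrypted PHI outside the rule, the presumption of breach unless a low risk of misuse is documented, the 60-day windows, and the 500-person thresholds for HHS/OCR and local media) is small enough to encode as a triage helper that an incident-response team can run when a breach is discovered. The following is an added example written for this article, not code from Dipeeo or from any HIPAA tooling; the `Breach` record, the per-state affected counts and the sample incident are constructed, and the thresholds follow the article's wording ("more than 500").

```python
"""Breach-notification triage helper (constructed example, not legal tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFICATION_WINDOW = timedelta(days=60)  # individuals and HHS/OCR: 60 days from discovery
LARGE_BREACH_THRESHOLD = 500              # "more than 500" per the article's wording


@dataclass
class Breach:
    discovered_on: str          # ISO date of discovery, e.g. "2024-03-01"
    phi_encrypted: bool         # was the exposed PHI encrypted?
    affected_by_state: dict     # state/territory code -> residents affected (constructed input)
    low_risk_demonstrated: bool = False  # documented risk assessment found a low risk of misuse


def triage(breach: Breach) -> dict:
    """Return the notification obligations the article describes for one breach.

    The incident is always documented; notifications apply only when unencrypted
    PHI was exposed and the presumption of breach has not been rebutted.
    """
    total = sum(breach.affected_by_state.values())
    deadline = (date.fromisoformat(breach.discovered_on) + NOTIFICATION_WINDOW).isoformat()
    result = {
        "document_incident": True,        # required regardless of whether it is reported
        "total_affected": total,
        "notify_individuals_by": None,
        "notify_hhs_ocr": None,
        "notify_media_in": [],
        "reason": "",
    }

    if breach.phi_encrypted:
        result["reason"] = "PHI was encrypted: outside the notification rule; record the incident anyway"
        return result
    if breach.low_risk_demonstrated:
        result["reason"] = "presumption of breach rebutted by a documented low-risk assessment; keep it on file"
        return result

    result["reason"] = "unencrypted PHI exposed: breach presumed"
    result["notify_individuals_by"] = deadline
    if total > LARGE_BREACH_THRESHOLD:
        result["notify_hhs_ocr"] = ("within 60 days", deadline)
    else:
        result["notify_hhs_ocr"] = ("annual report", None)
    # Media notification is assessed per state or territory, not on the total.
    result["notify_media_in"] = sorted(
        state for state, count in breach.affected_by_state.items() if count > LARGE_BREACH_THRESHOLD
    )
    return result


# Constructed sample incident: 620 Californians and 30 New Yorkers, PHI not encrypted.
SAMPLE_BREACH = Breach("2024-03-01", False, {"CA": 620, "NY": 30})

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BREACH).items():
        print(f"{key}: {value}")
```

Running it on the sample incident yields an individual-notification deadline of 2024-04-30, an HHS/OCR notification within the same window (650 people in total), and a media notification in California only, since New York stays under the threshold. The helper deliberately never drops the `document_incident` flag, mirroring the article's point that documentation is required even when no notification is.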

GDPR considerations: Under the GDPR, you have 72 hours to notify the CNIL (National Commission for Information Technology and Civil Liberties) in the event of a breach. The HIPAA deadline is longer (60 days), but the process is the same: assess the breach, evaluate the risk, notify, and document. An incident management procedure that has already been refined under the GDPR adapts easily to the HIPAA framework.

5. What are the penalties for violating HIPAA?

What are the fines and penalties under HIPAA?

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services is the regulatory authority. Penalties are scaled according to the degree of negligence:

Level  | Description                                | Penalty
Tier 1 | Unintentional violation                    | $100 – $50,000
Tier 2 | Reasonable cause, without willful negligence | $1,000 – $50,000
Tier 3 | Deliberate negligence, corrected           | $10,000 – $50,000
Tier 4 | Deliberate negligence, uncorrected         | $50,000 (minimum)

The annual cap per category of violation is $1.9 million. Criminal prosecution is also possible for intentional violations.

Key figures: Since 2003, the OCR has resolved more than 36,000 cases and secured payments totaling several hundred million dollars. In 2023, fines imposed exceeded $4.2 million for settlement cases alone.

6. How can you achieve HIPAA compliance?

6.1 What are the steps to meet HIPAA compliance requirements?

The good news: There is no official HIPAA certification issued by a government authority. HIPAA compliance is an ongoing process: establishing appropriate rules and safeguards, documenting them, and maintaining them over time. It is demonstrated, not certified.

Here are the logical steps for a French company that is already well-versed in the GDPR:

Step 1 — Map Your PHI Workflows: Identify exactly what U.S. patient health information you process, where it is stored, who has access to it, and how it flows through your system.

Step 2 — Assess Your Compliance Gaps with HIPAA

Compare your GDPR framework with the specific requirements of the privacy and security regulations. Most technical safeguards are already in place. The challenge is often one of documentation and procedure.

Step 3 — Sign the necessary BAAs: with each Covered Entity client, as well as with your own processors that access PHI (hosting providers, analytics providers, support teams, etc.).

Step 4 — Complete the missing policies: HIPAA-compliant privacy notice, procedure for handling patient access requests, breach response plan, and HIPAA training for staff.

Step 5 — Document and Maintain: HIPAA requires that policies, procedures, and audit logs be retained for 6 years. Documentation is your first line of defense in the event of an OCR audit.

6.2 What resources and solutions are available to help you structure your HIPAA compliance efforts?

A structured approach helps you move faster and avoid blind spots. The key resources you’ll need are: an audit of your PHI flows, a mapping of GDPR gaps, BAA templates tailored to your business, and document management solutions to maintain your compliance over the long term. This is exactly what we’ll cover in the next section.

In practice, data security depends as much on rigorous documentation as it does on technical measures. A robust system that is not properly documented will not provide protection in the event of an OCR investigation.

7. How does Dipeeo help you achieve HIPAA compliance?

How can an outsourced DPO help you meet HIPAA requirements?

At Dipeeo, we handle GDPR compliance for businesses from start to finish as an outsourced DPO registered with the CNIL (National Commission for Information Technology and Civil Liberties). We work primarily with e-health startups and SaaS providers looking to enter the U.S. market without getting lost in the regulatory maze.

More than a third of our clients are in the healthcare sector: we have a thorough understanding of both GDPR and HIPAA requirements, and we know exactly where the gaps lie between existing GDPR compliance and the specific requirements imposed by HIPAA. For healthcare organizations and companies that collaborate with U.S. partners, we integrate the two frameworks in a coherent manner rather than treating them as two separate projects.

What you get with Dipeeo:

  • An analysis of your actual HIPAA exposure (are you really a Business Associate?)
  • A cross-reference between HIPAA and the GDPR to identify common areas of focus and the specific requirements of each framework
  • Assistance with drafting your policies and procedures
  • A review of your Business Associate Agreements before signing
  • Continuous monitoring of your compliance through our SaaS platform

Are you targeting the U.S. healthcare market? Let’s talk. Schedule a meeting with a Dipeeo expert for an initial consultation.

8. FAQ: Frequently Asked Questions About HIPAA

Is HIPAA compliance required to sell services in the U.S. healthcare sector?

Yes, if your solution processes the health information of U.S. patients on behalf of a HIPAA-covered entity. This is not a voluntary process; it is a legal requirement. In practice, your client will ask you to sign a BAA before any data exchange takes place—this is a sign that HIPAA applies to you.

Can a French company be subject to HIPAA without having a presence in the United States?

Yes. HIPAA applies based on the nature of the health information being processed and the identity of your clients, not your location. A Paris-based SaaS provider whose solution is used by a U.S. hospital is subject to HIPAA just as a U.S. provider is.

What is the difference between a DPA under the GDPR and a BAA under HIPAA?

Both agreements outline the obligations of a service provider that accesses sensitive data on behalf of a client. The DPA is required by the GDPR between a data controller and its processor. The BAA is required by HIPAA between a Covered Entity and its Business Associate. If you work with clients in the healthcare sector, you will likely need to manage both agreements simultaneously.

Is there an official HIPAA certification?

No. There is no HIPAA certification issued by a U.S. government agency. HIPAA compliance is an ongoing process: implementing the required policies, documenting them, and maintaining them. Some private organizations offer audits or certifications, but these have no official legal standing.

Why is cybersecurity central to HIPAA?

HIPAA mandates cybersecurity measures designed to protect health information from internal and external threats, such as unauthorized access, accidental disclosure, ransomware, or data loss. Organizations must implement security policies, monitoring procedures, and access control mechanisms to ensure the long-term protection of protected health information.

9. Conclusion: HIPAA, Health Information, and Data Security: Key Takeaways

The U.S. healthcare market represents a major opportunity for French e-health startups and SaaS providers. However, entering this ecosystem requires compliance with strict rules regarding data security, privacy, and the protection of protected health information.

The good news is that a company that is already compliant with the GDPR already has much of the foundation needed to meet HIPAA requirements. Data mapping, processor management, security policies, breach procedures, access controls, and cybersecurity: these mechanisms already form the foundation required for HIPAA compliance.

Schedule a consultation with a Dipeeo expert → If your organization is targeting the U.S. market, we’ll quickly let you know where you stand and what still needs to be done.

Lilia Dipeeo