The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

In the United States, HIPAA compliance is mandatory when working with patient’s protected health information (PHI).

When it comes to EU-based entities, the risk in entrusting PHI has been somewhat alleviated with the introduction of General Data Protection Regulation (GDPR).

Although the regulation legally covers data protection and privacy of European Union citizens and residents, it serves the larger purpose of protecting sensitive data in general.

GDPR was introduced with the main goals of giving control to individuals over their personal data, and simplifying the regulatory environment for international business by unifying the regulation within the EU.

Since GDPR includes the highest level of personal data protection required by the French Personal Data Protection Act (Commission nationale de l'informatique et des libertés), based on the EU Privacy Directive (UE) 2016/679, one could argue that the European regulation is more thorough and stringent, as it deals with all individual data, while offering special provisions when it comes to health data.

In the EU all information “related to physical or mental health of an individual” is considered health data including provision of services which reveal information about a person’s health status.

This data falls under even stricter regulation under GDPR than other types of personal information. Among others, an “explicit consent” is required from the subject for processing of his or her health data.

Since we're a French company originating in Paris, our privacy and security is compliant with GDPR.

We are compliant with EU privacy laws, which make us abide by strict rules and regulations under the GDPR. Since we are not bound by US laws, we aren’t restricted to HIPAA regulations.