The General Data Protection Regulation (GDPR, Regulation 2016/679) is the European Union's comprehensive data-protection law. Its reach is extraterritorial: it applies to the personal data of people located in the EU/EEA regardless of where the company processing that data is based, so a US-hosted telehealth service with European patients is squarely in scope. Health data receives heightened treatment — under Article 9 it is 'special category' data, whose processing is prohibited unless a specific condition applies, most commonly the data subject's explicit consent or the necessity of providing care or managing health services.
For a telemedicine product team the practical message is that GDPR sits alongside HIPAA rather than replacing it. You map a lawful basis to every processing activity, build the machinery for data-subject rights (access, rectification, erasure, portability), establish a valid mechanism for any transfer of data outside the EU, and stand up a breach process that can notify the supervisory authority within 72 hours of becoming aware of a qualifying breach. Many of these have no direct HIPAA equivalent — a 'right to erasure' request, for instance, collides awkwardly with US medical-record retention rules.
The common mistake is assuming HIPAA compliance covers Europe. It does not: the two regimes overlap on security and minimization but diverge on consent, individual rights, and cross-border transfer, and GDPR carries its own enforcement and substantial fines. Treat EU expansion as a distinct compliance workstream, designed in early rather than retrofitted after launch.