
Skill Guide

Health data privacy and regulatory compliance (HIPAA, GDPR, FDA SaMD guidance)

The applied knowledge and operational capability to manage protected health information (PHI) and medical device software in compliance with specific, legally mandated frameworks: the U.S. Health Insurance Portability and Accountability Act (HIPAA), the EU General Data Protection Regulation (GDPR), and the U.S. Food and Drug Administration's (FDA) guidance on Software as a Medical Device (SaMD).

This skill is the primary risk mitigator against catastrophic financial penalties, criminal liability, and irreversible brand damage in health technology. Its direct business impact is enabling global market access and securing enterprise contracts, as compliant data handling and product classification are non-negotiable prerequisites for payers, providers, and regulators.
1 Careers
1 Categories
9.0 Avg Demand
20% Avg AI Risk

How to Learn Health data privacy and regulatory compliance (HIPAA, GDPR, FDA SaMD guidance)

1. Master the core definitions and scope of each regulation (e.g., HIPAA's 18 PHI identifiers, GDPR's special categories of data, FDA's SaMD risk categorization framework).
2. Learn the fundamental principles: HIPAA's Minimum Necessary Rule, GDPR's Lawful Basis for processing, and the FDA's Total Product Lifecycle (TPLC) approach.
3. Understand the primary roles and responsibilities: HIPAA Covered Entity vs. Business Associate, GDPR Controller vs. Processor, and FDA Sponsor vs. Manufacturer.
Transition to application by conducting a data flow mapping exercise for a mock health app to identify all points of collection, storage, processing, and transfer of data. Perform a mock Data Protection Impact Assessment (DPIA) under GDPR or a Security Risk Analysis (SRA) under HIPAA. Common mistakes include conflating consent with lawful basis, misapplying de-identification standards, and misunderstanding the FDA's enforcement discretion for clinical decision support software.
Architect integrated compliance frameworks that satisfy multiple jurisdictions simultaneously (e.g., designing a data platform with HIPAA BAA clauses, GDPR Standard Contractual Clauses, and FDA 21 CFR Part 11 audit trails). Develop organizational compliance programs including incident response plans that meet the 72-hour GDPR breach notification and the HIPAA breach notification rule requirements. Mentor engineering and product teams on 'Privacy and Security by Design' principles as mandated by GDPR Article 25.

Practice Projects

Beginner
Case Study/Exercise

PHI Identifier Identification & Classification

Scenario

You are given a dataset containing columns: PatientID, FirstName, LastName, DOB, ZIPCode, DiagnosisCode, LabResultValue, EmailAddress. Determine which columns constitute PHI under HIPAA and which are Special Category Data under GDPR.

How to Execute
1. List all 18 HIPAA identifiers and map each column to one of them (or to none).
2. Analyze whether the combination of ZIPCode and DOB could re-identify the patient (HIPAA Expert Determination standard).
3. Under GDPR, confirm whether 'DiagnosisCode' falls under the Article 9 special categories.
4. Document your findings in a compliance memo format.
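As an added example (not code from the page), the script below classifies the scenario's eight columns against the HIPAA Safe Harbor identifier list (45 CFR 164.514(b)(2)) and the GDPR Article 9 health-data category, then applies the Safe Harbor transforms (year-only dates with a 90+ age bucket, 3-digit ZIP with the low-population 000 rule, removal of names, e-mail and the patient number) to constructed sample rows. It uses Safe Harbor rather than the Expert Determination standard the exercise mentions for the ZIP+DOB step; the sample rows and the RESTRICTED_ZIP3 set are placeholders I constructed, not real data.

```python
"""HIPAA Safe Harbor classification and de-identification for the exercise dataset.

Added example, not code from the page. Column-to-identifier mapping follows
45 CFR 164.514(b)(2); sample rows and RESTRICTED_ZIP3 are constructed placeholders.
"""
from datetime import date

# Scenario columns mapped to the Safe Harbor identifier they fall under.
# None means the column is not one of the 18 identifiers (it may still be
# sensitive: DiagnosisCode and LabResultValue are GDPR Article 9 health data).
SAFE_HARBOR_CATEGORY = {
    "PatientID": "any other unique identifying number, characteristic, or code",
    "FirstName": "names",
    "LastName": "names",
    "DOB": "all elements of dates (except year) directly related to an individual",
    "ZIPCode": "geographic subdivisions smaller than a state (3-digit ZIP rule)",
    "DiagnosisCode": None,
    "LabResultValue": None,
    "EmailAddress": "electronic mail addresses",
}

# GDPR Article 9(1): "data concerning health" is a special category.
GDPR_ARTICLE_9_COLUMNS = {"DiagnosisCode", "LabResultValue"}

# Constructed placeholder. The real set is every 3-digit ZIP area whose
# population is 20,000 or fewer per current census data and must be looked up.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Constructed sample records (fictional people) and the reference date for ages.
SAMPLE_AS_OF = date(2024, 1, 1)
SAMPLE_ROWS = [
    {"PatientID": "P-0001", "FirstName": "Ada", "LastName": "Example",
     "DOB": date(1980, 5, 17), "ZIPCode": "02139", "DiagnosisCode": "C43.9",
     "LabResultValue": "12.4", "EmailAddress": "ada@example.com"},
    {"PatientID": "P-0002", "FirstName": "Ben", "LastName": "Sample",
     "DOB": date(1930, 1, 1), "ZIPCode": "03601", "DiagnosisCode": "L57.0",
     "LabResultValue": "7.9", "EmailAddress": "ben@example.com"},
]


def classify_columns(columns):
    """Per column: which Safe Harbor identifier it is (None if not PHI under
    Safe Harbor) and whether it is GDPR special-category data."""
    return {
        col: {
            "hipaa_identifier": SAFE_HARBOR_CATEGORY.get(col),
            "gdpr_special_category": col in GDPR_ARTICLE_9_COLUMNS,
        }
        for col in columns
    }


def safe_harbor_zip(zipcode):
    """Keep the first three digits; collapse restricted low-population areas to 000."""
    prefix = zipcode.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor_dob(dob, as_of):
    """Keep only the birth year. Ages over 89 (and the years that would reveal
    them) are aggregated into a single '90+' bucket, as Safe Harbor requires."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(dob.year)


def deidentify_row(row, as_of):
    """Apply Safe Harbor to one record. Identifier columns with no permitted
    generalization (names, e-mail, patient number) are dropped outright; the
    non-identifier clinical columns pass through unchanged. Safe Harbor also
    requires no actual knowledge that the remainder could identify the person."""
    return {
        "BirthYear": safe_harbor_dob(row["DOB"], as_of),
        "ZIP3": safe_harbor_zip(row["ZIPCode"]),
        "DiagnosisCode": row["DiagnosisCode"],
        "LabResultValue": row["LabResultValue"],
    }


def deidentify_dataset(rows, as_of):
    return [deidentify_row(r, as_of) for r in rows]


if __name__ == "__main__":
    for col, verdict in classify_columns(list(SAMPLE_ROWS[0])).items():
        print(f"{col:15s} HIPAA: {verdict['hipaa_identifier'] or '-':70s} "
              f"GDPR Art.9: {verdict['gdpr_special_category']}")
    for out in deidentify_dataset(SAMPLE_ROWS, SAMPLE_AS_OF):
        print(out)
```

Running the script prints the classification memo lines for each column and the two de-identified rows; note that the second constructed record loses its birth year entirely (age 94 becomes "90+") and its ZIP collapses to 000 because its prefix is in the placeholder restricted set.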
Intermediate
Project

SaMD Pre-Market Submission Checklist Development

Scenario

Your team has developed a mobile app that uses a proprietary algorithm to analyze user-reported symptoms and images of skin lesions to provide a risk assessment for melanoma. Draft the initial regulatory strategy document for FDA submission.

How to Execute
1. Use the FDA's SaMD risk categorization framework to determine whether this is a Class I, II, or III device, based on the state of the healthcare situation or condition and the significance of the information the software provides.
2. Identify the applicable regulatory pathway (e.g., 510(k), De Novo, PMA).
3. Outline the necessary software documentation requirements per IEC 62304 and the FDA's Guidance on Content of Premarket Submissions for Device Software Functions.
4. Create a checklist for cybersecurity documentation per the FDA's premarket cybersecurity guidance.
Advanced
Case Study/Exercise

Multinational Health Data Incident Response Simulation

Scenario

A ransomware attack encrypts a server in your AWS US-East region containing HIPAA-covered PHI of US citizens and GDPR-protected data of EU citizens from a telehealth service. The data includes mental health counseling notes.

How to Execute
1. Simulate the first 24-hour response: activate the Incident Response Plan, isolate systems, and determine the scope of the breach.
2. Parallel-track legal notifications: draft notifications for the HHS Office for Civil Rights (HIPAA) and the relevant EU Supervisory Authority (GDPR). Assess whether the mental health notes trigger the 'high risk' GDPR breach notification to individuals.
3. Conduct a tabletop exercise with legal, communications, and IT leads.
4. Develop a root cause analysis and remediation report that satisfies both regulators.

Tools & Frameworks

Regulatory & Standards Frameworks

HIPAA Privacy & Security Rules (45 CFR Parts 160, 164)
GDPR (Regulation (EU) 2016/679)
FDA Guidance on Clinical Decision Support Software
IEC 62304: Medical device software - Software life cycle processes
NIST SP 800-53 / 800-66 (HIPAA Security Rule mapping)

These are the primary legal and technical standards. They are not optional guidelines but mandatory frameworks for operations, product development, and audit preparation in their respective domains.

Operational & Technical Tools

OneTrust or TrustArc (Privacy Management Software)
OpenFDA API (for device classification research)
AWS/Azure/GCP HIPAA-eligible service catalogs
Veracode or Checkmarx (SAST/DAST for secure code)
Audit Management Systems (e.g., AuditBoard for SOX/HIPAA audit trails)

These platforms automate compliance tasks: managing consent and data subject requests (GDPR), conducting risk assessments (HIPAA SRA), ensuring cloud infrastructure is configured for PHI, and maintaining evidence for audits. They are force multipliers for compliance teams.

Mental Models & Methodologies

Data Flow Mapping
Privacy by Design (PbD)
Threat Modeling (e.g., STRIDE)
Total Product Lifecycle (TPLC) Approach

Data Flow Mapping visually traces data to identify compliance gaps. PbD is the mandatory engineering methodology for GDPR. Threat Modeling proactively identifies security risks to PHI. TPLC is the FDA's core philosophy for regulating SaMD, emphasizing continuous monitoring post-market.

Careers That Require Health data privacy and regulatory compliance (HIPAA, GDPR, FDA SaMD guidance)
