# The Regulatory Landscape

## Overview

Navigating healthcare regulation is one of the most challenging aspects of building a digital health product. The regulatory landscape varies significantly by region, product type, and target market. Understanding which regulations apply to your product — and building compliance in from day one — is essential.

***

## Major Regulatory Frameworks

### HIPAA (United States)

The Health Insurance Portability and Accountability Act governs the use and disclosure of Protected Health Information (PHI).

**Applies to**: Covered entities (providers, plans, clearinghouses) and their business associates.

**Key requirements**:

* Privacy Rule — limits use and disclosure of PHI
* Security Rule — requires administrative, physical, and technical safeguards
* Breach Notification Rule — requires notification of PHI breaches
* Enforcement Rule — penalties for non-compliance

### GDPR (European Union)

The General Data Protection Regulation governs the processing of personal data, including health data as a special category.

**Applies to**: Any organization processing data of EU residents.

**Key requirements**:

* Lawful basis for processing
* Data Protection Impact Assessments (DPIA) for high-risk processing
* Data protection by design and by default
* Breach notification within 72 hours
* Right to erasure ("right to be forgotten")

### MDR (European Union)

The Medical Device Regulation governs medical devices sold in the EU, including software classified as a medical device.

**Applies to**: Software intended for medical purposes (diagnosis, prevention, monitoring, treatment).

**Key requirements**:

* Risk classification (Class I, IIa, IIb, III)
* Conformity assessment
* Clinical evaluation
* Quality management system (ISO 13485)
* Unique Device Identification (UDI)
* Post-market surveillance

### FDA (United States)

The Food and Drug Administration regulates medical devices, including Software as a Medical Device (SaMD).

**Applies to**: Software intended for medical purposes.

**Key requirements**:

* Risk classification (Class I, II, III)
* Premarket notification (510(k)) or premarket approval (PMA)
* Quality System Regulation (QSR)
* Cybersecurity guidance for premarket submissions
* Real-world evidence requirements

***

## Regulation by Product Type

| Product Type                                          | Likely Regulations                              |
| ----------------------------------------------------- | ----------------------------------------------- |
| Health information app (no clinical decision support) | HIPAA (if handling PHI), GDPR                   |
| Symptom checker with AI diagnosis                     | HIPAA, FDA (SaMD), MDR (EU), GDPR               |
| Telemedicine platform                                 | HIPAA, GDPR, state/provincial medical licensing |
| Medication adherence app                              | HIPAA, FDA (maybe), GDPR                        |
| Wellness/fitness app (no medical claims)              | GDPR (if EU users), data privacy laws           |
| Remote patient monitoring device                      | HIPAA, FDA, MDR, FCC (wireless), CE marking     |
| Clinical decision support software                    | HIPAA, FDA, MDR                                 |
| Digital therapeutic                                   | FDA, MDR, HIPAA, clinical trial requirements    |

***

## Compliance Strategy for Startups

1. Map your product features to regulatory categories. Engage regulatory counsel early — it's cheaper than fixing non-compliance later.
2. Implement security and privacy controls from the start. Encrypt data at rest and in transit. Implement access controls and audit logging.
3. HIPAA requires documentation of policies, procedures, and risk assessments. MDR requires technical documentation. Start your documentation system on day one.
4. SOC 2 Type II, ISO 13485, CE marking — these take 6-18 months and significant resources. Plan your certification roadmap early.
5. For medical device software, a QMS (ISO 13485 compliant) is required. This covers design controls, risk management, and post-market surveillance.

***

## Regional Considerations

**United States**: HIPAA + FDA + state privacy laws (CCPA, etc.). Fragmented payer system adds complexity for reimbursement.

**European Union**: GDPR + MDR + AI Act. Harmonized but stringent. MDR transition period creates opportunities and risks.

**United Kingdom**: UK GDPR + MHRA (post-Brexit). MHRA is developing its own medical device framework.

**Asia-Pacific**: Varies widely — Japan (PMDA), China (NMPA), Australia (TGA), Singapore (HSA). Growing regulatory maturity.

***

## Related Chapters

* [Cybersecurity Framework](/technical-architecture/cybersecurity) — Technical security controls for compliance
* [Data Privacy by Design](/technical-architecture/data-privacy) — Privacy architecture patterns
* [Pricing & Reimbursement](/business-gtm/pricing-reimbursement) — Regulatory impact on revenue models