TLDR:
A special category of sensitive personal data relating to physical or mental health, subject to heightened protection under GDPR and health privacy laws globally.
What is Health Data?
Health data encompasses medical conditions, treatments, prescriptions, disabilities, biometric health data, and health services received. Under GDPR Article 9, it requires explicit consent or another specific legal basis (such as vital interests, public health, or healthcare provision by a regulated professional).
Regulatory Framework
Beyond GDPR, health data is regulated by HIPAA in the United States, the PIPEDA/PHIPA framework in Canada, and a patchwork of national health information laws elsewhere. In Türkiye, KVKK treats health data as “special category” data with similar restrictions. Startups operating in digital health, telemedicine, or wellness must map their data flows carefully — including device telemetry, app analytics, and AI training data — because health-related inferences (e.g., menstrual tracking, mental wellbeing apps) frequently trigger the same heightened obligations as clinical records.
Practical Compliance Considerations
Practical safeguards include data minimization (collect only what is clinically necessary), encryption at rest and in transit, role-based access control, formal data processor agreements with cloud providers, breach response plans with regulator-notification timelines (72 hours under GDPR), and a documented lawful basis for each processing purpose.
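As an added illustration (not part of the original entry), the following Python snippet shows how three of the safeguards listed above fit together in code on a constructed patient record: a processing register that documents an Article 9 lawful basis for each purpose, role-based access control keyed on that purpose, field-level data minimisation, and an audit entry for every access attempt, plus the 72-hour breach notification deadline. The register contents, roles, purposes and field names are hypothetical.

```python
"""Purpose-bound access to special-category (health) fields.

Added example, not the original page's code: a small policy gate that refuses
any access to health fields unless the purpose has a documented lawful basis,
the caller's role is authorised for that purpose, and only the minimum field
set for the purpose is released. All names and values below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample record; every field except "patient_id" is health data.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Person",
    "diagnosis": "type 2 diabetes",
    "prescriptions": ["metformin 500mg"],
    "disability_status": "none",
    "heart_rate_series": [72, 75, 71],
}

# Hypothetical processing register (a documented lawful basis per purpose).
# Each entry names its GDPR Art. 9(2) condition, the roles allowed to act
# under it, and the minimum field set that purpose actually needs.
PROCESSING_REGISTER = {
    "treatment": {
        "lawful_basis": "Art. 9(2)(h) healthcare provision by a regulated professional",
        "roles": {"clinician"},
        "fields": {"patient_id", "name", "diagnosis", "prescriptions"},
    },
    "billing": {
        "lawful_basis": "Art. 9(2)(h) management of health-care services",
        "roles": {"billing_clerk"},
        "fields": {"patient_id", "name"},
    },
    "research": {
        "lawful_basis": "Art. 9(2)(a) explicit consent",
        "roles": {"researcher"},
        "fields": {"diagnosis", "heart_rate_series"},
        "requires_consent": True,
    },
}

AUDIT_LOG: list[dict] = []  # one entry per access attempt, allowed or not


@dataclass
class AccessDecision:
    allowed: bool
    reason: str
    data: dict = field(default_factory=dict)


def access_record(record: dict, role: str, purpose: str, consent_given: bool = False) -> AccessDecision:
    """Gate access to health fields by documented purpose, role and minimisation."""
    entry = PROCESSING_REGISTER.get(purpose)
    if entry is None:
        decision = AccessDecision(False, f"no documented lawful basis for purpose '{purpose}'")
    elif role not in entry["roles"]:
        decision = AccessDecision(False, f"role '{role}' not authorised for purpose '{purpose}'")
    elif entry.get("requires_consent") and not consent_given:
        decision = AccessDecision(False, "explicit consent required but not recorded")
    else:
        # Minimisation: release only the fields the purpose needs, nothing more.
        minimised = {k: v for k, v in record.items() if k in entry["fields"]}
        decision = AccessDecision(True, entry["lawful_basis"], minimised)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "role": role,
        "purpose": purpose,
        "allowed": decision.allowed,
        "fields": sorted(decision.data),
    })
    return decision


def breach_notification_deadline(awareness_time: datetime) -> datetime:
    """GDPR Art. 33: notify the supervisory authority within 72 hours of awareness."""
    return awareness_time + timedelta(hours=72)


if __name__ == "__main__":
    for role, purpose, consent in [("clinician", "treatment", False),
                                   ("billing_clerk", "billing", False),
                                   ("researcher", "research", False),
                                   ("researcher", "research", True),
                                   ("clinician", "marketing", False)]:
        d = access_record(PATIENT_RECORD, role, purpose, consent)
        print(f"{role:14} {purpose:10} allowed={d.allowed!s:5} fields={sorted(d.data)} ({d.reason})")
    print("notify regulator by:", breach_notification_deadline(datetime.now(timezone.utc)).isoformat())
```

The point of the gate is that the lawful basis is looked up, not asserted by the caller: a purpose missing from the register fails closed, a role outside the purpose's allow-list fails closed, and even an authorised caller never sees fields the purpose does not need (the billing clerk gets identity fields but no diagnosis). The audit log records refusals as well as grants, which is what a breach investigation or a regulator will ask for.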