MedChat is a US-based HIPAA-compliant live chat platform specifically designed for healthcare organisations including hospitals, clinics, and telehealth providers. Because healthcare chat conversations may contain protected health information (PHI), MedChat faces dual compliance requirements: HIPAA in the US and GDPR for European patients. Explicit consent is required for health data collected via chat, and all data is processed on US infrastructure requiring Standard Contractual Clauses.
MedChat is a live chat platform designed specifically for healthcare organisations, built to comply with HIPAA requirements in the United States. It serves hospitals, clinics, dental practices, telehealth providers, and medical billing companies that need to engage patients via chat while protecting protected health information (PHI). MedChat provides patient intake forms, appointment scheduling, and post-visit follow-up chat functionality.
For European healthcare organisations using MedChat, both GDPR and HIPAA principles apply. Under GDPR, health information is special category data under Article 9, requiring explicit consent (Art. 9(2)(a)) or another specific legal basis such as medical treatment (Art. 9(2)(h)). The ePrivacy Directive requires consent before chat scripts load. The combination of special category health data, large-scale processing, and US data transfer makes MedChat one of the highest-risk tools in terms of GDPR compliance requirements.
MedChat collects chat conversation content (which may include health symptoms, diagnoses, medications, appointment reasons, and other PHI), patient names and contact details, session identifiers, IP addresses, and browser information. When integrated with appointment systems, it may also process scheduling data linked to the patient's health record.
Explicit consent under GDPR Article 9(2)(a) is required before health data is collected via MedChat. This goes beyond standard ePrivacy consent and requires a clear, specific statement that health information may be shared and processed. Patients must be specifically informed that chat conversations are processed in the US, that health data requires special protection, and must actively agree before the chat begins.
MedChat processes all data in the US. Standard Contractual Clauses apply, but the sensitivity of health data makes the transfer particularly significant. A Transfer Impact Assessment should be conducted as part of the mandatory DPIA to evaluate whether SCCs effectively protect health data in the US context.
Obtain explicit Article 9 consent before MedChat loads. Conduct a mandatory DPIA including a Transfer Impact Assessment. Sign a DPA and BAA with MedChat. Update your privacy notice to describe health data processing and the US transfer. Configure conversation log retention to align with healthcare data retention requirements. Implement a mechanism for patients to request deletion of their chat data. Consider EU-hosted healthcare chat alternatives if the US transfer risk cannot be adequately mitigated.
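One way to enforce the "consent before MedChat loads" step on the website side, as an added example that is not MedChat's own code: the chat script is fetched only once a valid, explicit Article 9 consent record exists, so neither the script nor the mc_session/mc_uid cookies appear before the patient has actively accepted. The widget URL is an assumed placeholder, and the storage and script-loading hooks are injected so the logic runs outside a browser.

```javascript
// Added example, not MedChat's own code: gate the chat widget behind explicit
// GDPR Art. 9(2)(a) consent. The widget URL below is an assumed placeholder.
const MEDCHAT_WIDGET_URL = "https://cdn.medchat.com/widget.js"; // assumption
const CONSENT_KEY = "medchat_art9_consent";
// Bump this whenever the consent wording changes so stale records are not reused.
const CONSENT_TEXT_VERSION = "v1";

// Consent is valid only if it was explicit, covers the current wording,
// disclosed the US transfer, and has not been withdrawn.
function hasValidConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return false;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return false; }
  return rec.explicit === true &&
    rec.textVersion === CONSENT_TEXT_VERSION &&
    rec.usTransferDisclosed === true &&
    !rec.withdrawnAt;
}
// Call only from an affirmative act (an "I accept" click), never as a default.
function recordExplicitConsent(storage, now = Date.now) {
  const rec = {
    explicit: true,
    purpose: "healthcare live chat (special category health data)",
    legalBasis: "GDPR Art. 9(2)(a)",
    usTransferDisclosed: true, // the SCC-based US transfer was stated in the text
    textVersion: CONSENT_TEXT_VERSION,
    givenAt: new Date(now()).toISOString(),
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}
// Withdrawal keeps the record as an audit trail but closes the gate.
function withdrawConsent(storage, now = Date.now) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return false;
  const rec = JSON.parse(raw);
  rec.withdrawnAt = new Date(now()).toISOString();
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return true;
}
// loadScript is injected so the gate runs without a DOM; in a browser pass
// url => { const s = document.createElement("script"); s.src = url; document.head.appendChild(s); }
function loadChatIfConsented(storage, loadScript) {
  if (!hasValidConsent(storage)) return false; // nothing from cdn.medchat.com is fetched
  loadScript(MEDCHAT_WIDGET_URL);
  return true;
}
```

In a browser, `window.localStorage` can be passed as `storage`; the chat embed snippet itself must not appear in the page source, only in the injected loader.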
Websites using MedChat must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is mandatory for MedChat deployments. Healthcare chat conversations constitute processing of special category health data under GDPR Article 9, combined with large-scale processing and US data transfer. The DPIA must specifically address the health data processing basis, the US transfer safeguards, and data minimisation for healthcare conversations.
Sample consent text
We use MedChat to provide live chat support for healthcare enquiries. MedChat may process health information you share during the chat. This data is processed on servers in the United States. As health data receives special protection under GDPR, your explicit consent is required. Please accept to enable the healthcare chat service.
Third-party domains contacted
medchat.com
cdn.medchat.com
api.medchat.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mc_session | session | Session | Session identifier for the MedChat live chat widget — may process protected health information |
| mc_uid | persistent | 1 year | Visitor identifier used to recognise returning patients in the MedChat widget |
MedChat uses cookies for user preferences — inform visitors with a consent banner.
MedChat collects chat conversation content which may include health symptoms, diagnoses, medications, appointment reasons, and other protected health information. It also collects patient names, contact details, session identifiers, IP addresses, and browser information.
Does MedChat require consent?
Yes, and more than standard consent. Healthcare chat conversations may contain special category health data under GDPR Article 9, requiring explicit consent beyond standard ePrivacy consent. Patients must be specifically informed that health data may be shared and processed in the US before any health information is entered.
Explicit consent under Article 9(2)(a) is the most appropriate basis for health data collected via chat. Article 9(2)(h) may apply for healthcare professionals providing medical treatment. Standard contract performance or legitimate interest cannot be used as the basis for special category health data.
Does MedChat transfer data outside the EU?
Yes. MedChat is a US company processing all data on US infrastructure. Standard Contractual Clauses apply. Given the sensitivity of health data, a Transfer Impact Assessment must be conducted as part of the mandatory DPIA to assess whether SCCs provide adequate protection.
Is a DPIA required?
Yes, a DPIA is mandatory. MedChat processes special category health data, involving large-scale processing, automated conversation handling, and US data transfer. All three of these factors independently trigger the DPIA requirement under GDPR Article 35.
Obtain explicit Article 9 consent before MedChat loads. Conduct a mandatory DPIA with Transfer Impact Assessment. Sign both a DPA and a BAA with MedChat. Update your privacy notice to specifically describe health data processing and US transfer. Configure retention limits for chat logs aligned with healthcare data requirements.
For EU-hosted healthcare chat, consider Cliniko (Australian, GDPR-conscious), Ninchat (Finland) with healthcare configuration, or custom implementations using EU-hosted messaging infrastructure. Doctolib (France) provides GDPR-compliant patient communication tools specifically designed for European healthcare providers.
In your privacy notice, add a dedicated section on patient chat communication. Explain that MedChat processes health information from chat conversations on US servers, that this constitutes processing of special category health data, that explicit consent is required and can be withdrawn, and that data is transferred to the US under SCCs, and provide a contact point for data subject rights including chat data deletion.