HealthTech Commerce: HIPAA-Compliant Medical Marketplaces
Key Takeaways
Last verified: March 2026
The challenge: HealthTech commerce faces regulatory requirements that no multi-tenant SaaS platform can meet. HIPAA mandates encryption, access control, and audit trails for protected health information. FDA 21 CFR Part 11 requires immutable electronic records for medical products. EU MDR requires device-level traceability across the supply chain.
The platform problem: Shopify Plus, BigCommerce, and Salesforce Commerce Cloud do not offer HIPAA Business Associate Agreements for standard eCommerce, do not enforce FDA record-keeping standards, and store European customer data outside EU/UK jurisdictions.
The solution: Self-hosted open source platforms deployed on sovereign infrastructure give HealthTech merchants full control over PHI handling, FDA-compliant record-keeping, and multi-jurisdictional data residency.
What this guide covers: HealthTech commerce requirements across medical devices, digital therapeutics, and practitioner dispensing. Which regulations apply, why SaaS architecture fails healthcare compliance, and how to build marketplaces that satisfy HIPAA, FDA, MHRA, and EU MDR.
Why Is HealthTech Commerce Different?
The moment your commerce platform touches patient data, every vendor in your stack becomes a HIPAA liability. That single fact shapes every platform decision in HealthTech, and it’s the reason mainstream eCommerce solutions fall short for this market.
The global HealthTech eCommerce market reached USD 617 billion in 2026 and is projected to grow at 20% CAGR through 2032 (Grand View Research, 2025). Three shifts are driving that growth:
- Direct-to-consumer medical devices: continuous glucose monitors, smart inhalers, and insulin pumps sold directly to patients
- FDA-cleared digital therapeutics: app-based treatments prescribed by physicians and distributed through commerce platforms
- B2B practitioner dispensing: nutritionists, chiropractors, and physical therapists selling medical-grade products directly to patients
The US digital health market alone attracted $10.7 billion in venture funding in 2024 (Rock Health, 2025).
What makes this market fundamentally different is the collision of three regulatory forces.
HIPAA requires all protected health information (patient names, medical histories, prescriptions, insurance details) to be encrypted, access-controlled, and audit-trailed. Any platform handling healthcare transactions must sign a Business Associate Agreement (BAA) with the healthcare entity.
FDA 21 CFR Part 11 requires electronic records for medical products to be immutable, timestamped, and auditable. EU MDR requires device-level traceability using Unique Device Identification across the entire supply chain.
Get any of these wrong and the consequences are regulatory, not just commercial. In 2024, a regional health system paid $4.75 million after its eCommerce vendor mishandled patient data collected during product orders. HIPAA violations carry penalties of $100 to $50,000 per violation, with annual maximums of $1.5 million per category (HHS Office for Civil Rights, 2024).
What Regulations Apply to HealthTech eCommerce?
Five regulatory frameworks across three jurisdictions govern HealthTech commerce, and they overlap in ways that make multi-tenant SaaS architecturally incompatible. Data protection (HIPAA, GDPR, UK GDPR), product approval (FDA, MHRA), and supply chain compliance (NHS DSPT, EU MDR) all impose platform-level requirements simultaneously.
| Regulation | Jurisdiction | What It Means for HealthTech Commerce | Impact |
|---|---|---|---|
| HIPAA + HITECH | US | PHI must be encrypted, access-controlled, audit-trailed. BAAs required. | 🔴 Critical |
| FDA 21 CFR Part 11 | US | Medical product records must be immutable, timestamped, auditable. | 🔴 Critical |
| GDPR | EU | Patient data triggers residency, consent, and portability requirements. | 🔴 Critical |
| UK GDPR + NHS DSPT | UK | NHS partners must meet DSPT compliance and UK data residency. | 🟡 Moderate |
| EU MDR | EU | Device-level UDI tracking and post-market surveillance required. | 🔴 Critical |
| EU IVDR | EU | In vitro diagnostic traceability and reporting. | 🟡 Moderate |
| MHRA | UK | UKCA marking and post-market surveillance for UK market. | 🟡 Moderate |
HIPAA is the regulation that disqualifies most SaaS platforms outright. The Department of Health and Human Services states that a “business associate” includes any entity that “creates, receives, maintains, or transmits protected health information on behalf of a covered entity” (45 CFR § 160.103).
Your eCommerce platform vendor is a business associate. A BAA is mandatory. Most SaaS platforms either refuse to sign one or exclude healthcare entirely from their acceptable use policies.
Learn more about HIPAA requirements from the Department of Health and Human Services. For the full platform analysis, see the HIPAA eCommerce compliance guide.
FDA 21 CFR Part 11 adds a second layer that SaaS platforms simply don’t support. For any medical device, diagnostic test, or digital therapeutic sold through eCommerce, sales records must be immutable and non-repudiable. Once created, records must remain unchanged unless every modification is logged with full attribution. This must be built into the core data model, not added through a plugin. The FDA maintains full guidance on device record-keeping and post-market surveillance.
EU MDR requires device-level traceability from manufacture to patient. Since May 2024, manufacturers and distributors must track every device through the supply chain using Unique Device Identification (UDI). For a medical device marketplace, that means recording UDI barcodes at sale, linking them to batch and serial numbers, and maintaining traceability records accessible to EU regulators.
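The UDI capture step described above, as an added example that is not part of this guide or of Spree itself: a small Ruby parser that splits a GS1-formatted UDI scanned at sale into its device identifier (GTIN, AI 01) and the production identifiers (lot, serial, dates) a traceability record needs, validating the GTIN check digit on the way. The module and method names are hypothetical, and the GTIN and UDI strings in the test are constructed sample values.

```ruby
require 'date'

# Parses a GS1-formatted UDI into its device identifier (GTIN, AI 01) and
# production identifiers (lot, serial, dates), as a marketplace would at the
# point of sale. Hypothetical module, not Spree's API.
module UdiParser
  GS = "\x1D".freeze # FNC1 group separator that ends variable-length fields
  # AI => [field, fixed length, or nil for variable length (max 20 chars)]
  AIS = {
    '01' => [:gtin, 14], '11' => [:mfg_date, 6], '17' => [:expiry, 6],
    '10' => [:lot, nil], '21' => [:serial, nil]
  }.freeze
  class ParseError < StandardError; end

  # Accepts the human-readable form "(01)...(17)..." or the raw scanner form
  # with 0x1D separators. Returns a hash such as { gtin: ..., lot: ... }.
  def self.parse(udi)
    raw = udi.include?('(') ? udi.gsub(/\((\d{2})\)/, "#{GS}\\1").sub(/\A#{GS}/, '') : udi
    fields = {}
    pos = 0
    while pos < raw.length
      ai = raw[pos, 2]
      field, len = AIS[ai]
      raise ParseError, "unknown AI #{ai.inspect} at offset #{pos}" unless field
      raise ParseError, "duplicate AI #{ai}" if fields.key?(field)
      pos += 2
      if len
        value = raw[pos, len].to_s
        raise ParseError, "AI #{ai} needs #{len} chars" if value.length < len
        pos += len
      else
        stop = raw.index(GS, pos) || raw.length
        value = raw[pos...stop]
        raise ParseError, "AI #{ai} exceeds 20 chars" if value.length > 20
        pos = stop
      end
      pos += 1 if raw[pos] == GS # skip the separator before the next AI
      fields[field] = value
    end
    raise ParseError, 'UDI has no device identifier (AI 01)' unless fields[:gtin]
    raise ParseError, "bad GTIN check digit: #{fields[:gtin]}" unless valid_gtin?(fields[:gtin])
    fields
  end

  # GS1 mod-10 check digit: weights 3,1,3,... over the first 13 digits.
  def self.valid_gtin?(gtin)
    return false unless gtin.match?(/\A\d{14}\z/)
    sum = gtin[0, 13].each_char.with_index.sum { |d, i| d.to_i * (i.even? ? 3 : 1) }
    (10 - sum % 10) % 10 == gtin[13].to_i
  end

  # GS1 dates are YYMMDD; a day of "00" means the last day of the month.
  # Assumes years 2000-2099 (GS1 actually uses a sliding 49-year window).
  def self.gs1_date(yymmdd)
    yy, mm, dd = yymmdd.scan(/\d\d/).map(&:to_i)
    Date.new(2000 + yy, mm, dd.zero? ? -1 : dd)
  end
end
```

Reject at the point of sale anything that raises ParseError; a device with no parseable DI cannot be linked to a batch or serial and should not enter the traceability record.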
For data protection requirements, see the GDPR and Schrems II eCommerce compliance guide. For UK-specific requirements, see the UK Data Act eCommerce compliance guide.
Why Do SaaS Platforms Fail HealthTech Compliance?
The problem isn’t that SaaS platforms haven’t gotten around to supporting healthcare. The problem is architectural. Multi-tenant SaaS means shared infrastructure managed by global teams. Healthcare regulation requires isolated, auditable, jurisdiction-specific data handling. No amount of BAA negotiation or plugin configuration bridges that gap.
The HIPAA-SaaS gap
Shopify Plus, BigCommerce, and Salesforce Commerce Cloud do not offer BAAs for standard eCommerce. Even Shopify Plus has significant restrictions: the platform itself is not HIPAA-compliant, and merchants must maintain separate systems for HIPAA-regulated data.
This creates a hybrid compliance nightmare. Customer medical history sits in one system. Purchase records sit in another. Integration failures between systems create PHI exposure.
This isn’t theoretical. A 2024 HHS enforcement report documented $4.17 million in HIPAA settlements related to business associate failures (HHS OCR Breach Portal, 2024).
For merchants selling prescription medications, medical devices, or practitioner services, the HIPAA gap is disqualifying. Standard payment processors (Stripe, PayPal) also restrict healthcare transactions because payment data tied to health purchases is PHI-adjacent.
The FDA record-keeping problem
BigCommerce and Shopify have no native ability to enforce FDA 21 CFR Part 11 requirements. Specifically:
- No immutability. Platforms do not prevent record modification after creation.
- No tamper-proof audit trails. Logs don’t guarantee immutability.
- No digital signatures. No mechanism for non-repudiation.
For a medical device manufacturer or digital therapeutics company, this means maintaining parallel record-keeping systems: one for the storefront, another for regulatory compliance.
Regulators reviewing your eCommerce records have no assurance those records are authoritative.
The data residency barrier
NHS procurement contracts explicitly require UK data residency. Shopify and BigCommerce store European customer data on US-based infrastructure. While standard contractual clauses may address GDPR transfer requirements, they conflict with NHS procurement terms and EU MDR requirements that device traceability data be accessible to EU regulators.
How platforms compare for HealthTech commerce
| HealthTech Requirement | Shopify Plus | BigCommerce | Salesforce CC | Self-Hosted (Spree) |
|---|---|---|---|---|
| HIPAA BAA | Limited | No | No | Yes (full BAA; you own compliance) |
| FDA 21 CFR Part 11 | No immutable records | No | No | Yes (immutable records + audit trail) |
| Data residency (EU) | No (US-based) | No (US-based) | No (US-based) | Yes (deploy on EU infrastructure) |
| Data residency (UK/NHS) | No (US-based) | No (US-based) | No (US-based) | Yes (deploy on UK sovereign cloud) |
| NHS DSPT compliance | No | No | No | Yes (your systems, your posture) |
| UDI tracking (EU MDR) | No | No | No | Yes (product-level serialization) |
| Codebase auditability | No (proprietary) | No (proprietary) | No (proprietary) | Yes (BSD 3-Clause, full audit) |
What a HealthTech Commerce Platform Must Do
Most HealthTech businesses need at least three business models on one platform, and that’s before you layer on compliance.
A medical device distributor needs a marketplace. A practitioner network needs B2B with license verification. A digital therapeutics company needs controlled digital product delivery.
Trying to build all three on separate SaaS instances with separate compliance stacks is how projects stall.
| Business Requirement | Why It Matters | Platform Capability Needed |
|---|---|---|
| Medical device marketplace | Manufacturers and distributors sell to hospitals, clinics, patients | Marketplace with vendor onboarding and compliance verification |
| Practitioner dispensing network | Practitioners sell medical-grade products directly to patients | B2B with practitioner orgs, patient access controls, license verification |
| Digital therapeutics distribution | FDA-cleared app-based treatments need controlled access | Digital product delivery with prescription integration APIs |
| HIPAA-compliant PHI handling | Medical history, prescriptions, insurance must be encrypted | AES-256 encryption, granular RBAC, immutable audit logging |
| FDA-compliant record-keeping | Sales records must be immutable for regulatory audits | Write-once order records, tamper-proof audit trail |
| UDI tracking (EU MDR) | Each device tracked from manufacture through patient use | Product-level serialization, batch tracking, UDI integration |
| Multi-jurisdictional data residency | US/UK/EU each require data in their jurisdiction | Self-hosted, deployable on any cloud region or on-premise |
A composable architecture eliminates the need for parallel compliance stacks. Marketplace, B2B, encryption, audit logging, and data residency work as built-in modules instead of separate vendor dependencies. For the full analysis of HIPAA platform requirements, see the HIPAA eCommerce compliance guide.
How Spree Enterprise Serves HealthTech Commerce
Here’s what changes when your commerce platform is designed for composability instead of single-model retail. Instead of stacking SaaS instances and compliance plugins, you get marketplace, B2B, encryption, and multi-jurisdiction deployment as native modules in one platform.
| HealthTech Requirement | Spree Enterprise Capability | How It Works |
|---|---|---|
| Medical device marketplace | Native marketplace + B2B | Vendors register, list products with certifications, buyers purchase. Per-vendor compliance docs stored and auditable. |
| Practitioner dispensing | B2B with buyer organizations | Practitioners register with license verification. Patients purchase through practitioner-specific storefronts. |
| HIPAA-compliant PHI | AES-256 + RBAC + immutable logging | All data encrypted at rest. Access restricted by role. Every access logged. Full BAA support. |
| FDA-compliant records | Immutable orders + audit trail | Write-once records. Audit trail: timestamp, user, action, IP. Digital signature integration available. |
| UDI tracking (EU MDR) | Product-level serialization | UDI per device. Batch/serial recorded at sale. Integration APIs for EU MDR systems. |
| Multi-region residency | Self-hosted, any cloud | AWS US or GovCloud. AWS UK for NHS. EU-only for GDPR. Your team controls all of it. |
| GDPR data portability | Full REST + GraphQL APIs | Customers export all transactions, interactions, and profile data on demand. |
Because Spree is self-hosted, you deploy it on infrastructure you control. No multi-tenant SaaS vendor sits between you and your compliance obligations.
Consider a medical device distributor operating across the US and EU. On SaaS, that means two separate platforms with two compliance stacks. On Spree, it’s one composable platform that handles both HIPAA and GDPR through deployment configuration.
Spree’s marketplace module and granular role-based access control let you segment your catalog: public listings for non-regulated accessories, restricted access for prescription devices, role-based pricing for hospital procurement versus individual patients.
Your security and compliance teams can audit every line of Spree’s codebase. The BSD 3-Clause license means that when FDA inspectors or NHS DSPT assessors ask how your platform meets a specific security control, you show them the source code. You don’t point to a vendor’s compliance certificate and hope it covers your use case.
For HealthTech marketplaces that need HIPAA-compliant data handling, FDA-ready record-keeping, and multi-jurisdictional deployment, a self-hosted open source platform with composable business model support provides the strongest architectural fit.
Architecture and Deployment for HealthTech Commerce
A production HealthTech architecture starts with one question: where does patient data live? The answer determines your hosting, your compliance posture, and your integration options.
Hosting and data residency. Each jurisdiction imposes different rules:
- US operations: AWS US-East or AWS GovCloud (for government healthcare programs)
- UK NHS partnerships: AWS London or Azure UK-South (NHS requires UK data residency)
- EU operations: AWS Frankfurt or AWS Ireland (GDPR requires EU data residency)
Spree deploys on any cloud region or on-premise, letting you match data residency to regulatory jurisdiction without platform changes.
HIPAA architecture. The compliant deployment pattern covers four layers:
- Encryption: AES-256 at rest for the database, TLS 1.2+ in transit for all API traffic
- Access control: Role-based visibility where physicians, nurses, patients, and admins each see different data
- Audit logging: Immutable, tamper-evident records of every data access event
- Backup isolation: Encrypted backups stored in the same jurisdiction as the primary data
FDA-compliant record-keeping. For medical device and digital therapeutics sales, the recommended pattern uses write-once order records (no post-creation modification), tamper-proof audit trails with timestamps and user attribution, digital signature integration for non-repudiation, and regulatory export in FDA-standard formats for audit responses.
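The audit-logging layer and the write-once record pattern from the two paragraphs above, as an added example that is not Spree code: a hash-chained, append-only audit trail in which every entry carries timestamp, user, action and IP and commits to the previous entry's digest, plus an order record that is frozen at creation. The class names are hypothetical, and the users, IPs and order values in the test are constructed sample data.

```ruby
require 'digest'
require 'json'
require 'time'

# Hash-chained, append-only audit trail: each entry commits to the previous
# entry's digest, so editing, deleting or reordering any earlier entry changes
# every later digest and is caught by verify. Hypothetical class, not Spree's.
class AuditTrail
  GENESIS = '0' * 64
  Entry = Struct.new(:seq, :timestamp, :user, :action, :ip, :record, :prev_digest, :digest)

  def initialize
    @entries = []
  end

  # Appends an attributed event (who, what, from where, about which record).
  def append(user:, action:, ip:, record:)
    prev = @entries.empty? ? GENESIS : @entries.last.digest
    body = [@entries.size, Time.now.utc.iso8601(6), user, action, ip, record, prev]
    entry = Entry.new(*body, self.class.digest_of(body))
    @entries << entry
    entry
  end

  # Returns copies, so callers cannot mutate the trail through them.
  def entries
    @entries.map(&:dup)
  end

  def verify
    self.class.verify(@entries)
  end

  def self.digest_of(body)
    Digest::SHA256.hexdigest(JSON.generate(body))
  end

  # Returns [true, nil] for an intact chain, or [false, index] of the first
  # entry whose sequence number, back-link or digest does not check out.
  def self.verify(entries)
    prev = GENESIS
    entries.each_with_index do |e, i|
      body = [e.seq, e.timestamp, e.user, e.action, e.ip, e.record, e.prev_digest]
      ok = e.seq == i && e.prev_digest == prev && e.digest == digest_of(body)
      return [false, i] unless ok
      prev = e.digest
    end
    [true, nil]
  end
end

# Write-once order record: frozen at creation and logged as an attributed
# event. A correction is a new audit event, never an in-place update.
class WriteOnceOrder
  attr_reader :id, :data
  def initialize(id, data, trail, user:, ip:)
    @id = id
    @data = data.transform_values { |v| v.frozen? ? v : v.dup.freeze }.freeze
    trail.append(user: user, action: 'order.create', ip: ip, record: { 'id' => id, 'data' => @data })
    freeze
  end
end
```

In production the trail would be persisted to append-only storage with the latest digest anchored elsewhere (for example, in a signed daily checkpoint), since a chain stored only beside the records it protects can be rewritten wholesale by whoever holds the database.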
Integration points. Critical HealthTech integrations include:
- Pharmacy management: NCPDP standards for prescription fulfillment
- Healthcare licensing databases: practitioner and manufacturer verification
- UDI databases: FDA and EU MDR device traceability
- EHR systems: Epic, Cerner for patient data where applicable
- Health-focused payment processors: specialized processors that SaaS platforms don’t support
Spree’s REST and GraphQL APIs provide the integration surface for all of these.
HealthTech Compliance Resources
For detailed guidance on the regulations affecting HealthTech commerce:
| Regulation | Scope | Full Guide |
|---|---|---|
| HIPAA + HITECH | US healthcare data protection and breach notification | HIPAA eCommerce Compliance |
| GDPR / Schrems II | EU data residency, consent, and portability | GDPR and Schrems II eCommerce Compliance |
| UK Data Act | UK data protection and NHS DSPT requirements | UK Data Act eCommerce Compliance |
| FDA 21 CFR Part 11 | US medical device record-keeping | FDA Compliance for eCommerce (coming soon) |
| EU MDR / IVDR | EU medical device traceability | EU Medical Device Compliance (coming soon) |
For related industry deep dives:
- Defense Procurement: ITAR-Compliant B2B Marketplaces shares compliance-heavy infrastructure requirements with HealthTech.
- Energy and Carbon Credit Marketplaces (coming soon) follows similar multi-jurisdictional and data-sovereignty patterns.
HealthTech compliance spans multiple jurisdictions and regulatory bodies simultaneously. A single medical device marketplace selling across the US, UK, and EU must satisfy HIPAA, FDA 21 CFR Part 11, GDPR, NHS DSPT, and EU MDR requirements at the same time. The guides above break down each framework’s platform-level requirements and deployment patterns so you can align your architecture with the specific regulations your business faces.
Build HealthTech Commerce with Spree
Spree Enterprise gives HealthTech merchants a composable marketplace platform that combines medical device distribution, practitioner networks, and digital therapeutics with HIPAA-compliant data handling, FDA-ready record-keeping, and flexible deployment across US, UK, and EU jurisdictions.
For HealthTech commerce that meets healthcare compliance requirements from day one, the Spree team can scope the right architecture for your operations.
Frequently Asked Questions
Can I build a medical device marketplace on Shopify or BigCommerce?
Not for HIPAA-regulated or FDA-regulated devices. Neither platform offers BAAs for standard eCommerce, and neither enforces FDA 21 CFR Part 11 record-keeping standards. Medical device sales records on these platforms would not meet immutability or non-repudiation requirements. Self-hosted platforms deployed on sovereign infrastructure are the compliant path.
What is a HIPAA BAA and why does my eCommerce platform need one?
A Business Associate Agreement (BAA) is a contract required by HIPAA between a healthcare entity and any vendor handling protected health information. It establishes the vendor’s responsibility for specific security controls around PHI. Most SaaS eCommerce platforms refuse to sign BAAs because they don’t accept HIPAA liability. Self-hosted platforms let you execute your own compliance program and sign BAAs directly with healthcare partners.
What does FDA 21 CFR Part 11 mean for my commerce platform?
Part 11 sets standards for electronic records in FDA-regulated industries. It requires sales records, customer data, and product information to be immutable (no post-creation modification), all changes to be logged with timestamps and user attribution, and the system to produce audit trails on demand for FDA inspections. SaaS platforms don’t support this natively.
How do I handle data residency for a platform operating in the US, UK, and EU?
Each jurisdiction has different requirements. HIPAA requires US-based PHI processing. NHS partnerships require UK data centers. GDPR requires EU-based storage. Self-hosted platforms solve this through deployment configuration: deploy on AWS US for domestic, AWS London for NHS, AWS Frankfurt for EU, all on the same codebase.
Can I sell to the NHS using a SaaS eCommerce platform?
NHS supply contracts require DSPT compliance and UK data residency. Shopify and BigCommerce store data on US infrastructure and don’t support DSPT. NHS partners using non-compliant platforms violate procurement contracts. Self-hosted platforms deployed on UK sovereign cloud meet both DSPT and data residency requirements.
What payment processors work for HealthTech eCommerce?
Standard processors (Stripe, PayPal) restrict healthcare transactions because payment data tied to health purchases is PHI-adjacent. Self-hosted platforms with open payment architecture integrate any processor via API, including health-specific processors that SaaS platforms don’t support. Many HealthTech merchants use ACH transfers as the primary B2B payment method.