In this case, there is an export of personal data from Europe to the United States. So you need to use a Personal Data Transfer Mechanism – in this case, I would recommend the Standard Contractual Clauses, Controller-to-Processor. You also have a procedure for managing these transfers in the directory 09 – Personal Data Transfers.
However, in light of the European Union Court of Justice decision that invalidated the Privacy Shield Mechanism, the decision also known as Schrems II, data controllers must request non-EU data processors to provide additional technical and organizational measures to offer the same level of protection for the exported personal data as is given under the GDPR. You must check whether your company is subject to FISA 702 in the US, and see how you can protect the personal data of your customers from being accessed by US authorities. For this, you should help your customers perform a Data Protection Impact Assessment, especially since you are processing special categories of personal data (health data). In directory 08 – Data Protection Impact Assessment you can find a methodology for a DPIA.