GDPR and HIPAA remain two of the most talked about and widely applicable compliance regulations in the world. The two laws have some overlap but also some distinct differences that often leave people confused. In this article we'll walk through some key topics and lay out where each law stands, in the hope of providing some clarity.
In the compliance world, a source of many questions is how GDPR and HIPAA are different. Many people are required to comply with both if their work relates to the healthcare system in the United States or with any personal data in the United Kingdom. In this article we’ll do a quick breakdown of the key distinctions between these two legislations. 

The GDPR governs the use of all personal data of the persons that fall within its scope, while HIPAA has a much more focused scope, only applying to protected health information (PHI). Below we’ll break down the core points of what HIPAA and GDPR do.

Protected Data


Personal Data: Any data that relates to, or can lead to the identification of a living person. This includes:

  • Name
  • Identification number
  • Location data
  • Physical address
  • Email address
  • IP address
  • Radio frequency identification tag
  • Photograph
  • Video
  • Voice recording
  • Biometric data (eye retina, fingerprint, etc.)
  • An online identifier of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.

Protected Health Information: Any information about health status, care, or payment that is created or collected by a HIPAA Covered Entity (or a Business Associate of a Covered Entity), that can be linked to a specific individual. This includes:

  • Name
  • Address
  • DOB
  • Bank/credit card details
  • Social security number 
  • Photos
  • Insurance information
  • Health information

Classifications of Entities


Under the GDPR, you’re either a data processor or a data controller. The structures don’t mirror HIPAA’s 100%, but controllers, like covered entities, are the organizations that ultimately own the personal data, whereas processors, like business associates, provide services (data processing) for controllers. The GDPR defines a controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.” In short, the GDPR classifies entities based on the ownership of data.


Under HIPAA, you’re either a Covered Entity (CE) or a Business Associate (BA); subcontractors are simply business associates of business associates. A hospital, for example, would be considered a covered entity, and a software company offering a service to that hospital would be a business associate. HIPAA strictly defines covered entities by their function in healthcare: providers, payers, and clearinghouses. In short, HIPAA classifies entities based on the function of the organization.

Scope


The GDPR sets compliance standards for all entities that fall within its scope. An entity is in scope if it:

  • Has a base of operations in the EU (in this case the entity must apply GDPR protections to ALL users).
  • Offers goods or services (even if the offer is for free) to people in the EU.
  • Monitors the behavior of people who are in the EU, whether the entity is established in the EU or not.

HIPAA sets standards for covered entities and their business associates. It applies to anyone dealing with the PHI of US citizens and to any entity or business intending to do business and deliver its services in the United States.



Consent


Under the GDPR, explicit consent is required for the processing of personal health data (which falls under sensitive data). However, the data may be processed without consent if it meets one of the conditions for processing in Article 9 of the GDPR and a legal basis applies.


HIPAA allows disclosure of some PHI for “treatment purposes” without the consent of the individual.

Right To Be Forgotten


Under the GDPR, individuals (Data Subjects) have the right to be forgotten (or to have their data deleted upon request).


HIPAA, on the other hand, does not grant a right to be forgotten. The PHI belongs to the doctor, who is not obliged to honor a deletion request, whereas under the GDPR the controller is required to. Part of this is due to the nature of healthcare-related services, where patient or insurance records must be kept for years on end.

Data Breaches


Under the GDPR, the Supervisory Authority must be notified within 72 hours. Affected persons must also be notified.


Organizations must protect PHI and limit disclosure under the HIPAA Privacy Rule. Covered entities must also notify affected individuals of security breaches. If more than 500 people are affected, both affected individuals and the Department of Health must be informed within 60 days.
