
GDPR vs. HIPAA

GDPR and HIPAA remain two of the most talked about and widely applicable compliance regulations in the world. The two laws overlap in places but also differ in ways that often leave people confused. In this article we'll walk through some key topics and lay out where each law stands, in the hope of bringing some clarity.


In the compliance world, a common question is how GDPR and HIPAA differ. Many organizations are required to comply with both if their work relates to the healthcare system in the United States or involves any personal data in the United Kingdom. In this article we'll give a quick breakdown of the key distinctions between these two laws.

The GDPR governs the use of all personal data of the persons that fall within its scope, while HIPAA has a much more focused scope, only applying to protected health information (PHI). Below we’ll break down the core points of what HIPAA and GDPR do.

Protected Data

GDPR

Personal Data: Any data that relates to, or can lead to the identification of a living person. This includes:

  • Name
  • Identification number
  • Location data
  • Physical address
  • Email address
  • IP address
  • Radio frequency identification tag
  • Photograph
  • Video
  • Voice recording
  • Biometric data (eye retina, fingerprint, etc.)
  • An online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.

HIPAA

Protected Health Information: Any information about health status, care, or payment that is created or collected by a HIPAA Covered Entity (or a Business Associate of a Covered Entity), that can be linked to a specific individual. This includes:

  • Name
  • Address
  • DOB
  • Bank/credit card details
  • Social security number 
  • Photos
  • Insurance information
  • Health information

Classifications of Entities

GDPR

Under the GDPR, you are either a processor or a controller. The structures don't mirror HIPAA's exactly, but controllers, like covered entities, are the organizations that ultimately own personal data, whereas processors, like business associates, provide services, or data processing, for controllers. The GDPR defines a controller as a "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data." In short, the GDPR classifies entities based on ownership of the data.

HIPAA

Under HIPAA, you are either a Covered Entity (CE) or a Business Associate (BA); subcontractors of a business associate are simply business associates of that business associate. A hospital would be considered a covered entity, and a software company offering a service to that hospital would be a business associate. HIPAA strictly defines covered entities by their function in healthcare: providers, payers, and clearinghouses. In short, HIPAA classifies entities based on the function of the organization.


Scope

GDPR

This law sets compliance standards for all entities that fall within its scope. An entity is in scope if it:

  • Has a base of operations in the EU (in this case the entity must apply GDPR protections to ALL users).
  • Offers goods or services (even if the offer is free) to people in the EU.
  • Monitors the behavior of people who are in the EU, whether the entity is established in the EU or not.

HIPAA

This regulation sets standards for covered entities and their business associates. HIPAA applies to anyone dealing with PHI of US citizens and any entity or business intending to do business and deliver their services in the United States.

Consent

GDPR

Explicit consent is required for the processing of personal health data (which falls under sensitive data). However, the data may be processed without consent if it meets one of the conditions of processing in Article 9 of the GDPR and a legal basis applies.

HIPAA

HIPAA allows disclosure of some PHI for "treatment purposes" without the consent of the individual.

Right To Be Forgotten

GDPR

Under the GDPR, individuals (Data Subjects) have the right to be forgotten (or to have their data deleted upon request).

HIPAA

On the other hand, HIPAA does not grant a right to be forgotten. The PHI belongs to the doctor, who does not have to comply with such a request, whereas under the GDPR compliance is required. Part of this is due to the nature of healthcare-related services, where patient and insurance records are required to be kept for years on end.

Data Breaches

GDPR

The Supervisory Authority must be notified within 72 hours. Affected persons must also be notified.

HIPAA

Organizations must protect PHI and limit disclosure under the HIPAA Privacy Rule. Covered entities must also notify affected individuals of security breaches. If more than 500 people are affected, both affected individuals and the Department of Health must be informed within 60 days.
