HIPAA vs GDPR: Key Differences and Compliance Requirements


Kevin Henry

January 28, 2026

If you handle health-related data across borders, you likely face both HIPAA and GDPR. This guide clarifies where each regulation applies, what data they protect, how consent and Data Subject Rights work, and what to do about breaches. It also highlights must-have contracts—Business Associate Agreements and Data Processing Agreements—to help you build a defensible compliance program. This overview is informational and not legal advice.

Scope and Applicability

HIPAA

HIPAA applies in the United States to covered entities—health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses—and to their business associates. If you create, receive, maintain, or transmit Protected Health Information on behalf of a covered entity, you are a business associate and must sign Business Associate Agreements that bind you to HIPAA obligations.

GDPR

GDPR applies to controllers and processors that process personal data of individuals in the EU/EEA, including organizations outside the region that offer goods or services to, or monitor the behavior of, people in the EU/EEA. Many organizations must appoint a Data Protection Officer when their core activities involve large-scale processing of special category data (such as health data) or large-scale monitoring.

When both may apply

  • US health systems serving EU patients via telehealth or patient portals.
  • Digital health apps marketing to EU residents while integrating with US providers.
  • Cloud and analytics vendors handling PHI for US clients and personal data for EU clients.

Practical steps: map data flows by jurisdiction, determine whether you act as a HIPAA covered entity/business associate and/or a GDPR controller/processor, and put the right contracts in place (Business Associate Agreements and Data Processing Agreements).

Data Protection Scope

What HIPAA protects

HIPAA protects Protected Health Information—individually identifiable health information held or transmitted by covered entities and business associates, in any form. PHI excludes de-identified data (as defined by HIPAA), certain education records, and employment records held by a covered entity in its role as employer. HIPAA’s “minimum necessary” standard requires you to limit uses and disclosures to what is needed.

What GDPR protects

GDPR protects personal data—any information relating to an identified or identifiable person. Health data is a “special category” subject to stricter safeguards. GDPR embeds principles like purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability across all personal data processing.

De-identification, anonymization, and pseudonymization

  • HIPAA de-identification may use Safe Harbor removal of specified identifiers or Expert Determination that re-identification risk is very small.
  • Under GDPR, truly anonymized data (irreversibly de-identified) falls outside the regulation; pseudonymized data remains personal data and must still meet GDPR requirements.

Consent and Authorization

HIPAA

HIPAA generally does not require patient consent for Treatment, Payment, and Health Care Operations. However, a signed authorization is required for uses and disclosures beyond those purposes, such as most marketing, the sale of PHI, and many research scenarios (unless an IRB or privacy board grants a waiver). Your authorization forms must be specific and revocable, and you must honor requested restrictions where feasible.

GDPR

GDPR requires a lawful basis for each processing purpose: consent, contract, legal obligation, vital interests, public task, or legitimate interests. For special category data like health data, you typically need explicit consent or must rely on a specific exception (for example, health care provision, public health, or research with safeguards). Valid consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give.

Operational tips

  • Document your lawful basis per purpose; avoid using consent when another lawful basis is more appropriate.
  • Design granular consent and authorization flows; track versions, scope, and withdrawal.
  • Ensure marketing and research workflows meet the stricter of the two regimes where they overlap.

Individual Rights under Regulations

HIPAA patient rights

Under HIPAA, individuals can access and obtain copies of their PHI (generally within 30 days, with a limited extension), request amendments, request restrictions on certain disclosures, receive confidential communications, and obtain an accounting of certain disclosures. HIPAA does not provide a broad right to deletion.

GDPR Data Subject Rights

GDPR grants robust rights: access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. You must respond without undue delay and within one month in most cases, with a limited extension for complex requests. You also must verify identity, explain decisions, and document outcomes.

Building one response process

  • Centralize intake of requests and identity verification.
  • Automate search across systems to compile records quickly.
  • Standardize response templates and logs to evidence compliance under both HIPAA and GDPR.

Breach Notification Protocols

HIPAA

A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security, subject to narrow exceptions. You must conduct a risk assessment to determine the probability of compromise. If notification is required, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; notify regulators and, for larger incidents, the media, following HIPAA’s rules. Business associates must notify the covered entity promptly.

GDPR

A personal data breach is a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. You must assess risk to individuals’ rights and freedoms. Notify the relevant supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in risk; notify affected individuals without undue delay when the risk is high. Processors must notify controllers without undue delay.

Timelines, evidence, and readiness

  • Timelines: GDPR expects authority notice within 72 hours; HIPAA requires individual notice without unreasonable delay and no later than 60 days.
  • Evidence: maintain an incident register, risk assessments, containment steps, and notification artifacts.
  • Readiness: run tabletop exercises, encrypt data at rest/in transit, and ensure vendor contracts define breach reporting duties.

Penalties for Non-Compliance

HIPAA

HIPAA uses a tiered civil penalty structure that scales with culpability and corrective actions, with annual caps adjusted for inflation. Serious, intentional misuse of PHI can trigger criminal penalties, including fines and potential imprisonment. Regulators often impose corrective action plans that mandate multi-year remediation.

GDPR

GDPR empowers authorities to issue administrative fines up to the higher of €20 million or 4% of worldwide annual turnover for the most serious infringements, and up to €10 million or 2% for others. Enforcement may also include reprimands, processing bans, orders to delete data, and audits. Individuals can seek compensation for material or non-material damage.

Reducing enforcement risk

  • Demonstrate accountability with documentation, metrics, and regular audits.
  • Use privacy by design/default, strong security, and ongoing training.
  • Keep Business Associate Agreements and Data Processing Agreements current and enforceable.

Regulatory Oversight and Enforcement

HIPAA

The US Department of Health and Human Services Office for Civil Rights investigates complaints, conducts compliance reviews, and negotiates settlements. State attorneys general may also bring actions. HIPAA itself does not grant individuals a direct private right of action, though other laws may apply.

GDPR

National Data Protection Authorities oversee compliance, handle complaints, and coordinate cross-border cases through a “one-stop-shop” mechanism. The European Data Protection Board promotes consistent application. Your Data Protection Officer, where required, monitors compliance, advises on risks, and serves as a point of contact with authorities.

Conclusion

HIPAA targets US health-sector PHI, while GDPR governs broader personal data globally with strong individual rights. Build a unified program that maps data, selects the right lawful bases, honors requests on time, proves security, and formalizes vendor risk via Business Associate Agreements and Data Processing Agreements. When in doubt, follow the stricter rule to reduce cross-jurisdictional risk.

FAQs

What are the main differences between HIPAA and GDPR?

HIPAA is a US health-privacy law focused on Protected Health Information handled by covered entities and business associates. GDPR is an EU-wide framework covering nearly all personal data across sectors, with extraterritorial reach. GDPR embeds broad principles and strong Data Subject Rights; HIPAA centers on health-specific privacy, security, and disclosure rules.

How do consent requirements differ between HIPAA and GDPR?

HIPAA generally allows Treatment, Payment, and Operations without consent but requires written authorization for many other uses, such as most marketing. GDPR requires a lawful basis for each purpose; for health data, that is usually explicit consent or a specific exception (for example, health care provision). GDPR consent must be freely given, specific, informed, unambiguous, and easily withdrawn.

What penalties apply for non-compliance with HIPAA or GDPR?

HIPAA uses tiered civil penalties that escalate with culpability and can include criminal penalties for intentional misuse, plus mandated corrective action plans. GDPR authorizes significant administrative fines—up to the higher of €20 million or 4% of global turnover for the most serious violations—along with orders, audits, and potential compensation claims by individuals.

How do breach notification requirements compare under HIPAA and GDPR?

Under HIPAA, you must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, and notify regulators per HIPAA rules. Under GDPR, you must notify the supervisory authority within 72 hours of becoming aware of a personal data breach (unless risk is unlikely) and notify individuals without undue delay when there is high risk to their rights and freedoms.
