HIPAA vs. GLBA: Real-World Scenarios That Make the Differences Clear


Kevin Henry

HIPAA

April 08, 2025

8 minutes read

You often hear HIPAA and GLBA mentioned together, but they govern very different worlds. This guide uses real situations to show where each law applies, what they protect, and how to comply without guesswork.

As you read, note how obligations shift depending on whether you handle health information or financial information—and how shared best practices like risk assessments, encryption, and vendor oversight help in both regimes.

Healthcare Industry Compliance

Who must comply and why it matters

HIPAA applies to covered entities—health plans, healthcare providers, and healthcare clearinghouses—and their business associates. It protects individually identifiable health information (PHI), including electronic PHI (ePHI), through the Privacy Rule, Security Rule, and Breach Notification Rule.

The Security Rule requires Administrative Safeguards, Physical Safeguards, and Technical Safeguards. You must complete ongoing risk assessments, implement least-privilege access, train your workforce, and document policies and procedures.

Scenario: Hospital adopting a cloud EHR

A regional hospital migrates to a cloud-based EHR. It signs a business associate agreement with the vendor, configures multi-factor authentication, applies encryption, and enables audit logs. Regular risk assessments drive updates to access controls and incident response plans.

Clinicians receive role-based access, and the privacy office enforces the “minimum necessary” standard. Patients exercise Patient Access Rights to view and obtain copies of their records through the portal within defined timeframes.

Scenario: Telehealth startup scaling fast

A telehealth startup hires remote clinicians. It tightens device security, requires VPN use, and conducts background checks. Administrative Safeguards cover onboarding, sanction policies, and periodic training refreshers.

Technical Safeguards include session timeouts, automatic logoff, and transmission security for video visits. The team rehearses breach response so it can quickly investigate, mitigate, and notify if a security incident compromises ePHI.

Financial Institution Requirements

Who must comply and core GLBA rules

GLBA covers many financial institutions, including banks, credit unions, lenders, mortgage servicers, fintechs that arrange consumer financial products, and certain insurers and securities firms. Three pillars govern obligations: the Financial Privacy Rule, the Safeguards Rule, and protections against pretexting.

Institutions must provide clear privacy notices, honor Opt-Out Provisions for sharing nonpublic personal information with certain nonaffiliated parties, and maintain a comprehensive information security program driven by risk assessments and monitored by leadership.

Scenario: Credit union launching P2P payments

A credit union rolls out a peer‑to‑peer app. It updates its privacy notice under the Financial Privacy Rule, offers opt-out where required, and vets the payments vendor’s security controls. The security program assigns a qualified lead, enforces MFA, encrypts sensitive data, and tests monitoring alerts.

Vendor contracts mandate incident reporting and safeguard requirements. Regular board reports track program effectiveness and corrective actions.

Scenario: Auto lender using an online lead generator

An auto lender sources leads from a third party. Before using any data, it confirms the provider’s collection practices align with GLBA and that sharing meets notice and opt-out commitments. Contracts restrict re-disclosure and require security standards consistent with the Safeguards Rule.

If the lead source engaged in deceptive practices, the lender could face Federal Trade Commission Enforcement for unfair or deceptive acts in addition to GLBA violations.

Protected Information Types

What counts as protected data

HIPAA protects PHI—any identifiable health information created or received by a covered entity or business associate related to health, care, or payment. De-identified data that meets HIPAA standards falls outside PHI rules.

GLBA protects nonpublic personal information (NPI): personally identifiable financial information that a consumer provides to you, that results from a transaction or service with the consumer, or that you otherwise obtain in connection with providing a financial product or service.

Scenario: Same person, different data—different rules

A patient’s blood test results at a clinic are PHI under HIPAA. The same person’s auto-loan payoff amount at a bank is NPI under GLBA. A fitness app that never engages in covered healthcare functions may hold sensitive data, but unless it acts for a HIPAA covered entity, that data is not PHI; other privacy laws may apply instead.

Similarly, banking data held by a merchant for loyalty points is not GLBA NPI unless the merchant provides a financial product or service; state privacy laws may govern that dataset.

Regulatory Safeguards Comparison

HIPAA Security Rule highlights

  • Administrative Safeguards: risk analysis, risk management, workforce training, and contingency planning.
  • Physical Safeguards: facility access controls, device/media controls, and workstation security.
  • Technical Safeguards: access controls, audit controls, integrity protections, authentication, and transmission security.

GLBA Safeguards Rule highlights

  • Written information security program led by a qualified individual and informed by periodic risk assessments.
  • Access controls, encryption, multi-factor authentication, secure development, and change management.
  • Continuous monitoring or regular testing, vendor oversight, incident response planning, and governance reporting.

Scenario: Lost laptop on a business trip

Your clinician’s unencrypted laptop is stolen. Under HIPAA, you perform a risk assessment to determine breach probability and, if necessary, notify affected individuals and regulators. Full-disk encryption and strong authentication could qualify as effective Technical Safeguards that prevent a breach.

A lender’s analyst loses a device with loan application data. Under GLBA, you evaluate the event against your incident response plan, investigate access logs, and, where required, notify regulators and affected consumers. Strong encryption and rapid revocation of credentials can reduce exposure.


Consumer Rights and Controls

HIPAA: patient-centric controls

Patients have Patient Access Rights to inspect, obtain copies, and in some cases direct you to transmit their PHI to a third party. They may request amendments and receive an accounting of certain disclosures.

Marketing uses of PHI generally require authorization, with narrow exceptions for treatment and certain operations. You must apply the minimum necessary standard to routine uses and disclosures.

GLBA: privacy notices and opt-outs

Consumers receive privacy notices describing your information practices and Opt-Out Provisions for sharing with certain nonaffiliated third parties. GLBA does not create a general right for consumers to access all NPI you hold; other laws like credit reporting rules may provide that access in specific contexts.

Scenario: Data sharing for advertising

A hospital cannot sell PHI for targeted advertising without patient authorization. A bank can share limited data for joint marketing under GLBA exceptions but must honor opt-outs for specified third-party sharing described in its privacy notice.

Enforcement and Penalties Overview

HIPAA enforcement

The U.S. Department of Health and Human Services’ Office for Civil Rights investigates complaints and breaches, imposes corrective action plans, and can assess significant civil penalties. The Department of Justice may bring criminal cases for intentional misconduct.

GLBA enforcement

Federal Trade Commission Enforcement applies to many non‑bank financial institutions, while federal banking regulators oversee banks and credit unions. Securities and insurance regulators enforce GLBA-related privacy and safeguard obligations for their sectors.

Scenario: Exam findings vs. public orders

A health system enters a resolution agreement with oversight, training, and reporting after OCR identifies systemic gaps. A fintech receives an FTC order requiring program overhauls, third‑party assessments, and monetary relief after failing to implement an effective Safeguards Rule program.

Overlapping Compliance Strategies

Build once, satisfy many requirements

  • Run risk assessments at least annually and after major changes; track findings to closure.
  • Map data flows to distinguish PHI, NPI, and other categories; apply the strictest controls where datasets mix.
  • Enforce least‑privilege access, MFA, encryption in transit and at rest, and continuous monitoring.
  • Strengthen vendor management with due diligence, contract clauses, and ongoing verification.
  • Train your workforce with role‑specific content; test retention with simulations.
  • Exercise incident response; refine based on post‑incident reviews.

Scenario: University health clinic and student lending

A university runs a campus clinic (HIPAA) and services institutional loans (GLBA). It separates systems and networks, labels data at collection, and routes requests to the correct team—medical records for HIPAA Patient Access Rights and financial services for GLBA privacy choices.

Centralized security architecture delivers shared controls—identity, logging, and encryption—while policy playbooks keep privacy notices, authorizations, and opt-outs consistent with each law.

Conclusion

HIPAA vs. GLBA comes down to context: health information versus financial information. Know which hat you are wearing, classify data precisely, and use risk‑based safeguards to meet each rule set. With clear scoping, disciplined governance, and tested controls, you can comply confidently across both regimes.

FAQs

What types of information does HIPAA protect?

HIPAA protects individually identifiable health information—PHI—related to a person’s health status, care, or payment when held by covered entities or their business associates. Electronic PHI (ePHI) is subject to the Security Rule’s Administrative Safeguards, Physical Safeguards, and Technical Safeguards.

How does GLBA ensure financial data security?

GLBA requires a written information security program under the Safeguards Rule, guided by periodic risk assessments. It emphasizes access controls, encryption, multi-factor authentication, monitoring and testing, vendor oversight, incident response, and governance reporting. The Financial Privacy Rule complements this by requiring notices and Opt-Out Provisions for certain sharing.

What are the main enforcement agencies for HIPAA and GLBA?

HIPAA is primarily enforced by the Department of Health and Human Services’ Office for Civil Rights, with the Department of Justice handling criminal cases. GLBA is enforced by the Federal Trade Commission for many non‑bank institutions and by federal banking, securities, and insurance regulators for their respective sectors.

How do consumer rights differ under HIPAA and GLBA?

Under HIPAA, individuals have Patient Access Rights to their PHI and can request amendments and an accounting of certain disclosures. Under GLBA, individuals receive privacy notices and may opt out of specified nonaffiliated third‑party sharing, but GLBA does not provide a general right to access all NPI held by financial institutions.
