
Written by Zlatko Delev

Posted on: November 23, 2023

Safeguarding Health Data: HIPAA vs GDPR – A Comparative Analysis

What is HIPAA? Are there similarities and differences between it and GDPR? And does your organisation need to ensure it is compliant with both?

HIPAA is the Health Insurance Portability and Accountability Act 1996. It was designed to prevent sensitive patient data (Protected Health Information, or PHI) from being disclosed without the patient’s consent or knowledge. A federal law, it applies to the PHI of US citizens, irrespective of where that data is held.

If, therefore, an international company processes US PHI, it is as bound by HIPAA as an organisation in Maine, Montana or Mississippi.

HIPAA imposes administrative, physical and technical safeguards on US patient data. It sets boundaries for the release of health records and requires healthcare providers and related entities to have comprehensive security measures in place, covering areas like access controls, encryption, and employee training. It gives patients more control over their personal information.

The General Data Protection Regulation (GDPR) grants individuals a wider range of rights than HIPAA. GDPR gives data subjects rights including the right to access their data, the right to be forgotten, and the right to data portability. Additionally, the rights conferred by GDPR extend beyond healthcare settings.

Strict Enforcement and Penalties

HIPAA violations can result in significant penalties, ranging from fines to criminal charges. The level of culpability determines the fine tier, and the tier determines the fine per violation.

At the time of writing, for example, the penalty for a tier 1 violation (one committed through lack of knowledge) can be as little as $137. At the other end of the scale, a tier 4 violation (willful neglect not corrected within 30 days of the organisation becoming aware of it) can attract the maximum penalty per year of $2,067,813.

GDPR’s maximum fine operates on a different scale (literally), with companies liable for €20 million or 4% of annual global turnover, whichever is greater.

HIPAA applies to the data of US citizens. GDPR applies to the data of EU residents. Here’s what that means in practice:

◦ Noah is a US citizen but he’s spending a year studying in Paris and is therefore an EU resident. His PHI is protected by HIPAA — no matter where that data is processed — because he remains a US citizen. All his personal data is protected by GDPR — no matter where that data is processed — because he is resident in the EU. It will remain protected for as long as he remains in the EU.

◦ Isabella is originally from Spain. She’s currently living and working in Boston for a few months. Her PHI is not protected by HIPAA because she is not a US citizen. Her personal data is not protected by GDPR either because she is not currently an EU resident.

◦ XYZ Inc is a US organisation based in Tampa that handles lots of personal data, some of it relating to EU residents, some to US citizens. It is bound by GDPR, even though it is not based in the EU. If the data it processes is health related, it will be bound by HIPAA too.

◦ ABC AG is a German company based in Dusseldorf. It processes personal health information of US citizens and EU residents. It is bound by HIPAA because the data it holds is PHI. It is also bound by GDPR, because the personal health data it holds also qualifies as personal data for the purposes of GDPR.

HIPAA and GDPR are similar only in a fairly loose sense. They are both data protection laws. Both are mandatory. Both have extraterritorial reach (that is, they apply everywhere the data they protect is processed).

Both laws also place stringent consent requirements on organisations that handle personal data. GDPR places a strong emphasis on obtaining explicit and informed consent for data processing activities. This ensures that individuals are aware of how their data will be used and have the choice to grant or withhold consent.

HIPAA requires health providers to gain patient consent to the use of PHI in all but routine circumstances.

Beyond these, however, it’s almost surprising how little HIPAA and GDPR overlap. The main reason for that is the approach taken in their drafting. HIPAA’s legislators took a risk-based approach. As a consequence, you’ll find plenty of language within the law that says things like:

“Entities must:

◦ Detect and safeguard against anticipated threats to the security of the information
◦ Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
◦ Certify compliance by their workforce”

In contrast, GDPR takes a rights-based approach, as its emphasis on explicit and informed consent (discussed above) illustrates: the law is framed around what the individual is entitled to know and decide, rather than around the threats an organisation must anticipate.

We speak with many organisations looking to ensure cross-legislation compliance, who anticipate that meeting their obligations under one standard will largely mean meeting them under all. As our examination of HIPAA and GDPR demonstrates, that’s not the case.

While HIPAA primarily focuses on safeguarding the health data of US citizens, GDPR extends its protective umbrella beyond health in a more holistic approach to individuals’ rights. While compliance with both laws does share some basic DNA, there are significant differences.

GDPRLocal can help ensure you correctly comply with the data protection legislation of all the territories in which you trade. Get expert help in managing your data protection here, appoint your Article 27 GDPR rep, or call +1 303 317 5998.
