Healthcare and health-tech organisations often have to reconcile two very different privacy regimes: the EU’s GDPR and the United States’ HIPAA. They protect overlapping data but were built for different purposes, which can make GDPR compliance feel at odds with a HIPAA programme.
This guide compares GDPR and HIPAA across the points that matter — scope, rights, consent, breaches and penalties — and explains how to satisfy both for the same data.
The short answer
GDPR and HIPAA both protect sensitive information, but they operate at very different scopes. GDPR is a broad data protection law covering all personal data in every sector. HIPAA is a narrow, sector-specific US law that protects only protected health information (PHI) held by healthcare providers, health plans and their vendors.
If you handle the health data of people in the EU, GDPR treats it as “special category” data with extra protections. If you are a US healthcare organisation, HIPAA governs that same data. International health businesses often need to satisfy both.
GDPR vs HIPAA at a glance
The table compares the two on the points that matter most in practice.
| Aspect | GDPR (EU) | HIPAA (US) |
|---|---|---|
| Data covered | All personal data | Protected health information (PHI) only |
| Who must comply | Any controller/processor handling EU data | Covered entities & their business associates |
| Sectors | Every sector | Healthcare and health plans |
| Permission model | Lawful basis (incl. explicit consent for health data) | Authorization for uses beyond treatment, payment, operations |
| Breach notice | 72 hours to the regulator | Without unreasonable delay, no later than 60 days |
| Vendor contract | Data Processing Agreement (Art 28) | Business Associate Agreement (BAA) |
| Regulator | National DPAs / EDPB | HHS Office for Civil Rights (OCR) |
Scope: all personal data vs health data only
The defining difference is breadth. GDPR applies to any personal data — names, emails, location, behaviour — across every industry. HIPAA applies only to PHI: individually identifiable health information created or held by covered entities in connection with healthcare.
So a hospital’s marketing email list is personal data under GDPR but generally not PHI under HIPAA, while a patient’s diagnosis is protected under both. Understanding which data falls into which bucket is the first step to compliance.
Who must comply
GDPR binds any controller or processor that handles EU residents’ data, regardless of sector or location. HIPAA binds covered entities — healthcare providers, health plans and clearinghouses — and their business associates, the vendors that handle PHI on their behalf.
This means a software vendor can be a GDPR processor and a HIPAA business associate at the same time, taking on obligations under both frameworks for the same dataset.
Individual rights compared
Both give people rights over their data, but GDPR’s are broader. GDPR provides access, rectification, erasure, restriction, portability and objection. HIPAA gives patients the right to access and amend their records, to an accounting of disclosures, and to request restrictions — but it has no general right to erasure, because medical records must often be retained by law.
If you serve patients in both regimes, build a request workflow that recognises which rights apply to which data and routes each request accordingly.
Consent vs authorization
GDPR requires a lawful basis for processing, and for health data it usually requires explicit consent or another special-category condition. HIPAA permits use of PHI for treatment, payment and healthcare operations without separate authorization, but requires a signed authorization for most other uses, such as marketing.
The models differ in default: GDPR starts from “you need a basis”, HIPAA from “core healthcare uses are allowed, everything else needs authorization”.
Breach notification timelines
Both require breach notification, but on different clocks. GDPR requires reporting a qualifying breach to the supervisory authority within 72 hours of awareness, and to individuals where the risk is high. HIPAA requires notifying affected individuals and HHS without unreasonable delay and no later than 60 days, with large breaches reported to HHS and the media.
An international health breach can therefore trigger both clocks at once, so your incident response plan should account for the stricter 72-hour GDPR deadline.
Vendor contracts: DPA vs BAA
Both regimes require contracts with vendors who handle protected data. Under GDPR this is a Data Processing Agreement (Article 28). Under HIPAA it is a Business Associate Agreement (BAA). They cover similar ground — permitted uses, safeguards, breach reporting and return or destruction of data — but use different terminology and statutory hooks.
A vendor serving healthcare clients across both regions will often need both agreements in place, sometimes combined into a single document.
Security requirements
GDPR’s Article 32 requires “appropriate technical and organisational measures” on a risk basis, leaving the specifics to you. HIPAA’s Security Rule is more prescriptive for electronic PHI, setting out administrative, physical and technical safeguards such as access controls, audit logs, encryption and contingency planning.
In practice, implementing the HIPAA Security Rule will satisfy much of GDPR’s Article 32 for the same systems, since both demand strong, documented security proportionate to the risk.
Enforcement and penalties
GDPR fines reach up to €20 million or 4% of global annual turnover, issued by national data protection authorities. HIPAA is enforced by the HHS Office for Civil Rights, with tiered civil penalties based on culpability and annual caps per violation category, plus potential criminal penalties for wilful misuse of PHI.
Both regulators weigh the strength of your safeguards and the quality of your response, so good documentation and prompt action materially reduce exposure under either law.
EU health data is “special category” data
It is worth stressing that GDPR singles out health data for extra protection as special category data. Processing it is prohibited unless a specific condition applies — typically explicit consent, or provision of healthcare under a contract with a health professional. That makes EU health data arguably harder to process than ordinary personal data, even though GDPR is sector-neutral.
US healthcare organisations expanding into the EU are sometimes surprised by this: HIPAA compliance does not automatically satisfy GDPR’s special-category rules.
If you must comply with both
Health businesses operating internationally frequently fall under both regimes for the same data. The efficient approach is to treat HIPAA’s detailed safeguards as your security baseline, then layer GDPR’s broader obligations — lawful basis, the full set of data subject rights, the 72-hour breach clock and records of processing — on top.
ISpectra Technologies helps healthcare and health-tech organisations map a single programme that satisfies HIPAA and GDPR together, so the same dataset is protected once, properly, rather than twice with gaps in between.
Cross-border transfers of health data
One area HIPAA barely addresses but GDPR treats seriously is international data transfers. If a US health organisation moves EU patients’ data out of the EU, GDPR requires a valid transfer mechanism — Standard Contractual Clauses, the EU–US Data Privacy Framework, or another safeguard — on top of the special-category conditions for health data.
This catches many HIPAA-focused teams off guard, because moving PHI between US systems raises no equivalent GDPR-style transfer question domestically. When EU residents’ health data is involved, map every transfer and document the mechanism that legitimises it, just as you would for any other category of GDPR-regulated data.
Where to start
Begin with a data inventory that flags which records are PHI, which are EU personal data, and which are both. That single map drives your HIPAA safeguards, your GDPR records of processing, and your response to access or deletion requests under either regime, and prevents the gaps that appear when teams treat the two laws as separate projects.