Iubenda logo
Start generating


Table of Contents

GDPR vs HIPAA – What are the differences and how to comply

What is the difference between the GDPR and HIPAA and do their requirements overlap? How does the GDPR affect US health care providers? And how do you comply with both the GDPR and HIPAA? In this post we take a look at the GDPR vs HIPAA, what they require and the easiest way to comply with both.

What is the GDPR and who does it apply to?

The General Data Protection Regulation (GDPR), which became enforceable May 2018, is intended to increase data protection rights for persons whose personal information fall within its scope of application. It places added requirements and responsibilities on entities that handle that personal data, and grants comprehensive rights to users.

Who must comply with the GDPR?

Any entity that:

  • has base of operations is in the EU (in this case the entity must apply GDPR protections to ALL users);
  • offers goods or services (even if the offer is for free) to people in the EU; or
  • monitors the behavior of people who are in the EU, whether the entity is established in the EU or not.

Therefore, a US-based care provider would be required to comply with the GDPR if they process the personal data of EU-based users.


The GDPR governs the use of and applies to all personal data of the persons that fall within its scope, while HIPAA having a much narrower scope, only applies to HIPAA protected health information (PHI). In the table below, we’ll look at the Key differences between the GDPR and HIPAA.

Protected data Any data that relates to, or can lead to the identification of a living person. Any information about health status, care, or payment that is created or collected by a HIPAA Covered Entity (or a Business Associate of a Covered Entity), that can be linked to a specific individual.
Scope Sets compliance standards for all entities that fall within its scope Sets standards for covered entities and their business associates
Consent Explicit consent is mandatory for the processing of personal health data (which falls under sensitive data). However, the data may be processed without consent if it meets one of the conditions of processing in Article 9 of the GDPR and a legal basis applies. Allows disclosure of some PHI for “treatment purposes” without the consent of the individual
Right to be forgotten Under the GDPR, individuals have the right to be forgotten (or to have their data deleted upon request) HIPAA does not grant this right
Data breaches The Supervisory Authority must be notified within 72 hours. Affected persons must also be notified. Organizations must protect PHI and limit disclosure under the HIPAA Privacy Rule. Covered entities must also notify affected individuals of security breaches. If more than 500 people are affected, both affected individuals and the Department of Health must be informed within 60 days.

How to Comply with the GDPR

We’ve written this post to help you understand what the GDPR requires and how it might apply to you.

About us


GDPR compliance for your site, app and organization


See also