
HIPAA vs GDPR Compliance: What’s the Difference?

We’ve been getting tons of questions about HIPAA vs GDPR compliance lately. Businesses want to know what these two frameworks have in common and what sets them apart. 

Then there’s the question of overlap. For example, which requirements do these two frameworks share (if any)? And if you’re already compliant with one of them, does that reduce the effort required to get compliant with the other?

We’ll answer all these pressing questions and more in our HIPAA vs. GDPR compliance head-to-head.


What Is HIPAA?

If you’re looking for a complete primer on HIPAA, we’ve got you covered right here. If not, no worries. We’ll give you the quick and dirty below.

HIPAA, AKA the Health Insurance Portability and Accountability Act of 1996, is a U.S. law. It requires covered entities in the healthcare space to safeguard the security and privacy of protected health information (or PHI). Before we unpack what covered entities are, let’s dive into PHI.

PHI is any health information that includes personal identifiers, from your name to your home address.

HIPAA applies to covered entities and their business associates. Covered entities are:

  • Health insurers (health insurance companies, company health plans, etc.)
  • Healthcare providers (doctors, clinics, dentists, chiropractors, pharmacies, etc.)
  • Healthcare clearinghouses (entities that process nonstandard health information which they receive from another entity into a standard format)

To keep things simple, HIPAA covers any organization that handles PHI. 

As mentioned above, HIPAA is law. However, unlike other healthcare-related security frameworks such as HITRUST, HIPAA doesn’t have a certification body, so you can’t get HIPAA certified. In other words, all those fancy HIPAA badges businesses have on their websites are pretty much meaningless. That said, HIPAA is enforced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). If you’re non-compliant, you could face serious fines and irreparable damage to your reputation.

The law includes three rules: the Privacy Rule, Security Rule and Breach Notification Rule. These three rules work together to protect individuals and give them rights to their personal information.



If you’re a covered entity or a business associate of a covered entity, then you must be HIPAA compliant, plain and simple. 

The Process of HIPAA Certification

Covered entities and their business associates must follow HIPAA’s privacy, security and breach notification rules. The law’s Security Rule also includes an evaluation standard. It requires organizations to perform regular technical and nontechnical evaluations to ensure compliance. 


What Is GDPR?

The General Data Protection Regulation (or GDPR) became law on May 25, 2018, and it’s among the toughest data privacy and security laws on the planet. It applies to all organizations targeting or collecting data related to people in the U.K. or E.U., even if they operate outside of those jurisdictions. This data, better known as personally identifiable information (or PII), covers anything that can be used to clearly identify a person, and organizations are required by law to safeguard it.

Under the GDPR, organizations must take documented steps to limit access to PII. If your company collects banking information, only job roles that specifically require that data should be able to access it.

The documented steps need to cover the following:

Consent

The GDPR prohibits the use of confusing terms and conditions, so be clear and concise. Whenever data is used for new purposes, a new request for consent is required. And it must be as easy to withdraw consent as it is to give it.

Breach Notifications

Organizations have 72 hours to notify all data subjects of a security breach, either by email, phone or through a public announcement.

Right to Access

Organizations must be transparent with U.K. and E.U. citizens about how their PII is used. 

Right to Be Forgotten

Organizations must delete PII if an individual requests it. They must also cease further distribution of that data.

Privacy by Design

Organizations can only process information that is essential to completing their business purpose.

Data Protection Officers

Organizations must appoint a Data Protection Officer (DPO) to oversee the implementation of the GDPR. This individual protects personal data from misuse, unauthorized access and other security breaches. 

Regardless of size, an organization must appoint a DPO if:

  • It is a public authority or body.
  • Its core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
  • Its core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offenses.



If you handle PII that belongs to individuals in the U.K. and E.U., then you are required by law to comply with the GDPR. Failure to do so could result in some pretty hefty fines: up to €20 million, or four percent of your worldwide annual revenue from the previous year, whichever is higher.


The Process of GDPR Certification

Timelines for GDPR implementation can vary between processors and controllers and are impacted significantly by company structure, but the process can take anywhere from six to 36 weeks.

Once implemented, organizations must complete internal GDPR assessments periodically to demonstrate their compliance. They can also apply for certification, though it is voluntary.


HIPAA vs GDPR: Purpose

While HIPAA and GDPR both aim to protect how personal information is used, they have entirely different scopes.

HIPAA oversees how healthcare organizations and their business associates handle PHI in the U.S. The GDPR, on the other hand, is much broader. It oversees how all organizations handle the PII of U.K. and E.U. citizens. 


Differences Between HIPAA vs GDPR Compliance

The most apparent differences between HIPAA and GDPR are the jurisdictions and industries in which each law applies. Beyond that, there are three noteworthy differences between HIPAA and GDPR.

Consent

HIPAA permits some degree of PHI disclosure without patient consent. For example, healthcare providers can send PHI to another provider for treatment purposes. Or, in some circumstances, a healthcare provider can disclose PHI to other providers or business associates without patient consent.

Under GDPR, consent must always be given, even for patient care.


Right to Be Forgotten

GDPR gives data subjects the “Right to be Forgotten,” while under HIPAA records are kept permanently. With GDPR, individuals may tell an organization to erase their data. Under HIPAA, medical records generally cannot be altered or deleted.


Data Breaches

The most significant healthcare data breaches reported in 2021 each impacted more than 1 million patients, totaling roughly 22.64 million people.

Under the HIPAA Breach Notification Rule, covered entities and business associates must notify affected individuals of breaches. If the incident involves more than 500 individuals, the Department of Health and Human Services’ Office for Civil Rights (OCR) must be notified, along with all affected individuals, within 60 days. Smaller breaches must still be reported to the OCR and the affected individuals by the end of the reporting year.

GDPR is a different ball game, and size does not matter. Under Article 33 of GDPR, there is a 72-hour breach reporting requirement, and care providers must report all breaches to the supervisory authorities.


Similarities of HIPAA vs GDPR Compliance

If your organization is already HIPAA or GDPR compliant, you already have several safeguards in place to protect data. While there are more differences than similarities for HIPAA vs GDPR, there is some framework overlap.

  • Both require controlled access to sensitive data.
  • Both require methods for detecting unauthorized changes to PHI.
  • Both require you to encrypt PHI at rest and in transit.
  • Both require an appointed data protection officer.
  • Both HIPAA and GDPR compliance give organizations the security they need to focus on the privacy of their clients, patients and employees.


Tugboat Logic Can Help

HIPAA vs GDPR compliance gets a little fuzzy sometimes. So, if you’re looking for a more in-depth understanding, chat with one of our experts! They have tons of experience supporting organizations as they navigate HIPAA and GDPR. 

Or, if you’ve got it all figured out and are ready to take your first steps, we can help you get compliant fast, starting with a free trial of our platform!