GDPR vs. HIPAA

HIPAA
June 13, 2022
Discover the key differences between GDPR and HIPAA, including data protection scope, consent requirements, right to be forgotten, and data breach notification rules.

In the compliance world, a common question is how GDPR and HIPAA differ. Many organizations must comply with both: HIPAA if their work touches the healthcare system in the United States, and GDPR if they handle any personal data in the United Kingdom. In this article we’ll give a quick breakdown of the key distinctions between these two legislations.

The GDPR governs the use of all personal data of the persons that fall within its scope, while HIPAA has a much more focused scope, only applying to protected health information (PHI). Below we’ll break down the core points of what HIPAA and GDPR do.

Protected Data

GDPR

Personal Data: Any data that relates to, or can lead to the identification of a living person. This includes:

  • Name
  • Identification number
  • Location data
  • Physical address
  • Email address
  • IP address
  • Radio frequency identification tag
  • Photograph
  • Video
  • Voice recording
  • Biometric data (eye retina, fingerprint, etc.)
  • An online identifier of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person.

HIPAA

Protected Health Information: Any information about health status, care, or payment that is created or collected by a HIPAA Covered Entity (or a Business Associate of a Covered Entity), that can be linked to a specific individual. This includes:

  • Name
  • Address
  • Date of birth
  • Bank/credit card details
  • Social security number
  • Photos
  • Insurance information
  • Health information

Classifications of Entities

GDPR

Under GDPR, you’re either a data processor or a data controller. The two structures don’t mirror HIPAA’s exactly, but controllers, like covered entities, are the organizations that ultimately own the personal data, whereas processors, like business associates, provide services (data processing) to controllers. GDPR defines a controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.” In short, GDPR classifies entities based on who owns the data.

HIPAA

Under HIPAA, you’re either a Covered Entity (CE) or a Business Associate (BA); subcontractors of a BA are simply business associates of business associates. A hospital would be considered a covered entity, and a software company offering a service to that hospital would be a business associate. HIPAA strictly defines covered entities by their function in healthcare: providers, payers, and clearinghouses. In short, HIPAA classifies entities based on the function of the organization.

Scope

GDPR

This law sets compliance standards for all entities that fall within its scope. An entity is in scope if it:

  • Has a base of operations in the EU (in this case the entity must apply GDPR protections to ALL users).
  • Offers goods or services (even if the offer is for free) to people in the EU.
  • Monitors the behavior of people who are in the EU, whether the entity is established in the EU or not.

HIPAA

This regulation sets standards for covered entities and their business associates. HIPAA applies to anyone handling the PHI of US citizens, and to any entity or business intending to do business and deliver its services in the United States.

Consent

GDPR

Explicit consent is required for the processing of personal health data (which falls under sensitive data). However, the data may be processed without consent if it meets one of the conditions of processing in Article 9 of the GDPR and a legal basis applies.

HIPAA

HIPAA allows disclosure of some PHI for “treatment purposes” without the consent of the individual. More clarification on this can be found here.

Right To Be Forgotten

GDPR

Under the GDPR, individuals (Data Subjects) have the right to be forgotten (or to have their data deleted upon request).

HIPAA

On the other hand, HIPAA does not grant a right to be forgotten. The PHI belongs to the doctor, who does not have to comply with such a deletion request, whereas under GDPR compliance is required. Part of this is due to the nature of healthcare-related services, where patient or insurance records are required to be kept for years on end.

Data Breaches

GDPR

The Supervisory Authority must be notified within 72 hours. Affected persons must also be notified.

HIPAA

Organizations must protect PHI and limit disclosure under the HIPAA Privacy Rule. Covered entities must also notify affected individuals of security breaches. If more than 500 people are affected, both affected individuals and the Department of Health must be informed within 60 days.
