Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR vs HIPAA: Key Differences and When Both Apply

By Custodia · March 27, 2026 · 10 min read


Your health tech startup just closed its first EU customer. Congratulations — you now have a compliance problem. Not because you did anything wrong, but because you're now operating under two of the most demanding data privacy frameworks in the world simultaneously: GDPR and HIPAA.

Most founders treat GDPR vs HIPAA as an either/or question. "We're a US company, so we follow HIPAA." Or: "We have EU customers, so we worry about GDPR." The reality is that for any health tech company operating internationally, both frameworks apply — and they overlap in complicated ways.

This guide explains both frameworks, compares them side by side, and tells you exactly how to build a dual-compliance strategy that satisfies both.


What HIPAA Covers

HIPAA — the Health Insurance Portability and Accountability Act — is US federal law, enacted in 1996 and updated repeatedly since. It applies to:

  • Covered entities: healthcare providers (hospitals, clinics, physicians), health plans (insurers, HMOs), and healthcare clearinghouses
  • Business associates: any vendor or service provider that handles Protected Health Information (PHI) on behalf of a covered entity — this includes software companies, cloud providers, billing services, and analytics platforms

The key data category under HIPAA is Protected Health Information (PHI): any individually identifiable information relating to the health, healthcare, or healthcare payment of an individual, held or transmitted by a covered entity or business associate. This includes names, addresses, birth dates, Social Security numbers, diagnoses, treatment records, and more — in any format (paper, electronic, verbal).

ePHI (electronic PHI) is PHI stored or transmitted electronically. The HIPAA Security Rule applies specifically to ePHI.

HIPAA is enforced by the HHS Office for Civil Rights (OCR). Penalties range from $100 to $50,000 per violation, capped at $1.9 million per violation category per year. Criminal violations can result in prison time.


What GDPR Covers

GDPR — the General Data Protection Regulation — is EU law, in force since May 2018. Its reach is explicitly extraterritorial: it applies to any organisation, anywhere in the world, that processes personal data of individuals located in the EU.

For health data, GDPR goes further. Health information is classified as special category data under Article 9, alongside biometric data, genetic data, racial or ethnic origin, and religious beliefs. Special category data requires a higher legal basis for processing — explicit consent or one of the specific Article 9(2) exemptions (healthcare provision, public health, research, etc.).

GDPR applies to you if:

  • You have EU-based users, customers, or patients (regardless of where your company is incorporated)
  • You operate an office or subsidiary in an EU member state
  • You monitor the behaviour of individuals in the EU (e.g., analytics on EU website visitors)

Enforcement is by national data protection authorities (DPAs) — the ICO in the UK, CNIL in France, the BfDI in Germany, etc. Fines reach €20 million or 4% of global annual turnover, whichever is higher.


GDPR vs HIPAA: Side-by-Side Comparison

| Feature | GDPR | HIPAA |
| --- | --- | --- |
| Jurisdiction | Global (any org processing EU resident data) | United States only |
| Who it applies to | Any data controller or processor of EU personal data | Covered entities and business associates |
| Regulated data | All personal data; health as "special category" | Protected Health Information (PHI/ePHI) |
| Consent for processing | Required (explicit for health data, or Article 9 basis) | Not required for treatment, payment, or operations (TPO) |
| Breach notification | 72 hours to supervisory authority; notify individuals "without undue delay" | 60 days to HHS; 60 days to individuals; media if >500 affected in a state |
| Right to erasure | Yes — Article 17 (with exceptions for legal obligations, public health) | No general right to erasure |
| Right of access | Yes — within 1 month | Yes — within 30 days |
| Data portability | Yes — machine-readable format on request | Yes — right to access records in electronic format |
| Data minimisation | Required — Article 5(1)(c) | Required — "minimum necessary" standard |
| Security safeguards | Required — appropriate technical and organisational measures | Required — Administrative, Physical, Technical Safeguards |
| Penalties (max) | €20M or 4% of global turnover | $1.9M per violation category per year; criminal liability |
| Enforcement body | National DPAs (ICO, CNIL, BfDI, etc.) | HHS Office for Civil Rights |
| Vendor agreements | Data Processing Agreement (DPA) required | Business Associate Agreement (BAA) required |

Key Similarities Between GDPR and HIPAA

Despite their different origins and mechanisms, GDPR and HIPAA share significant common ground:

Data minimisation: Both frameworks require you to collect only the data necessary for the stated purpose. GDPR calls it the "data minimisation" principle. HIPAA calls it the "minimum necessary" standard. In both cases, bulk data collection "just in case" is not acceptable.

Security safeguards: Both require appropriate technical and organisational measures to protect data. HIPAA is more prescriptive (it names specific safeguard categories), while GDPR is more principles-based — but both point toward encryption, access controls, audit logs, and incident response procedures.

Individual rights: Both give individuals rights over their data, including the right to access their own records. Both also impose response deadlines — 30 days under HIPAA, one month under GDPR.

Breach notification: Both require mandatory breach notification, though the timelines differ significantly (see below).

Data processor/vendor controls: Both require formal written agreements when you share data with vendors. Under GDPR, this is a Data Processing Agreement. Under HIPAA, it's a Business Associate Agreement. Both serve the same underlying purpose: ensuring downstream vendors handle data with the same care you're required to apply.


Key Differences Between GDPR and HIPAA

This is where GDPR vs HIPAA gets complicated — and where dual-compliance strategies must be thought through carefully.

1. Consent requirements differ fundamentally

HIPAA does not require patient consent for treatment, payment, or healthcare operations (collectively, "TPO"). A hospital can share your records with a specialist treating you, or with an insurer processing a claim, without asking your permission. Consent is required only for specific uses beyond TPO.

GDPR takes the opposite approach for health data. Because health information is special category data, processing requires either:

  • Explicit consent (the individual has clearly agreed), or
  • A specific Article 9(2) basis (e.g., healthcare provision, public health necessity, research)

If you're building a health tech product that processes EU user data, relying on HIPAA's TPO exception won't satisfy GDPR. You need a separate legal basis for each processing activity.

2. Breach notification timelines are very different

GDPR requires you to notify your supervisory authority within 72 hours of becoming aware of a breach — one of the strictest timelines of any privacy framework globally. You must also notify affected individuals "without undue delay" if the breach poses a high risk to their rights and freedoms.

HIPAA gives you 60 days from discovery of the breach. For breaches affecting more than 500 individuals in a US state, you must also notify prominent media outlets in that state.

If you're dual-compliant, the GDPR timeline governs. A breach discovered at 9am Monday means you have until 9am Thursday to notify EU authorities, and meeting that deadline also keeps you well inside HIPAA's 60-day window.

3. Right to erasure exists under GDPR, not HIPAA

Under GDPR Article 17, individuals can request the deletion of their personal data. The right applies when:

  • The data is no longer needed for its original purpose
  • The individual withdraws consent (where consent was the legal basis)
  • The individual objects to processing under legitimate interest
  • The data was processed unlawfully

Under HIPAA, there is no equivalent right to erasure. Covered entities may be required to retain medical records for specific periods under state law.

For dual-compliant organisations, erasure requests from EU individuals must be honoured under GDPR — unless a HIPAA retention obligation or other exception applies. These conflicts require case-by-case legal analysis.

4. Geographic scope is completely different

HIPAA is US-only. It applies to covered entities and business associates operating in the United States. A healthcare company in Germany does not need to comply with HIPAA unless it transmits data to or works with US covered entities.

GDPR's reach is global. Any organisation — US, European, or otherwise — that processes the personal data of EU residents must comply. This is the key asymmetry in GDPR vs HIPAA: HIPAA is territorial, GDPR is extraterritorial.


When Both GDPR and HIPAA Apply

Both frameworks apply whenever a US-regulated healthcare organisation intersects with EU individuals. Common scenarios include:

  • US health tech company with EU customers or patients: If you sell a health app, telehealth platform, or patient management system to EU-based healthcare providers or consumers, both HIPAA (if you're a business associate of US covered entities) and GDPR (for EU user data) apply simultaneously.

  • US company with an EU office: If you have employees or contractors in EU member states, their personal data is covered by GDPR — even if your core business is HIPAA-regulated.

  • EU company entering the US market: An EU digital health startup partnering with US healthcare providers or insurers may need to comply with HIPAA as a business associate, in addition to their existing GDPR obligations.

  • Research platforms: Clinical trial or health research platforms that recruit participants across the US and EU face both frameworks for different participant populations.


How to Manage Dual GDPR and HIPAA Compliance

The core strategy for managing GDPR vs HIPAA is to build to the stricter standard wherever the frameworks conflict, and to maintain clear documentation of your legal basis for each processing activity under each framework.

Build to GDPR's 72-hour breach window: Notifying within 72 hours also keeps you inside HIPAA's 60-day requirement. Your incident response plan should treat 72 hours as the default deadline regardless of which jurisdiction is affected.

Implement explicit consent flows for EU users: HIPAA doesn't require consent for TPO, but GDPR requires explicit consent for special category (health) data unless another Article 9(2) basis applies. Build separate consent flows for EU users and document your legal basis by user geography.

Honour erasure requests with legal review: EU users can request deletion under GDPR. Before complying, check whether any HIPAA record retention obligation applies. If records must be retained under HIPAA, document the conflict and apply GDPR's legitimate interest or legal obligation exception.

Apply "minimum necessary" / data minimisation universally: Both frameworks require this. Implement it once, across all user populations.

Use the stricter security standard: HIPAA's Security Rule is prescriptive about safeguard categories. GDPR requires "appropriate" measures. Implementing HIPAA-grade security satisfies GDPR's security requirements.


Business Associate Agreement (BAA) vs Data Processing Agreement (DPA)

These are the two most important vendor contracts in dual-compliance, and they are not interchangeable.

A HIPAA Business Associate Agreement (BAA) is required between covered entities and any vendor that handles PHI on their behalf. It specifies what the business associate can do with the PHI, how it must be protected, and what happens in the event of a breach. No BAA = HIPAA violation.

A GDPR Data Processing Agreement (DPA) is required under Article 28 whenever a data controller engages a data processor to process personal data on its behalf. It must specify the nature and purpose of processing, categories of data, and the processor's obligations. No DPA = GDPR violation.

If you're a SaaS health tech company, you likely need both:

  • A BAA for each US covered entity client or vendor that shares PHI with you
  • A DPA for each client or vendor that shares EU personal data (including health data) with you

Some SaaS vendors provide a combined HIPAA/GDPR addendum. Most don't — review each vendor relationship separately.


Practical Checklist: 8 Steps for Dual GDPR/HIPAA Compliance

Use this checklist if your organisation operates under both frameworks:

  1. Map your data flows: Document every category of health data you collect, where it comes from, where it goes, and which users it relates to (US, EU, or both). You cannot comply with either framework without this.

  2. Determine your HIPAA status: Are you a covered entity or a business associate? If you handle PHI on behalf of US healthcare providers or plans, you're a business associate. Sign BAAs with all covered entity clients and ensure your subcontractors sign BAAs with you.

  3. Establish your GDPR legal basis by processing activity: For each type of health data processing involving EU individuals, identify your Article 9(2) basis. Document it in your Records of Processing Activities (RoPA).

  4. Build separate consent flows for EU users: If consent is your Article 9(2) basis, implement explicit, granular consent for EU users. Integrate this with your cookie consent and privacy notice infrastructure.

  5. Update your incident response plan to the 72-hour standard: Ensure your breach response procedures treat GDPR's 72-hour notification window as the default. Test this plan annually.

  6. Execute all required vendor agreements: Sign BAAs with HIPAA business associates. Sign DPAs with GDPR data processors. Maintain a vendor register with agreement status.

  7. Implement HIPAA-grade security controls: Encryption at rest and in transit, access controls, audit logs, workforce training, and a Business Associate Management Policy. These satisfy both HIPAA and GDPR security requirements.

  8. Build a DSAR/rights request process: Handle access requests within 30 days (both frameworks). Handle erasure requests under GDPR within one month, with a review step for any HIPAA retention conflicts.


The Bottom Line on GDPR vs HIPAA

GDPR and HIPAA are both serious, enforceable frameworks with real financial consequences for non-compliance. They share a foundation — data minimisation, security, individual rights, breach notification — but differ sharply on consent, breach timelines, erasure rights, and geographic scope.

For health tech companies operating in both the US and EU, the answer to GDPR vs HIPAA is not to choose one. It's to build a compliance programme that satisfies both — starting with the stricter standard in each area of conflict, maintaining clear documentation, and treating compliance as an ongoing programme rather than a one-time project.


Scan Your Patient-Facing Web Presence for GDPR Compliance Gaps

Before you can certify dual compliance, you need to know what your website is actually doing with visitor data. Most health tech sites have tracking scripts, analytics tools, and embedded third-party widgets that collect personal data before any consent is obtained — a clear GDPR violation, regardless of your HIPAA status.

Custodia's free website scanner identifies trackers, cookies, and data collection points on your patient-facing web presence — in 60 seconds, with no signup required. If you have EU visitors or patients, this is the first step.

Scan your website free at app.custodia-privacy.com


This post provides general information about GDPR and HIPAA compliance. It does not constitute legal advice. Dual-compliance programmes should be developed with qualified legal counsel familiar with both US healthcare law and EU data protection law.
