April 15, 2026

HIPAA vs GDPR: How Health Data Privacy Differs Between the U.S. and Europe

HIPAA and GDPR both protect health data, but they operate from fundamentally different legal frameworks. This guide breaks down the key differences in scope, consent, individual rights, breach notification timelines, and penalties — and explains what organizations managing health data on both sides of the Atlantic need to know.

Patricia Graciano

Health data is among the most sensitive categories of personal information that organizations handle. A patient's diagnosis, medication history, or mental health record carries real-world consequences if misused or exposed, consequences that can affect insurance eligibility, employment, and personal safety. It’s precisely because of this sensitivity that both the United States and the European Union have constructed dedicated legal frameworks to govern how health data is collected, processed, stored, and shared.

Those frameworks are HIPAA and GDPR. While both aim to protect individuals, they approach privacy from fundamentally different philosophical and structural starting points. One was written in 1996 to modernize the American healthcare industry. The other emerged in 2018 as the EU's sweeping answer to the digital age. Understanding where they align, and more importantly, where they diverge, is vital for any organization operating at the intersection of healthcare, data, and technology.

What is HIPAA, and who does it apply to?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted in 1996. Its original purpose was to make it easier for Americans to keep health insurance when changing jobs, but it’s best known today for the privacy and security standards it imposes on the healthcare industry. HIPAA's Privacy Rule, which took effect in 2003, established national standards for the protection of what the law calls Protected Health Information, or PHI.

PHI is defined broadly. It includes medical records, lab results, prescriptions, insurance billing details, and any other individually identifiable health information created or received by a covered entity. Identifiers like a patient's name, address, date of birth, Social Security number, and phone number all fall within scope when linked to health data.

HIPAA applies to a specific set of organizations, referred to as "covered entities." These include healthcare providers such as hospitals, clinics, physicians, dentists, and pharmacies; health plans such as insurance companies, HMOs, and Medicare/Medicaid programs; and healthcare clearinghouses. The law also extends to "business associates," meaning any third-party vendor or contractor that handles PHI on behalf of a covered entity. This includes billing companies, cloud storage providers, IT contractors, and legal firms involved in healthcare matters.

An important nuance: HIPAA compliance is determined by the nature of the organization, not merely by geography. If an international company processes PHI on behalf of a U.S. covered entity, it is subject to HIPAA regardless of where it is headquartered.

What is GDPR, and who does it apply to?

The General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, and is widely regarded as the most comprehensive data protection law in the world. Unlike HIPAA, GDPR is not sector-specific. It applies to any organization, anywhere in the world, that collects or processes the personal data of individuals located in the European Union or the European Economic Area.

GDPR's definition of personal data is intentionally broad. It covers any information that can directly or indirectly identify a person, including names, IP addresses, location data, cookie identifiers, and health information. Health data is treated as a special category of sensitive personal data under GDPR Article 9, meaning it receives an additional layer of protection beyond the baseline requirements.

Jurisdiction under GDPR is determined by the data subject's location, not the organization's. A U.S.-based pharmaceutical company that runs a clinical trial involving EU residents must comply with GDPR. A software company in Singapore that offers a health app to users in Germany must comply with GDPR. The extraterritorial reach of the regulation is one of its defining characteristics, and it is one of the most significant ways it differs from HIPAA.

How do the scope and jurisdictional reach differ?

The most fundamental difference between the two frameworks is scope. HIPAA is vertical and narrow: it governs one sector (healthcare), one type of data (PHI), in one country (the United States). GDPR is horizontal and global: it governs all personal data across all industries for all EU residents, wherever in the world their data is being processed.

This distinction matters enormously in practice. A hospital in the U.S. that treats EU patients must comply with GDPR in addition to HIPAA. A health technology company building a product for both American and European markets must navigate both frameworks simultaneously. And critically, compliance with one does not guarantee compliance with the other.

Another jurisdictional nuance worth noting: HIPAA's jurisdiction is entity-based, meaning it attaches to covered entities and business associates regardless of where they are located. GDPR's jurisdiction is data-subject-based, meaning it follows the individual whose data is being processed. These two approaches can create overlapping obligations for organizations with international operations in healthcare.

What counts as protected data under each framework?

Under HIPAA, the protected data category is PHI: health information that is individually identifiable. This specifically includes 18 categories of identifiers ranging from names and dates to geographic data and biometric identifiers when they are associated with a person's health condition, treatment, or payment for care.

GDPR takes a wider view. It protects all personal data, and health data is elevated to "special category" status. But GDPR's protections do not stop at health information. A person's name, email address, financial data, racial or ethnic origin, religious beliefs, sexual orientation, and political opinions are all covered. For organizations operating in healthcare, this means that even data not typically considered clinical in nature, such as a patient's email address or device IP, falls within GDPR's scope.

The practical implication is that an organization might be handling data that is not PHI under HIPAA but is still personal data under GDPR, requiring a compliance response that HIPAA alone would not prompt.

How do consent requirements compare?

Consent is one of the starkest philosophical dividing lines between the two frameworks.

HIPAA operates largely on a model of implied consent for certain uses of PHI. Healthcare providers can share patient information with other providers for treatment purposes, with insurers for payment processing, and for standard healthcare operations without obtaining explicit patient authorization. HIPAA's approach reflects a practical acknowledgment that healthcare delivery requires information flow, and that requiring explicit consent at every step would be operationally disruptive.

GDPR takes the opposite view. It requires a lawful basis for every instance of personal data processing, and explicit consent is the most demanding of the six available lawful bases. When an organization relies on consent under GDPR, that consent must be freely given, specific, informed, and unambiguous. It cannot be bundled into lengthy terms and conditions, and individuals must find it just as easy to withdraw consent as to give it. GDPR also prohibits conditioning a service on consent for data processing that is not strictly necessary to deliver that service.

For health data specifically, GDPR requires explicit consent as the default lawful basis unless another specific exception applies, such as the necessity of processing for medical treatment or public health reasons.

What rights do individuals have over their health data?

Individual rights are another area where the two frameworks diverge, with GDPR granting significantly broader protections.

Under HIPAA, patients have the right to access and obtain copies of their health records, the right to request amendments to correct inaccurate information, and the right to an accounting of certain disclosures. These rights are meaningful but focused narrowly on the patient-provider relationship and the integrity of clinical records.

GDPR grants eight distinct rights to data subjects. Beyond access and rectification, EU individuals have the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to data portability, and the right to object to processing. Organizations must respond to these requests within 30 days.

The right to be forgotten under Article 17 of GDPR represents a direct conflict with HIPAA's approach to data retention. HIPAA requires covered entities to retain certain records for a minimum of six years from the date of creation or the date when the record was last in effect. Some U.S. state laws extend this obligation even further. Organizations operating under both frameworks must architect their data systems carefully, applying GDPR erasure rights to non-clinical data like marketing records and account information while preserving the clinical records that HIPAA mandates must be retained.

GDPR also introduced the right to data portability under Article 20, which requires organizations to provide personal data in a structured, machine-readable format and to transmit it directly to another controller upon request. HIPAA's access rights do not include an equivalent obligation, though the 21st Century Cures Act has pushed interoperability forward through separate information blocking rules.

How do breach notification requirements differ?

Both frameworks require organizations to notify affected parties following a data breach, but the timelines and thresholds are very different.

Under HIPAA's Breach Notification Rule, covered entities must notify affected individuals, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), and in some cases media outlets, when a breach of unsecured PHI occurs. The window for notification is 60 days from discovery of the breach. For smaller breaches affecting fewer than 500 individuals, organizations may report to OCR on an annual basis by March 1 of the following year.

GDPR imposes a significantly tighter standard. Article 33 requires organizations to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, regardless of how many individuals are affected. If the breach poses a high risk to the rights and freedoms of individuals, affected data subjects must also be notified without undue delay. There is no minimum threshold, meaning even small breaches that might fall under HIPAA's annual reporting window must be escalated immediately under GDPR.

For any organization managing health data across both jurisdictions, this means incident response infrastructure must be built around the stricter 72-hour standard. A 60-day clock that satisfies HIPAA will not satisfy GDPR for any data involving EU residents.

What are the penalties for non-compliance?

Both frameworks impose meaningful financial consequences for violations, though the magnitude and structure differ.

HIPAA penalties are tiered based on culpability. The minimum fine for a Tier 1 violation, which involves a lack of knowledge, starts at $100 per violation. Tier 4 violations, which involve willful neglect not corrected within 30 days of discovery, carry penalties that can reach $50,000 per violation, with annual caps up to $1.9 million per violation category. Criminal charges are also possible in cases of intentional misconduct.

GDPR's penalty structure operates on a different scale. The most serious violations, such as processing data without a lawful basis or failing to obtain valid consent, can result in fines of up to €20 million or 4% of the organization's total global annual revenue, whichever is greater. Less severe violations carry fines of up to €10 million or 2% of global revenue. For large technology companies or multinational healthcare organizations, these figures represent a fundamentally different order of financial exposure than HIPAA's caps.

What organizational requirements does each framework impose?

Both frameworks require organizations to implement documented security programs, conduct risk assessments, train staff, and maintain records of their data handling practices. But the specific structural requirements differ.

HIPAA requires covered entities to sign Business Associate Agreements (BAAs) with any third-party vendor that handles PHI, outlining the vendor's obligations for data protection. There is no requirement under HIPAA to appoint a dedicated privacy officer at the same level of formality that GDPR demands.

GDPR requires organizations to enter into Data Processing Agreements (DPAs) with processors, and in many cases mandates the appointment of a Data Protection Officer (DPO). A DPO is required when an organization processes large volumes of sensitive personal data or engages in systematic monitoring. The DPO must have expert knowledge of data protection law and practice, and must report directly to the organization's highest level of management.

GDPR also requires Data Protection Impact Assessments (DPIAs) prior to processing that is likely to result in a high risk to individuals' rights, such as large-scale processing of health data. HIPAA has no precise equivalent, though its Security Rule requires ongoing risk analysis.

How should organizations handle dual compliance?

For organizations that manage health data for both American and European patients, operating under both frameworks is not optional. The challenge lies in building systems that can satisfy both sets of requirements without creating redundant compliance architectures.

A practical approach adopted by many healthcare technology companies is to use GDPR as the foundation, since its requirements for consent, individual rights, and data protection are generally broader and more demanding than HIPAA's in most areas. Layering HIPAA-specific requirements on top, such as BAAs, specific retention periods, and the Security Rule's technical safeguards, is more efficient than maintaining two entirely separate systems.

The key exception is data retention. Where HIPAA mandates retention for clinical records, GDPR's right to erasure must yield to that legal obligation. But for data that is not subject to HIPAA's retention mandate, such as marketing records, browsing behavior, or contact details, GDPR's erasure rules apply in full.

This is precisely where the sophistication of your de-identification and data management approach matters. Knowing exactly what data you hold, where it lives, what regulatory category it belongs to, and what rights apply to it is not a spreadsheet exercise. It requires purpose-built tooling that understands the difference between a clinical record and a marketing cookie, and that can route deletion requests, access requests, and breach notifications through the correct regulatory channel automatically.

If your organization handles health data on both sides of the Atlantic, Limina can help you build a de-identification and data governance workflow that reflects the requirements of both frameworks. Get in touch with our team to discuss your compliance needs.

Does de-identification offer a path through both frameworks?

One area where HIPAA and GDPR share meaningful common ground is in their treatment of de-identified or anonymized data. Under both frameworks, data that has been properly stripped of identifying information falls outside the scope of the regulations.

HIPAA defines two methods for achieving de-identification:

  1. The Safe Harbor method requires the removal of 18 specific categories of identifiers.
  2. The Expert Determination method requires a statistical expert to certify that the risk of re-identification is very small.

Data that meets either standard is no longer considered PHI and is not subject to HIPAA's requirements.

GDPR does not prescribe specific de-identification methods, but it distinguishes between anonymization, which removes all means of identification, and pseudonymization, which replaces identifying information with a pseudonym but retains a key that could re-identify the data. Truly anonymized data falls outside GDPR's scope entirely. Pseudonymized data, however, remains personal data under GDPR because re-identification remains theoretically possible.

This distinction is significant for organizations using de-identification to enable secondary uses of health data, such as research, analytics, or AI model training. HIPAA Safe Harbor may be sufficient for U.S. purposes, but the same dataset may still be considered personal data under GDPR if a re-identification key exists anywhere in the system.
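As an added illustration (not code from the original article or from Limina), here is a small Python example of the two ideas in this section: a Safe Harbor-style transformation of a structured record, and a keyed pseudonymization of the same record that stays linkable for anyone holding the key. The field names, the sample record, the reference date and the HMAC-based pseudonym are assumptions for the example; the sparse ZIP prefix list follows the HHS Safe Harbor guidance.

```python
import hashlib
import hmac
from datetime import date
from typing import Iterable, Optional

# Constructed sample record and reference date for the example; not real patient data.
RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0048213",
    "phone": "555-0134",
    "email": "jane.sample@example.com",
    "birth_date": date(1931, 3, 14),
    "admission_date": date(2024, 11, 2),
    "zip": "83001",
    "diagnosis": "E11.9",
}
AS_OF = date(2025, 6, 1)

# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip_address"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes that the HHS Safe Harbor guidance lists as covering
# 20,000 or fewer people; they must be reported as "000".
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor(record: dict, as_of: date) -> dict:
    """Apply HIPAA Safe Harbor generalization to one structured record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # removed outright
        if field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year   # keep the year only
            continue
        if field == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in SPARSE_ZIP3 else zip3
            continue
        out[field] = value                # clinical content is not an identifier
    birth = record.get("birth_date")
    if birth is not None:
        age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
        if age >= 90:
            # Ages over 89, and any date element that would reveal them,
            # collapse into a single "90 or older" bucket.
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def pseudonymize(record: dict, key: bytes) -> dict:
    """Swap the MRN for a keyed HMAC pseudonym. The controller keeps the key,
    so under GDPR the result is pseudonymized data, which is still personal data."""
    out = dict(record)
    out["mrn"] = hmac.new(key, record["mrn"].encode(), hashlib.sha256).hexdigest()[:16]
    return out


def link_with_key(pseudonym: str, key: bytes, known_mrns: Iterable[str]) -> Optional[str]:
    """Whoever holds the key can link a pseudonym back to a known MRN; this
    retained linkability is exactly what keeps the dataset inside GDPR's scope."""
    for mrn in known_mrns:
        if hmac.compare_digest(pseudonymize({"mrn": mrn}, key)["mrn"], pseudonym):
            return mrn
    return None


if __name__ == "__main__":
    print(safe_harbor(RECORD, AS_OF))
    pseudo = pseudonymize(RECORD, b"example-key")
    print(pseudo["mrn"], link_with_key(pseudo["mrn"], b"example-key", [RECORD["mrn"]]))
```

Note that `pseudonymize` alone leaves the name, phone and e-mail in place; only the Safe Harbor output with the key destroyed approaches what GDPR would treat as anonymized.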

This is one of the more technically demanding compliance challenges in cross-jurisdictional health data management, and it requires de-identification tooling that is built with linguistic and contextual awareness, not just pattern matching. Limina's healthcare data de-identification solution is built by linguists, meaning it understands context, entity relationships, and the subtle ways that identifying information can appear in clinical text, including in free-text notes, imaging reports, and unstructured correspondence.

Recent regulatory developments worth knowing

Both frameworks are actively evolving. In 2025, the U.S. Department of Health and Human Services issued a Notice of Proposed Rulemaking to update HIPAA's Security Rule, shifting several previously "addressable" safeguards to required status. Among the proposed changes are mandatory multi-factor authentication for all access points to electronic PHI and compulsory encryption of ePHI both at rest and in transit. These updates, if finalized, would narrow the gap between HIPAA's technical requirements and those that GDPR already mandates.

On the European side, the EU-U.S. Data Privacy Framework, which replaced the invalidated Privacy Shield arrangement, established a new mechanism for transatlantic data transfers. Healthcare organizations transferring data between the U.S. and EU must ensure they have a compliant transfer mechanism in place, whether through the Data Privacy Framework, Standard Contractual Clauses, or Binding Corporate Rules.

Organizations operating in pharmaceutical research and life sciences face additional complexity, as the pharma and life sciences regulatory environment requires managing patient data across multiple jurisdictions, often for extended periods, in a way that satisfies both HIPAA and GDPR simultaneously.

What does this mean for your data operations?

Both HIPAA and GDPR are fundamentally about giving individuals confidence that their most sensitive information is being handled with care. For organizations, the practical effect is a set of obligations that touch every layer of the data lifecycle: collection, storage, processing, sharing, retention, and deletion.

Getting this right requires more than legal awareness. It requires tooling that can operationalize compliance at scale. The volume of health data being generated by electronic health records, telehealth platforms, wearable devices, and clinical trials makes manual compliance review both impractical and unreliable. Organizations that treat de-identification and data governance as technical afterthoughts rather than foundational capabilities will find themselves exposed, whether to a regulatory audit, a breach notification obligation, or a patient rights request they cannot fulfill.

Limina's data de-identification platform is designed specifically for organizations that need to manage sensitive data at scale while maintaining compliance with frameworks like HIPAA and GDPR. Because it is built by linguists rather than engineers working from pattern libraries, it understands the difference between a medication name mentioned in context and one used as an incidental reference. It processes documents the way a skilled human would, and at a speed and consistency no human team can match.

Ready to take a more rigorous approach to health data compliance? Talk to the Limina team today.


Frequently Asked Questions

Does HIPAA compliance automatically make you GDPR compliant?

No. While there is meaningful overlap between the two frameworks, particularly around data security requirements and breach notification obligations, compliance with one does not guarantee compliance with the other. GDPR imposes requirements that HIPAA does not, including explicit consent for data processing in most cases, the right to be forgotten, mandatory Data Protection Officers in many scenarios, and Data Protection Impact Assessments for high-risk processing. An organization that is fully HIPAA-compliant may still be in violation of GDPR if it processes the personal data of EU residents without satisfying GDPR's additional requirements.

What is the difference between PHI under HIPAA and personal data under GDPR?

PHI under HIPAA is specifically health-related information that can be used to identify an individual, and it only comes into scope when created, received, or maintained by a covered entity or business associate in the U.S. healthcare system. Personal data under GDPR is any information that can directly or indirectly identify a person, across all industries and data types. Health data is a special category under GDPR that receives elevated protections, but GDPR's scope extends to names, email addresses, IP addresses, behavioral data, and much more that would not qualify as PHI under HIPAA.

Who must comply with GDPR for health data?

Any organization, regardless of its location, that processes the personal data of individuals residing in the EU must comply with GDPR. This includes U.S. healthcare providers treating EU patients, pharmaceutical companies running clinical trials with EU participants, and health technology platforms offering services to EU users. Jurisdiction under GDPR is determined by the location of the data subject, not the organization.

How does the right to be forgotten under GDPR interact with HIPAA's data retention rules?

This is one of the most operationally complex points of conflict between the two frameworks. GDPR's Article 17 gives individuals the right to request deletion of their personal data, and organizations must generally comply. However, HIPAA requires covered entities to retain PHI and related documentation for a minimum of six years from the date of creation or the date the record was last in effect. When these obligations conflict, the retention mandate typically prevails for clinical records, meaning an organization can lawfully refuse to delete a medical record it is required by HIPAA to keep. However, non-clinical data about the same individual, such as marketing communications, website analytics, or contact records, would still be subject to the GDPR erasure obligation.

What are the breach notification timelines under HIPAA and GDPR?

Under HIPAA's Breach Notification Rule, covered entities must notify affected individuals and the HHS Office for Civil Rights within 60 days of discovering a breach of unsecured PHI. For breaches affecting more than 500 individuals, prominent media outlets in the affected state must also be notified. Under GDPR's Article 33, organizations must report a data breach to the relevant supervisory authority within 72 hours of becoming aware of it. If the breach poses a high risk to data subjects, those individuals must also be notified without undue delay. Organizations managing data under both frameworks should build incident response processes around the stricter 72-hour GDPR standard.

Can de-identification help organizations satisfy both HIPAA and GDPR requirements?

Yes, with important caveats. Both frameworks recognize that properly de-identified or anonymized data falls outside their scope. Under HIPAA, data is considered de-identified if it meets the Safe Harbor or Expert Determination standard. Under GDPR, only truly anonymized data is excluded from scope; pseudonymized data, where a re-identification key still exists, remains personal data. Organizations using de-identification to enable research, analytics, or AI model development must ensure their approach is robust enough to satisfy both standards, which requires context-aware de-identification that addresses not just structured fields but also unstructured clinical text where re-identifying information most commonly appears.

Does GDPR apply to deceased individuals?

Generally, GDPR does not apply to deceased individuals, as the regulation's rights attach to living natural persons. However, some EU member states have enacted national legislation that extends certain protections to the data of deceased persons. HIPAA similarly focuses on living individuals in most contexts, though PHI of deceased patients retains some protections for 50 years after death under HIPAA's Privacy Rule.