NAALA | Not An Average Legal Advisor

Are HIPAA and GDPR the same?

By: Anne Sophie Dil – Co-founder of NAALA

Published on 4 August, 2021

The other side of the world is becoming more accessible. Data is flowing from one continent to another. This brings tremendous opportunities, but also raises questions. How should you, as an organization, deal with such data? Which laws are important for this?

For organizations that work with health data, HIPAA and GDPR surely sound familiar. However, their impact may be less well known. To what extent do the US federal law and European Regulation correspond? And what is the impact of HIPAA on EU-based organizations, and of the GDPR on US-based entities?

HIPAA is short for Health Insurance Portability and Accountability Act. HIPAA is a United States federal law on the protection of protected health information (PHI). As a result, this PHI cannot be disclosed without the patient’s consent or knowledge.

The HIPAA Privacy Rule is the implementation of the requirements of HIPAA. Flows of health information are necessary to deliver high quality health care, as well as to protect public health. However, protecting PHI from unauthorized disclosure is also of great importance. Therefore, part of the purpose of the HIPAA Privacy Rule is to protect PHI in the flow of information for the purpose of good health care.

GDPR is short for General Data Protection Regulation. GDPR is the European Regulation on the protection of natural persons regarding the processing of personal data. Moreover, the GDPR provides standards on the free movement of personal data.

In other words, the GDPR has the following goals:

  1. the protection of individuals in the processing of personal data as a fundamental right,
  2. to update the rules in this regard, given technological and social developments, and
  3. aligning privacy rules across the European Union, which has become extra important due to the increasing amount of international data flows.

The main difference between HIPAA and the GDPR is the purpose. Specifically: the focus and scope of the purpose. While the GDPR focuses on natural persons within the European Union who deserve protection, HIPAA focuses on organizations that handle PHI within the U.S. As a result, HIPAA only applies to so-called Covered Entities, such as doctors, health insurers and employers providing health benefits. The GDPR, on the other hand, applies to any organization that can access, store, use, or otherwise process personal data of individuals in the EU.

Thus, the difference is not only in area of application, but also in the broadness of the scope (personal data in general vs. PHI). The GDPR does impose conditions on the processing of personal data about health, but imposes similar conditions on the processing of other sensitive information, e.g., racial or ethnic origin, religion, sexual orientation, and/or political affiliations. HIPAA, on the other hand, is limited to PHI.

In short, GDPR is more person-centric, whereas HIPAA is organization-centric. In addition, there are several differences between the two regulations. The (only) common denominator between the GDPR and HIPAA is the protection of PHI.

HIPAA applies to Covered Entities and Business Associates. A Covered Entity is:

  • a health care provider that transmits information in an electronic form related to a HIPAA-covered transaction (e.g., electronic billing of a health care plan), such as:
    • doctors
    • clinics
    • psychologists
    • dentists
    • chiropractors
    • nursing homes
    • pharmacies
  • a health care plan, i.e., entities that provide or pay for medical care expenses, such as:
    • health insurance companies
    • HMOs
    • corporate health plans
    • government programs that pay for health care, such as the health care program for military personnel and veterans
  • a healthcare clearinghouse, i.e., an entity that converts nonstandard health information received from another entity into a standard form (a standard electronic format or data content), or vice versa. In addition, a clearinghouse checks medical claims for errors so that the payer can process them correctly.

However, in fact, the above entities do not always perform the HIPAA covered activities themselves. The HIPAA Privacy Rule allows Covered Entities to disclose PHI to so-called Business Associates if those Business Associates use the information solely to perform the activities on behalf of the Covered Entity.

Thus, Business Associates are external entities that perform activities on behalf of Covered Entities in the healthcare process, where the disclosure of PHI is necessary to perform those activities. Business Associates’ activities include, for example, payment, care operations, processing of claims, data analytics, quality assurance, etc.

As noted above, HIPAA is a U.S. federal law. HIPAA will likely not apply outside the U.S. After all, neither the HIPAA statute nor its implementing regulations, such as the Privacy Rule, address applicability beyond U.S. borders.

If Covered Entities (whether through Business Associates or otherwise) process PHI of non-U.S. residents within the U.S., HIPAA applies to them as well.

In short, HIPAA applies to U.S.-based Covered Entities and Business Associates, regardless of whether the PHI relates to U.S. citizens or residents.

The GDPR applies to Data Controllers and to Data Processors. A Data Controller is:

  • a natural or legal person,
  • a government agency,
  • a service, or
  • any other body,

who/which determines the purpose and means of processing personal data. This means that the Data Controller is the (legal) entity who determines:

  1. that personal data is needed,
  2. why the personal data is needed, and
  3. how it is to be obtained.

As with the HIPAA Covered Entities, in some cases, Data Controllers do not perform activities involving the processing of personal data themselves. Hence, they engage Data Processors. A Data Processor is:

  • a natural or legal person,
  • a government agency,
  • a service, or
  • another body,

who/which processes personal data on behalf of the Controller.

The GDPR applies to the following entities:

  • entities with the basis of their operations in the EU,
  • entities that offer goods or services (whether paid or unpaid) to people (physically) within the EU, and
  • entities that monitor the behavior of people who are (physically) in the EU.

It is irrelevant whether the entity is located within the EU. As a result, the GDPR also applies outside the EU, if entities from outside the EU fall under the above conditions. In conclusion, the GDPR may apply to US-based entities.

We have found that HIPAA and GDPR are hardly similar. It is true that PHI is covered by both regulations, but other than that there is little similarity.

Security is at the heart of both regulations, so there still is some overlap. If an organization is HIPAA compliant, chances are that several technical measures have been taken to ensure the security of PHI. This may significantly simplify compliance with the GDPR. After all, the GDPR also requires technical safeguards to protect personal information.

However, it is important to realize that the GDPR and HIPAA are minimally similar. Thus, complying with HIPAA is not the same as complying with the GDPR. Given the strict requirements of the GDPR, it is more likely that GDPR compliance will lead to HIPAA compliance than the other way around. Nonetheless, additional controls are always needed, because at their core, GDPR and HIPAA are not the same thing.

Are you curious about what NAALA can do for you in the area of international data exchange in healthcare? Or would you like to know more about this topic? Feel free to contact us! 

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only. Changes in legal or regulatory requirements may occur at short notice, which we cannot reflect on a daily basis. 
