How Does GDPR Compare to HIPAA?


Post By: Rachael Borghi, MPH, CHC

For years, healthcare compliance professionals have studied, implemented, questioned every nuance of, and educated on the Health Insurance Portability and Accountability Act (HIPAA) privacy standard. Depending on your organization, you may also need to consider the General Data Protection Regulation (GDPR). GDPR is the European Union (EU) regulation on data protection and privacy. Under its territorial scope (Article 3), an organization must comply with GDPR if it 1) is established in the EU, 2) offers goods or services to individuals located in the EU, or 3) monitors the behavior of individuals located in the EU. The test is where the individual is when the data is collected, not their citizenship.

Keeping up with HIPAA as a covered entity (together with any stricter state privacy laws, which HIPAA does not preempt) is often enough of a challenge on its own. While there is some overlap between HIPAA and GDPR (both require that individuals' information be maintained and transmitted in a protected manner), there are some significant differences.

  • GDPR defines protected data ("personal data") as any information relating to an identified or identifiable natural person, and within that a narrower class of "special category" (sensitive) data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and sex life or sexual orientation. HIPAA defines protected data (Protected Health Information, PHI) as individually identifiable information about health status, the provision of care, or payment for care that is created or received by a HIPAA covered entity or its business associates. GDPR therefore covers a far broader range of information: a customer's name and e-mail address are personal data under GDPR, but are not PHI unless they are tied to health care or payment records at a covered entity.
  • Consent is also treated differently. Under GDPR, processing of special category data is prohibited unless one of the Article 9(2) conditions applies. Explicit consent is one such condition, but not the only one: health data may, for example, be processed without consent where necessary for medical diagnosis, the provision of health care, or the management of health care systems, by or under the responsibility of a professional bound by a duty of confidentiality. HIPAA likewise allows use and disclosure of PHI for "treatment, payment, and health care operations" without the individual's authorization, but most other uses (marketing, for instance) require a written authorization.
  • Both HIPAA and GDPR require breach reporting, but the timelines and recipients differ. Under HIPAA, a breach affecting 500 or more individuals must be reported to the Department of Health and Human Services (HHS) and to the affected individuals without unreasonable delay and no later than 60 days after discovery (breaches affecting more than 500 residents of a state also require notice to prominent media outlets there); breaches affecting fewer than 500 individuals are logged and reported to HHS annually. Under GDPR, a breach must be reported to the competent supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high, the affected individuals must also be informed without undue delay.
  • Another significant difference is GDPR's right to erasure (the "right to be forgotten"): an individual can request deletion of their personal data, and the organization must comply without undue delay unless an exception applies, such as a legal obligation to retain the data or the establishment, exercise or defense of legal claims. Data can no longer be held indefinitely by default. HIPAA grants no such right; individuals may request amendment of their records, but not deletion. In fact, HIPAA covered entities are expected to retain PHI for as long as state record-retention law requires before destruction is permitted (for instance, in Massachusetts there is a minimum 7-year retention requirement after the last date of patient encounter), and HIPAA itself requires that compliance documentation be kept for 6 years.

The biggest similarity between GDPR and HIPAA is that privacy is at their core: both require appropriate administrative and technical measures to ensure the confidentiality, integrity and security of data (the HIPAA Security Rule safeguards on one side, GDPR Article 32's "appropriate technical and organisational measures" on the other). Beyond that, the two differ significantly in scope, lawful bases for processing, breach timelines and retention. The good news? If your organization is already HIPAA compliant, you likely have several technical and administrative safeguards in place, which puts you that much closer to complying with GDPR.