HIPAA·10 min read·April 19, 2026

HIPAA vs GDPR: Key Differences HealthTech Companies Need to Know

HIPAA vs GDPR is not a choice — for most HealthTech SaaS companies, it is both. HIPAA governs health data in the United States. GDPR governs personal data of EU residents regardless of where the processing company is based. Build a product used by US patients and European patients, and you are operating under both simultaneously.

This brief maps the two frameworks side by side: what triggers each, how their core requirements compare, where they overlap, and what running both looks like in practice.


What Triggers Each Framework

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — and their business associates who handle Protected Health Information (PHI) on their behalf.

Trigger: you are a covered entity, or you provide a service to a covered entity that involves accessing, processing, or storing PHI.

SaaS relevance: if a hospital, health plan, or clinic signs your contract and your product touches patient data, you are a business associate under HIPAA. A signed Business Associate Agreement (BAA) is required before data flows.

GDPR

GDPR (General Data Protection Regulation) applies to any organization that processes personal data of individuals in the EU or UK — regardless of where the organization is incorporated or located.

Trigger: you process personal data of EU or UK residents. Location of the data, the processor, or the server is irrelevant — residency of the data subject is what matters.

SaaS relevance: if any EU-based user, customer, or patient uses your product, GDPR applies to that data.


PHI vs Personal Data: The Scope Difference

                   | HIPAA PHI                                                                     | GDPR Personal Data
-------------------|-------------------------------------------------------------------------------|------------------------------------------------------------------------------
Definition         | Individually identifiable health information held by a covered entity or BA  | Any information relating to an identified or identifiable natural person
Health specificity | Health data only                                                              | All personal data; health data = special category (Art. 9)
Geographic scope   | US persons, US entities                                                       | EU/UK residents, any entity worldwide
De-identification  | 18-identifier Safe Harbor or Expert Determination                             | Anonymization standard is higher: pseudonymized data is still personal data

The key practical difference: GDPR's definition of personal data is broader than PHI. A patient's email address alone is personal data under GDPR but is only PHI under HIPAA if linked with health information. When both frameworks apply, design your data handling to the stricter definition — which is almost always GDPR's.


Consent and Lawful Basis

HIPAA

HIPAA does not use consent as the primary mechanism for most healthcare operations. Treatment, payment, and healthcare operations (TPO) are permitted uses without patient authorization. For disclosures outside TPO — marketing, research, or sharing with non-covered third parties — a specific patient authorization is required.

HIPAA's model: permitted uses for standard operations, authorization for everything else.

GDPR

GDPR requires a lawful basis for every processing activity. Article 6 provides six options: consent, contract, legal obligation, vital interests, public task, or legitimate interests. For health data (special category under Article 9), a second-layer basis is required — typically explicit consent, health care provision, or public health.

GDPR's model: no processing without a documented legal basis, and health data needs two stacked bases.

Practical implication: a HIPAA-compliant treatment disclosure may not satisfy GDPR's lawful basis requirement for EU patients. Audit each processing activity independently under both frameworks.


Breach Notification Comparison

Requirement        | HIPAA                                                        | GDPR
-------------------|--------------------------------------------------------------|------------------------------------------------------------------
Notify regulator   | HHS, within 60 days of discovery                             | Supervisory authority, within 72 hours of discovery
Notify individuals | Within 60 days                                               | Without undue delay if high risk
Threshold          | Breaches affecting PHI (small breaches have delayed reporting) | Any breach likely to result in risk to individuals
Media notification | Required for 500+ affected in a state                        | Not required; supervisory authority handles public communication
Documentation      | Required regardless of notification                          | Required regardless of notification

GDPR's 72-hour window is the harder requirement. If you are subject to both, design your incident response procedure around GDPR's clock: it is stricter, and a procedure that meets it also meets HIPAA's longer window. The HIPAA-specific steps (individual notification within 60 days, media notification at 500+ affected in a state) still need their own tasks in that procedure, since GDPR does not trigger them.


Penalties

                   | HIPAA                                                              | GDPR
-------------------|--------------------------------------------------------------------|------------------------------------------------------------------
Maximum fine       | $1.9M per violation category per year                              | €20M or 4% of global annual turnover, whichever is higher
Enforcement body   | HHS Office for Civil Rights (OCR)                                  | National Data Protection Authorities (DPAs)
Criminal liability | Yes, up to 10 years imprisonment for knowing violations            | Yes, varies by member state
Willful neglect    | Mandatory investigation and minimum $10,000 fine per violation     | Considered an aggravating factor

GDPR's penalty ceiling is higher in absolute terms for large companies. HIPAA's enforcement has historically been more active in healthcare. Operating under both means two separate regulatory enforcement bodies can act independently.


Where the Frameworks Overlap

Running both is more efficient than it sounds. The following requirements satisfy both frameworks:

  • Data mapping — HIPAA's requirement to document PHI flows and GDPR's Record of Processing Activities (RoPA) are different documents but draw from the same underlying data inventory
  • Access controls — HIPAA's minimum necessary standard and GDPR's data minimization principle both require limiting access to what is needed for the specific purpose
  • Encryption — HIPAA's addressable encryption requirement and GDPR's Article 32 technical measures both point to encryption in transit and at rest
  • Vendor contracts — HIPAA BAAs and GDPR Data Processing Agreements (DPAs) serve parallel functions; for EU processors handling PHI, a single agreement can be structured to satisfy both
  • Incident response — one IR procedure can satisfy both, designed to GDPR's 72-hour window
  • Training — one security awareness program covers both frameworks' workforce training requirements

Where They Diverge

Individual rights: GDPR grants EU residents extensive rights — access, rectification, erasure, portability, restriction, objection. HIPAA grants patients the right of access and amendment, but not erasure or portability in the GDPR sense. A single data subject rights workflow cannot cover both — you need GDPR-specific erasure and portability handling that has no HIPAA equivalent.

Consent for marketing: HIPAA prohibits using PHI for marketing without authorization. GDPR requires a separate legitimate interest assessment or explicit consent for marketing. They align directionally but the legal mechanics differ.

Data transfers: GDPR restricts transfers of EU personal data to third countries without adequate safeguards (Standard Contractual Clauses, adequacy decision, etc.). HIPAA has no equivalent cross-border restriction — a BAA covers the relationship regardless of geography. For EU health data processed in the US, GDPR transfer requirements apply on top of HIPAA.

DPO requirement: GDPR may require a Data Protection Officer if you process health data at scale. HIPAA has no equivalent role requirement.


Running Both: The Practical Pattern

The most efficient dual-compliance pattern:

  1. One data inventory — document all data flows, tag each record as PHI / GDPR personal data / both
  2. One vendor agreement template — structure BAAs to include DPA clauses for EU data; legal review required per vendor
  3. Incident response on GDPR's clock — the 72-hour supervisory notification clock starts at discovery of any breach touching EU/UK personal data; a procedure that meets it also meets HIPAA's 60-day window
  4. Separate rights workflows — HIPAA access and amendment requests, plus GDPR access, erasure, rectification, portability, and restriction requests
  5. Lawful basis register — document Article 6 and Article 9 bases for every processing activity involving EU health data; no HIPAA equivalent but creates useful operational clarity regardless
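Steps 1 and 3 of this pattern, together with the PHI vs personal data table above, are the parts that can be encoded rather than merely documented. The following is an added example, not code from the original brief or from any named vendor: a single inventory record type tagged by each framework's own definition (PHI requires identifiable health information held by a covered entity or BA and drops out under Safe Harbor or Expert Determination; GDPR personal data follows the data subject's residency and survives pseudonymization), and a breach clock that derives the 72-hour and 60-day regulator deadlines from the tags and picks the stricter one. All field names, the `InventoryRecord`/`NotificationPlan` types, and the sample inventory are assumptions; the thresholds (72 hours, 60 days, 500+ affected in a state) are taken from the brief's tables. Treating Safe Harbor output as still personal data under GDPR is a deliberately conservative assumption, following the brief's advice to design to the stricter definition.

```python
"""Added example (not from the original brief): one data inventory tagged as
PHI / GDPR personal data / both, plus a breach clock that picks the stricter
regulator deadline. Field names and the sample records are assumptions; the
thresholds come from the brief's tables."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EU_UK = {"EU", "UK"}                                        # GDPR scope follows the data subject's residency
HIPAA_DEIDENTIFIED = {"safe_harbor", "expert_determination"}  # HIPAA's two de-identification routes


@dataclass(frozen=True)
class InventoryRecord:
    """One row of the shared data inventory (step 1 of the dual-compliance pattern)."""
    name: str                            # dataset or data-flow label (constructed)
    subject_region: str                  # where the data subject resides: "US", "EU", "UK", ...
    contains_health_info: bool           # health, treatment or payment-for-care content linked to the person
    held_by_covered_entity_or_ba: bool   # HIPAA applies only via a covered entity or its business associate
    deidentification: str = "none"       # "none" | "pseudonymized" | "safe_harbor" | "expert_determination" | "anonymized"


def classify(rec: InventoryRecord) -> set[str]:
    """Tag a record with the frameworks whose definitions it falls under."""
    tags: set[str] = set()
    # HIPAA PHI: individually identifiable health information held by a CE/BA.
    # Safe Harbor or Expert Determination de-identification takes it out of scope.
    if (rec.contains_health_info and rec.held_by_covered_entity_or_ba
            and rec.deidentification not in HIPAA_DEIDENTIFIED):
        tags.add("PHI")
    # GDPR personal data: anything relating to an identifiable EU/UK resident.
    # Pseudonymized data stays personal data, and (conservative assumption) so does
    # Safe Harbor output; only true anonymization removes it from scope.
    if rec.subject_region in EU_UK and rec.deidentification != "anonymized":
        tags.add("GDPR_PERSONAL")
        if rec.contains_health_info:
            tags.add("GDPR_ART9_HEALTH")  # special category: needs a stacked Art. 6 + Art. 9 basis
    return tags


@dataclass(frozen=True)
class NotificationPlan:
    regulator_deadline: Optional[datetime]  # the clock the IR procedure actually runs on
    driving_framework: Optional[str]        # "GDPR" or "HIPAA", whichever expires first
    gdpr_supervisory: Optional[datetime]    # 72 hours from discovery, if any GDPR personal data is involved
    hipaa_hhs: Optional[datetime]           # 60 days from discovery, if any PHI is involved
    hipaa_media_notice: bool                # 500+ affected individuals in one state
    gdpr_individual_notice: str             # GDPR: "without undue delay if high risk"


def breach_plan(discovered_at: datetime, affected: list[InventoryRecord],
                affected_in_one_state: int = 0) -> NotificationPlan:
    """Step 3 of the pattern: run incident response on the stricter clock."""
    tags: set[str] = set()
    for rec in affected:
        tags |= classify(rec)
    gdpr = discovered_at + timedelta(hours=72) if "GDPR_PERSONAL" in tags else None
    hipaa = discovered_at + timedelta(days=60) if "PHI" in tags else None
    candidates = [(d, f) for d, f in ((gdpr, "GDPR"), (hipaa, "HIPAA")) if d is not None]
    deadline, framework = min(candidates) if candidates else (None, None)
    return NotificationPlan(
        regulator_deadline=deadline,
        driving_framework=framework,
        gdpr_supervisory=gdpr,
        hipaa_hhs=hipaa,
        hipaa_media_notice="PHI" in tags and affected_in_one_state >= 500,
        gdpr_individual_notice="without undue delay if high risk" if gdpr else "n/a",
    )


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    InventoryRecord("ehr-us-patients", "US", True, True),
    InventoryRecord("portal-eu-patients", "EU", True, True),
    InventoryRecord("newsletter-eu-emails", "EU", False, False),            # email address only
    InventoryRecord("analytics-eu-safe-harbor", "EU", True, True, "safe_harbor"),
    InventoryRecord("research-extract-us-safe-harbor", "US", True, True, "safe_harbor"),
]
SAMPLE_DISCOVERY = datetime(2026, 4, 19, 9, 0, tzinfo=timezone.utc)   # constructed timestamp


def sample_plan() -> NotificationPlan:
    """Plan for a constructed incident touching every record in SAMPLE_INVENTORY."""
    return breach_plan(SAMPLE_DISCOVERY, SAMPLE_INVENTORY, affected_in_one_state=1200)


if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        print(f"{rec.name:36} {sorted(classify(rec)) or ['out of scope']}")
    plan = sample_plan()
    print(f"notify {plan.driving_framework} regulator by {plan.regulator_deadline.isoformat()}")
    print(f"HHS by {plan.hipaa_hhs.isoformat()}; media notice: {plan.hipaa_media_notice}")
```

Run as a script it prints the tag set for each sample record and the deadlines for a combined incident. The two Safe Harbor records are the instructive pair: the US extract carries no tag at all, while the EU extract loses its PHI tag but keeps both GDPR tags, which is exactly the scope gap the table describes. The plan's `driving_framework` is what the on-call runbook should key its first escalation on; `hipaa_hhs` and `hipaa_media_notice` remain as separate tasks so the longer HIPAA obligations are not forgotten once the 72-hour notice is out.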

For US-specific HealthTech compliance detail, see HIPAA compliance for HealthTech startups and the HIPAA compliance service page. For EU privacy requirements, see GDPR for SaaS and the GDPR compliance service page.


Frequently Asked Questions

Does GDPR apply to HIPAA covered entities? Yes, if the covered entity processes personal data of EU residents — regardless of where the entity is based. A US hospital system with an EU-facing patient portal, or a HealthTech SaaS with European customers, is subject to GDPR for that EU data independently of any HIPAA obligations. The two frameworks run in parallel with no carve-out.

Is PHI considered personal data under GDPR? Almost always yes. PHI under HIPAA typically qualifies as personal data under GDPR, and most PHI also qualifies as special category health data under GDPR Article 9, which carries stricter processing requirements. If it's PHI under HIPAA, assume it's special category health data under GDPR until proven otherwise.

Do I need both HIPAA and GDPR? If you process health data of US individuals and any personal data of EU residents, yes. HIPAA applies based on data type and covered entity status. GDPR applies based on data subject location. A HealthTech SaaS with both US and European customers almost always needs both.

Which has stricter breach notification requirements — HIPAA or GDPR? GDPR is stricter on timing: 72 hours to notify the supervisory authority, with no minimum affected-count threshold. HIPAA allows 60 days. Design your incident response around GDPR's window and HIPAA compliance follows automatically.


Ready to Map Your Obligations?

ShieldKey works with HealthTech SaaS companies operating under both HIPAA and GDPR. We scope your obligations, identify the overlap, and build a single program that satisfies both.

Schedule a scoping call →