HIPAA vs GDPR: What US Companies Need to Know

Both HIPAA and GDPR protect individuals' personal information — but they take different approaches, cover different data types, and impose different obligations. US healthcare companies that serve EU patients (or accept EU clinical trial data) must comply with both.

| Dimension | HIPAA | GDPR |
|---|---|---|
| Jurisdiction | United States (federal law) | EU and UK (applies to any org handling EU/UK data) |
| Data covered | Protected Health Information (PHI) — health data only | All personal data of EU/UK residents |
| Who it applies to | Covered entities + Business Associates | Any organization processing EU/UK personal data |
| Consent model | Opt-out for treatment/payment; opt-in for some marketing | Explicit opt-in consent required for most processing |
| Individual rights | Right to access, amendment, accounting of disclosures | Access, erasure, portability, restriction, objection |
| Data breach notification | 60 days to notify HHS; 60 days to notify individuals | 72 hours to notify supervisory authority |
| Penalties | Up to $2.19M/year per violation category (2026 adjusted) | Up to 4% global annual revenue or €20M |
| Enforcement body | HHS Office for Civil Rights (OCR) | National Data Protection Authorities (DPAs) |
| Data processor agreements | Business Associate Agreements (BAAs) | Data Processing Agreements (DPAs) |
| International transfers | No specific mechanism required domestically | Standard Contractual Clauses or Adequacy Decision required |

Key Differences

Who Must Comply with Both

Common Questions

Does GDPR apply to US hospitals?

GDPR applies to US hospitals only if they process personal data of EU residents — for example, through telehealth visits with EU patients, clinical trials with EU subjects, or research collaborations with EU institutions (GDPR Article 3(2)). A hospital treating only US patients with no EU data subjects has no GDPR obligations. The key test is whether the hospital deliberately targets or monitors EU residents, not whether it uses EU cloud infrastructure.

If I'm HIPAA compliant, am I GDPR compliant?

No. HIPAA compliance does not equal GDPR compliance. GDPR requires a documented lawful basis for every processing activity under Article 6 (consent, legitimate interest, contract, etc.) — HIPAA's broad TPO permission does not satisfy this. GDPR's breach notification window is 72 hours to the supervisory authority (Article 33) vs. HIPAA's 60 days. GDPR covers all personal data about EU residents, not just health data. Organizations subject to both must maintain separate compliance programs addressing each framework's distinct requirements.

Which has higher penalties?

GDPR has higher theoretical maximums for large companies: up to €20,000,000 or 4% of global annual turnover for Tier 2 violations (Article 83(5)). Meta's 2023 GDPR fine was €1.2 billion. HIPAA penalties are capped at ,134,831 per violation category per year under 45 CFR §160.404 — significant but not revenue-proportionate. For smaller organizations, HIPAA's Tier 4 minimum of 1,162 per violation is often the more immediate financial exposure.
