HIPAA vs GDPR: What US Companies Need to Know
Last updated: 2026-04-05 — ComplianceStack Editorial Team
Both HIPAA and GDPR protect individuals' personal information — but they take different approaches, cover different data types, and impose different obligations. US healthcare companies that serve EU patients (or accept EU clinical trial data) must comply with both.
HIPAA vs GDPR: Side-by-Side
| Dimension | HIPAA | GDPR |
|---|---|---|
| Jurisdiction | United States (federal law) | EU and UK (applies to any org handling EU/UK data) |
| Data covered | Protected Health Information (PHI) — health data only | All personal data of EU/UK residents |
| Who it applies to | Covered entities + Business Associates | Any organization processing EU/UK personal data |
| Consent model | Opt-out for treatment/payment; opt-in for some marketing | Explicit opt-in consent required for most processing |
| Individual rights | Right to access, amendment, accounting of disclosures | Access, erasure, portability, restriction, objection |
| Data breach notification | 60 days to notify HHS; 60 days to notify individuals | 72 hours to notify supervisory authority |
| Penalties | Up to $2.19M/year per violation category (2026 adjusted) | Up to 4% global annual revenue or €20M |
| Enforcement body | HHS Office for Civil Rights (OCR) | National Data Protection Authorities (DPAs) |
| Data processor agreements | Business Associate Agreements (BAAs) | Data Processing Agreements (DPAs) |
| International transfers | No specific mechanism required domestically | Standard Contractual Clauses or Adequacy Decision required |
Who Needs Both?
- US telehealth providers treating EU patients
- Clinical research organizations with EU trial participants
- Health tech companies with EU users
- US labs processing samples from EU facilities
Key Differences Summarized
HIPAA is health-data-specific and US-only. GDPR is broader (all personal data) and extraterritorial. GDPR's breach notification window (72 hours) is much shorter than HIPAA's (60 days). GDPR requires a legal basis for every data processing activity; HIPAA allows TPO (Treatment, Payment, Operations) as a general permission.
Frequently Asked Questions
Does GDPR apply to US hospitals?
Only if they process personal data of EU residents — for example, through telehealth visits with EU patients or clinical trials involving EU subjects. Most US-only hospitals don't need GDPR compliance.
If I'm HIPAA compliant, am I GDPR compliant?
No. HIPAA compliance does not equal GDPR compliance. GDPR has stricter consent requirements, shorter breach windows (72 hours vs. 60 days), and covers all personal data, not just health data.
Which has higher penalties?
GDPR penalties can be higher for large companies (4% of global revenue). HIPAA penalties cap at ~$2.19M per violation category per year, but criminal charges are also possible.