GDPR and HIPAA: how to achieve and manage compliance with both

Published on : 06 Jan 2021


GDPR and HIPAA are two data protection regulations that dominate compliance discussions in their respective industries, and organizations continue to scramble to meet them. The EU General Data Protection Regulation (GDPR) is a data protection and privacy law that has applied since 25 May 2018, while the US Health Insurance Portability and Accountability Act (HIPAA) is a health information privacy and security law enacted in 1996.

GDPR and HIPAA share many principles and overlapping requirements, with the common goal of protecting an individual's privacy. Both regulate how personal information is secured when it is used, disclosed, maintained and transmitted. Despite these similarities, there are significant differences between the two. This article draws out a comparative analysis of GDPR and HIPAA to guide organizations looking to comply with both. Take a closer look at the similarities and differences mapped out below for a better understanding of the two regulations.


Organizations looking to comply with both should start by understanding each regulation and its implementation process, including the scope of regulated entities, the types of data regulated, and the uses and disclosures that are permitted. The key similarities and differences between GDPR and HIPAA are given below.

Regulated data
GDPR: regulates all personal data, meaning any information relating to an identified or identifiable natural person, with stricter conditions for the "special categories" (health, genetic, biometric and similar data) listed in Article 9. Health data is covered, but only as one category among many.
HIPAA: regulates Protected Health Information (PHI) only, meaning individually identifiable health information that is created, received, maintained or transmitted by a covered entity or its business associates.

Applicability
GDPR: applies to data controllers (the entity that determines the purposes and means of processing personal data) and data processors (an entity that processes personal data on the controller's behalf). Under Article 3 it reaches organizations established in the EU and, regardless of where they are established, organizations that offer goods or services to, or monitor the behaviour of, individuals in the EU.
HIPAA: applies to covered entities (healthcare providers that transmit health information electronically in connection with standard transactions, health plans, and healthcare clearinghouses) and to business associates, meaning any entity that creates, receives, maintains or transmits PHI on a covered entity's behalf.

Privacy rights
GDPR gives data subjects in the EU the right to: be informed about how their data is processed (privacy and cookie notices, terms, consent requests); access their personal data; rectify inaccurate records; erasure (the "right to be forgotten"); restrict processing; data portability, including receiving their data in a commonly used, machine-readable format; object to processing; and withdraw consent at any time.
HIPAA gives patients the right to access their records, to request amendments, to receive an accounting of disclosures, and to have a copy of their records transmitted to a third party of their choice (the portability element of the right of access).

Consent
GDPR: every processing operation needs a lawful basis under Article 6, and health data, as a special category, additionally needs one of the conditions in Article 9(2). Explicit consent is one such condition, but not the only one: processing necessary for medical diagnosis or the provision of health care, for example, can rely on Article 9(2)(h) without consent.
HIPAA: the Privacy Rule permits covered entities to use and disclose PHI for treatment, payment and healthcare operations without the patient's authorization. Written authorization is required for most other uses, such as marketing or the sale of PHI.

Security of data
GDPR: Article 32 requires technical and organisational measures appropriate to the risk, naming pseudonymisation and encryption as examples, and Article 25 requires data protection by design and by default. Frameworks such as HITRUST CSF are often used to operationalise these requirements.
HIPAA: the Security Rule requires administrative, physical and technical safeguards for electronic PHI. Its "required" implementation specifications must be implemented as written, while "addressable" ones such as encryption must either be implemented or be replaced by a documented equivalent alternative. Organizations often turn to HITRUST because the framework aligns with HIPAA requirements.

Breach notification
GDPR: a personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals (Article 33). Affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to them (Article 34).
HIPAA: the Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS within the same 60 days, and to prominent media outlets if more than 500 residents of a state are affected. Breaches affecting fewer than 500 individuals may be logged and reported to HHS annually; the 60-day deadline for notifying the individuals themselves still applies.

Penalties
GDPR (Article 83): administrative fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the lower tier of infringements, and up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the higher tier, which includes breaches of the basic processing principles, data subject rights and international transfer rules.
HIPAA civil penalties are tiered by culpability (base statutory amounts, which HHS adjusts annually for inflation):
Tier 1, did not know and could not reasonably have known: $100 to $50,000 per violation, up to $1.5 million per year for identical violations
Tier 2, reasonable cause, not wilful neglect: $1,000 to $50,000 per violation, up to $1.5 million per year
Tier 3, wilful neglect corrected within 30 days: $10,000 to $50,000 per violation, up to $1.5 million per year
Tier 4, wilful neglect not corrected: $50,000 per violation, up to $1.5 million per year
Individuals who knowingly obtain or disclose PHI may also face criminal charges: knowingly, up to $50,000 and 1 year imprisonment; under false pretences, up to $100,000 and 5 years; with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm, up to $250,000 and 10 years.

Privacy or data protection officer
GDPR: Article 37 requires a Data Protection Officer (DPO) where the organization is a public authority, where its core activities involve regular and systematic large-scale monitoring of individuals, or where they involve large-scale processing of special category data such as health data. The DPO monitors compliance with the GDPR, advises the organization on its obligations, and acts as the contact point for the supervisory authority and for data subjects.
HIPAA: the Privacy Rule requires a designated privacy official responsible for developing and implementing the privacy policies and procedures, and the Security Rule requires a security official responsible for the policies and procedures that protect electronic PHI. The two roles may be held by the same person.

Assessment
GDPR: Article 35 requires a Data Protection Impact Assessment (DPIA) whenever processing is likely to result in a high risk to individuals, for example large-scale processing of health data. The DPIA must be reviewed when the risk changes; reviewing it at least every three years is common good practice rather than a fixed statutory interval.
HIPAA: the Security Rule requires an accurate and thorough risk analysis of the threats to electronic PHI, updated periodically; most organizations perform it at least annually.


GDPR and HIPAA are both regulations that govern data protection and privacy. Organizations looking to comply with both must, as part of their compliance process, understand each regulation and map the requirements of one against the other.

This mapping highlights the requirements that overlap, which makes compliance considerably easier: a control implemented once can be evidenced against both regulations. We further suggest that organizations conduct a thorough data assessment, identify the risk exposure of that data, determine their current compliance status, and establish the relevant policies and procedures to meet the requirements. Organizations should look to collaborate with a cybersecurity consulting firm like ours that possesses industry expertise and knowledge of the various regulations and compliance standards.

VISTA InfoSec is a cybersecurity consulting company that has been in the industry for nearly two decades. We can guide organizations like yours through the compliance journey and make it far more achievable. For more details on our cybersecurity consulting services, visit our website.


Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore and India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA and PDPB, to name a few. The company has, since 2004, worked with organizations across the globe to address the regulatory and information security challenges in their industries. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.