The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law passed in 1996 to, among other purposes, create national standards for electronic healthcare transactions. It protects personal health information by requiring appropriate security and privacy measures. In general, a covered entity needs the patient's written authorization before disclosing their health information to other organizations, with important exceptions for treatment, payment and healthcare operations.


GDPR sets standards for all personal data, with extra protection for special categories of sensitive data, while HIPAA deals only with Protected Health Information (PHI).

PHI is individually identifiable health information: health, treatment or payment information combined with identifiers such as a name, address, date of birth, bank or credit card details, Social Security number, photographs or insurance information.

The GDPR, on the other hand, covers any information that can be used to directly or indirectly identify a person in the EU. Its special categories include race or ethnic origin, religion, political opinions, sexual orientation, biometric or genetic data, and any other information relating to a person's health. Protection of personal health information is the common denominator between the two laws.

HIPAA standards are limited to PHI held by Covered Entities, meaning health care providers, health plans (including employer-sponsored group health plans) and health care clearinghouses. Business Associates, such as shredding companies, IT vendors or transcription services that handle PHI on a covered entity's behalf, are also regulated by HIPAA.

The GDPR, however, applies to any organization processing the personal data of people in the EU, regardless of its sector or where the organization itself is located.

HIPAA Makes GDPR Compliance Easier

If your organization is already HIPAA compliant, you likely have several technical safeguards in place to protect patient data (access controls, audit logging, encryption, breach response), which brings you that much closer to complying with GDPR. It does not get you all the way there: GDPR also imposes obligations HIPAA does not, such as documenting a lawful basis for each processing activity and honoring data subject rights like access and erasure.