While HIPAA and GDPR both oversee how personal information is used, they maintain entirely different scopes.
HIPAA is focused on healthcare organizations and how personal health information is used in the US. GDPR, on the other hand, is a broader legislation that supervises any organization handling personally identifiable information of an EU or UK citizen.
We compare the two frameworks in more detail below, including the similarities and differences that set HIPAA and GDPR apart.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US law that limits the use of protected health information (PHI) by healthcare organizations, which it refers to as covered entities.
A covered entity can be any of the following:
HIPAA defines PHI as any information that qualifies as a personal identifier. For example, billing information, insurance accounts, medical histories, mental health conditions, or laboratory results.
While HIPAA doesn’t have a certifying body or official certification, it’s enforced by the US Department of Health and Human Services’ Office for Civil Rights (OCR).
Cases of non-compliance or violations can result in fines and penalties, as well as a damaged reputation.
Any covered entity or business associate of a covered entity is legally required to be HIPAA compliant. The process involves performing routine technical and nontechnical evaluations to ensure compliance against HIPAA’s three main rules:
The General Data Protection Regulation, or GDPR, became law on May 25, 2018, and exists as one of the most stringent data privacy and security laws around the world.
It applies to all organizations targeting or collecting personally identifiable information (PII) of people in the UK or the EU, regardless of whether they physically operate within those jurisdictions. The data is referred to as personally identifiable information (PII) and includes anything that can be used to clearly identify a person.
Under the GDPR, organizations are required to safeguard and provide documentation of the protocols used to protect PII. The documented steps should cover the following:
Regardless of size, an organization must appoint a DPO if:
If you handle PII of individuals in the UK and EU, you are legally required to comply with the GDPR. Failure to do so could result in hefty fines up to €20 million or 4% of your worldwide annual revenue.
Timelines for GDPR implementation vary between processors, controllers, and company structure, but typically take anywhere from six to 36 weeks.
Once implemented, an internal GDPR assessment must be completed periodically for organizations to demonstrate their continued compliance. An organization can also apply for an optional certification.
The most apparent difference between HIPAA vs. GDPR is the jurisdiction and industry in which each law applies. Here are three other differences between HIPAA and GDPR:
With the GDPR, breach size does not matter. Article 33 of the GDPR places a 72-hour breach reporting deadline and requires providers to report all breaches to supervisory authorities.
Organizations that are either HIPAA- or GDPR-compliant already have existing safeguards in place to protect data. While there are more differences than similarities between HIPAA and. GDPR, there is some framework overlap:
HIPAA and GDPR compliance are two legal requirements that benefit both the organization and the individuals they serve. While each one involves distinct rules and regulations, they do have some overlap in their aim and process to protect data subjects.
Learn more about gaining compliance by downloading our eBook about the ISO 27001 journey. You can also request a demo for OneTrust’s Certification Automation tool.