HIPAA & GDPR - What are the differences?


Confidentiality is a must in healthcare. A patient's medical information is the property of that patient and should only be shared among those who are directly responsible for the treatment they receive. That is why regulations such as HIPAA and GDPR have been developed, for healthcare and beyond.

What is HIPAA?

HIPAA, also known as the Health Insurance Portability and Accountability Act of 1996, is a US law that ensures that healthcare organizations maintain the security and confidentiality of Protected Health Information (or PHI).

What is GDPR?

The General Data Protection Regulation (GDPR) is a law that protects the privacy of all individuals by requiring companies to have robust processes in place for handling and storing personal information. This helps to ensure that users are not contacted without their express permission and that personal data is kept safe.

What are the differences between HIPAA and GDPR?


The GDPR sets high standards for all sensitive personal data, while HIPAA only deals with sensitive health information.

Over the years, many healthcare compliance professionals have studied, implemented, and questioned the Health Insurance Portability and Accountability Act (HIPAA) privacy standard.

PHI includes any information that can be used to identify a patient, such as name, address, DOB, bank/credit card details, social security number, photos, and insurance information combined with health information.

Depending on your organization, you may also need to consider the General Data Protection Regulation (GDPR). GDPR is a data protection and privacy regulation in the European Union (EU).

Organizations fall under GDPR if they meet one of the following criteria:

  1. Are operationally based in the EU
  2. Offer goods or services to European customers
  3. Process the personal data of European users

There is certainly some overlap between the GDPR and HIPAA regulations (e.g. both focus on the rights of users to have their information kept and transmitted in a secure and protected manner), but there are some important differences worth mentioning:


What kind of data is the focus of GDPR & HIPAA?


  1. The new GDPR regulations protect any data that could be used to identify a person, including sensitive data like race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and health data.
  2. The HIPAA standards only apply to health information held by Covered Entities, like doctors, employers who offer health benefits, or insurance companies. Business associates like IT companies or transcription services are also regulated by HIPAA.



Consent required by the user in GDPR & HIPAA


Consent to share information is also different. Under GDPR, explicit consent is mandatory for the processing of sensitive data, while HIPAA allows disclosure of PHI for "treatment, payment, and operational purposes" without the consent of the individual.


Breach and issues reporting


HIPAA and GDPR both require reporting of breaches, but there are different timelines for notification. HIPAA requires breaches affecting 500 or more people to be reported within 60 days. GDPR, on the other hand, requires that all breaches be reported to a designated GDPR regulator within 72 hours.


The right “to be forgotten”


The main difference between GDPR and HIPAA is that, under GDPR, individuals have the right to have their data deleted if they request it, while HIPAA does not grant this right. This means that organizations cannot hold data indefinitely and must delete it permanently upon request, as opposed to the 7-year retention requirement under HIPAA.




Organizations that want to meet GDPR and HIPAA compliance requirements must have a deep understanding of the regulations and the specific requirements outlined in both standards. By doing so, they can easily create a plan to meet all of the standards.

We strongly advise organizations to conduct a data assessment to identify any risks to the data and to take appropriate measures to ensure compliance with requirements. Organizations can also collaborate on patient data safety and security with companies that offer HIPAA- and GDPR-compliant data and imaging management platforms, as Medicai does.


Medicai handles your patients' data through its decentralized cloud-based infrastructure for medical imaging. It integrates with existing PACS / VNA infrastructure and grants unified access to medical imaging or acts as a standalone cloud-native PACS solution. 

Our healthcare data access solution offers granular, remote, and fast access to patient data, while also meeting GDPR and HIPAA compliance requirements.

If you'd like to test Medicai's safe and secure GDPR & HIPAA compliant medical imaging solution, feel free to contact our sales team or book a demo on:




About the author - David Arjan

David Arjan is a Growth Marketing Specialist at Medicai. He has a BA degree in Communication and Media Studies from NHL Stenden, and is passionate about digital marketing, healthcare marketing, and healthcare IT and interoperability.