Understanding the differences between GDPR vs. HIPAA in the Digital Health Care World

Did you know that 30% of the world’s data volume relates to healthcare? According to Coughlin et al., 2018, this avalanche of data will come from the 4,909 daily interactions with a healthcare data generating device that will occur for each one of us.

These health data will be generated by the numerous wearables we will wear, from earbuds, sweat sensors, smartwatches and smart clothes (including smart bras) to smart cutlery.

When it comes to data protection, each country abides by its own rules. In a nutshell, the General Data Protection Regulation (GDPR) applies in Europe, and the Health Insurance Portability and Accountability Act (HIPAA) in the United States.

When it comes to data related to healthcare, the differences are not only geographic but also more fundamental. In this article, we will go through how each regulation aims to secure your personal information, health information and sensitive data, and whether you can continue wearing and using your digital health gadgets in total confidence.

Scopes of Application

The HIPAA regulations apply directly to covered entities (health plans, healthcare clearinghouses, and healthcare organizations) and are concerned with personally identifiable health information security.

This includes information that (a) identifies the individual (or provides a reasonable basis to believe it can be used to identify the individual) and (b) relates to (i) the individual’s past, present, or future physical or mental health or condition; (ii) the provision of healthcare to the individual; or (iii) payment for the provision of healthcare to the individual.

Protected health information (PHI) refers to such information kept or transferred by a covered entity or its business associate in any form or medium.

PHI includes numerous common identifiers (e.g., name, address, birth date, and Social Security Number) when they can be associated with the individual. Because the Privacy Rule only applies to PHI that can be linked to an individual, it does not apply to health information that has been lawfully de-identified (as defined in the Rule itself).

Furthermore, the Privacy Rule excludes from the definition of PHI health information held in employment records by a covered entity in its role as an employer, and education records covered by the Family Educational Rights and Privacy Act.

GDPR Scope

The GDPR’s primary purpose is to protect data belonging to EU individuals and residents. As a result, the legislation applies to firms that handle such data whether they are headquartered in the EU or not.

In that sense, a company based in the U.S. but collecting data from European citizens will have to treat the data according to the GDPR rules.

GDPR and Healthcare

The GDPR has implications across many industries, including healthcare. The regulation defines “personal data” as “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” In addition to this definition, the GDPR includes three further, critical definitions concerning health data:

The GDPR defines “data about health” as “personal data relating to a natural person’s physical or mental health, including the provision of health care services, which disclose information about his or her health state.”

The GDPR defines “genetic data” as “personal data relating to inherited or acquired genetic characteristics of a natural person that give unique information about the physiology or health of that natural person and that result, in particular, from an analysis of a biological sample from the natural person in question.”

“Biometric data” is defined as “personal data arising from specialized technological processing on a natural person’s physical, physiological, or behavioral features, which allow or confirm the unique identification of that natural person.”

According to GDPR Article 6, processing of personal data is lawful if:

(1) the data subject has given consent;

(2) it is necessary for the performance of a contract to which the data subject is a party;

(3) it is necessary for compliance with a legal obligation;

(4) it is necessary to protect the vital interests of the data subject or another natural person;

(5) it is necessary for the performance of a task carried out in the public interest; and

(6) it is necessary for the performance of a task carried out in the public

However, healthcare companies that routinely manage health data bear the additional responsibility of protecting “data concerning health,” “genetic data,” and “biometric data” to a higher standard than personal data in general. The GDPR forbids the processing of these categories of health data unless one of the three conditions listed below is met.

The data subject must have provided “explicit consent.”

“Processing is required for preventative or occupational medicine, assessing an employee’s working capability, medical diagnosis, providing health or social care or treatment, or managing health or social care systems and services…”

“Processing is required for reasons of public interest in the field of public health, such as protecting against major cross-border dangers to health or guaranteeing high standards of quality and safety of health care and pharmaceutical goods or medical equipment…”

HIPAA Geography

HIPAA applies to covered entities and business associates in the United States, regardless of whether the individuals concerned are U.S. citizens or residents.

GDPR Geography

Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden are all covered by the GDPR.

Differences in case of breach

Both sets of rules require the implementation of adequate safeguards to maintain the security and integrity of data. The main distinction lies in breach reporting. HIPAA requires you to report breaches that affect 500 or more records within 60 days. In contrast, under the GDPR, any breach that puts people’s rights at risk must be reported to the relevant supervisory authority within 72 hours.