
HIPAA & GDPR

Why Privacy Matters in Healthcare

Healthcare data is deeply personal. Medical records reveal diagnoses, treatments, medications, mental health history, genetic information, and more. Mishandling this data can harm patients through discrimination, embarrassment, or identity theft.

Two major regulatory frameworks govern healthcare data privacy: HIPAA in the United States and GDPR in the European Union. While they have different origins and scopes, both aim to protect individuals' health information and give them control over how it's used.

HIPAA: The US Healthcare Privacy Standard

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. While it covers several aspects of healthcare administration, the Privacy and Security Rules are what most people think of when they hear "HIPAA."

Who Must Comply with HIPAA?

HIPAA applies to:

  • Covered Entities: Healthcare providers (hospitals, clinics, doctors), health plans (insurers, HMOs), and healthcare clearinghouses that process claims
  • Business Associates: Any company that handles protected health information on behalf of covered entities (IT vendors, billing companies, consultants)

Importantly, HIPAA does not apply to all health data. Fitness apps, employer wellness programs, and many health tech startups fall outside HIPAA unless they work directly with covered entities. This creates gaps in protection.

What is Protected Health Information (PHI)?

PHI is any health information that can identify an individual. This includes:

  • Medical records, diagnoses, treatment plans
  • Lab results, imaging studies, prescriptions
  • Billing and payment information
  • Identifiers: names, addresses, Social Security numbers, medical record numbers, etc.

De-identified data (where 18 specific identifiers are removed) is not considered PHI and can be used more freely. This enables research and analytics while protecting privacy.

Core HIPAA Requirements

Privacy Rule: Governs how PHI can be used and shared

  • Patients must be notified about privacy practices
  • PHI can be used for treatment, payment, and healthcare operations without explicit consent
  • Other uses require patient authorization
  • Patients have rights to access their records, request amendments, and get an accounting of disclosures
  • Minimum necessary standard: only access the data needed for the task

Security Rule: Protects electronic PHI (ePHI)

  • Administrative safeguards: policies, training, risk assessments
  • Physical safeguards: facility access controls, workstation security, device disposal
  • Technical safeguards: access controls, encryption, audit logs, transmission security

Breach Notification Rule: What to do when PHI is exposed

  • Notify affected individuals within 60 days
  • Notify HHS (the government agency) if more than 500 people are affected
  • Notify the media if the breach affects more than 500 people in a state
  • Document the breach and response actions

Example: HIPAA in Practice

A doctor's office uses a cloud EHR system. The EHR vendor is a business associate and must sign a Business Associate Agreement (BAA) promising to protect PHI. The vendor must:

  • Encrypt data in transit (TLS/SSL) and at rest
  • Implement access controls so only authorized users see patient data
  • Maintain audit logs of who accessed what
  • Conduct regular security risk assessments
  • Train employees on privacy and security
  • Have an incident response plan for breaches

If the vendor's database is breached and patient data is stolen, the vendor must notify the doctor's office immediately, and the doctor's office must then notify patients and HHS.

GDPR: Europe's Data Protection Framework

The General Data Protection Regulation (GDPR) took effect in 2018. Unlike HIPAA, it's not healthcare-specific - it covers all personal data. But health data is "special category" data with extra protections.

Who Must Comply with GDPR?

GDPR applies to any organization that:

  • Operates in the EU
  • Offers goods or services to EU residents (even if based elsewhere)
  • Monitors behavior of EU residents

A US clinic treating EU patients or a health app used by someone in France must comply with GDPR for that data.

Core Principles of GDPR

  1. Lawfulness, fairness, transparency: Clear about data collection and use
  2. Purpose limitation: Collect data for specific purposes, don't repurpose without consent
  3. Data minimization: Only collect what's needed
  4. Accuracy: Keep data accurate and up to date
  5. Storage limitation: Don't keep data longer than necessary
  6. Integrity and confidentiality: Protect against unauthorized access
  7. Accountability: Demonstrate compliance

Individual Rights Under GDPR

GDPR grants extensive rights:

  • Right to be informed: Clear privacy notices
  • Right of access: Individuals can request copies of their data
  • Right to rectification: Correct inaccurate data
  • Right to erasure ("right to be forgotten"): Delete data under certain conditions
  • Right to restrict processing: Limit how data is used
  • Right to data portability: Get data in machine-readable format to transfer to another service
  • Right to object: Stop processing for certain purposes (marketing, profiling)
  • Rights related to automated decision-making: Not be subject to purely automated decisions with significant effects

Consent Under GDPR

For most health data processing, explicit consent is required. This means:

  • Freely given (no coercion)
  • Specific (clear what you're consenting to)
  • Informed (understand the implications)
  • Unambiguous (clear affirmative action, no pre-ticked boxes)
  • Withdrawable (can revoke consent easily)

There are exceptions - processing necessary for healthcare treatment, public health, or legal obligations doesn't always require explicit consent.

Data Protection Officer (DPO)

Organizations processing large amounts of health data must appoint a DPO - someone responsible for monitoring compliance, advising on data protection, and serving as a contact point for regulators.

Data Protection Impact Assessments (DPIAs)

Before launching new projects that involve high-risk data processing (like AI analyzing patient data), organizations must conduct DPIAs to:

  • Describe the processing and its purposes
  • Assess necessity and proportionality
  • Identify risks to individuals
  • Define mitigation measures

Breach Notification Under GDPR

If a breach is likely to result in risk to individuals:

  • Notify supervisory authority within 72 hours
  • Notify affected individuals without undue delay if high risk
  • Document all breaches regardless of notification requirement

HIPAA vs GDPR: Key Differences

| Aspect | HIPAA | GDPR |
|---|---|---|
| Scope | Healthcare data only | All personal data (health data has extra protections) |
| Geography | US-based covered entities | EU residents' data, regardless of where the organization is based |
| Consent | Not always required for treatment, payment, operations | Explicit consent required for most health data processing |
| Breach notification | Within 60 days | Within 72 hours to authority |
| Individual rights | Access, amendment, accounting of disclosures | Extensive rights including erasure and portability |
| Penalties | Up to $1.5M per violation category per year | Up to €20M or 4% of global revenue (whichever is higher) |
| Encryption | Addressable (recommended but not strictly required) | Expected as part of security measures |

Practical Compliance Steps

For Healthcare Organizations

1. Conduct Risk Assessments

  • Identify where PHI/personal data exists (databases, paper records, laptops, backups)
  • Assess vulnerabilities (weak passwords, unencrypted devices, unauthorized access)
  • Prioritize risks and create mitigation plans

2. Implement Technical Safeguards

  • Encryption: Encrypt data at rest and in transit
  • Access controls: Role-based access, strong authentication, automatic logoff
  • Audit logs: Track who accessed what, when
  • Backup and disaster recovery: Regular backups, tested recovery procedures

3. Establish Policies and Procedures

  • Privacy policies explaining data use
  • Security policies covering passwords, device use, remote access
  • Incident response plans for breaches
  • Data retention schedules
  • Vendor management processes (BAAs, security reviews)

4. Train Staff

  • Annual privacy and security training
  • Role-specific training (IT staff need different training than clinicians)
  • Phishing awareness
  • Document training completion

5. Manage Vendors

  • Vet vendors' security practices before engagement
  • Sign BAAs (HIPAA) or data processing agreements (GDPR)
  • Periodically reassess vendor security
  • Have termination procedures to ensure data return or destruction

6. Enable Patient Rights

  • Process for patients to access their records (within 30 days for HIPAA)
  • Mechanism for amendments and corrections
  • Under GDPR, processes for erasure, portability, objection

7. Document Everything

  • Risk assessments
  • Policy acknowledgments
  • Training completion
  • Vendor agreements
  • Breaches and responses

Common Compliance Mistakes

  • Emailing unencrypted PHI: Use secure messaging or patient portals
  • Leaving patient charts visible: Turn monitors away from public view, don't leave files out
  • Over-sharing: Discussing patients in elevators, posting about cases on social media
  • Not signing BAAs: Any vendor that might access PHI needs a BAA
  • Weak passwords: "password123" is not compliant
  • No mobile device management: If staff access PHI on phones/tablets, those devices must be secured
  • Ignoring paper records: Compliance isn't just digital - lock filing cabinets, shred documents

Enforcement and Penalties

HIPAA Enforcement

The Office for Civil Rights (OCR) enforces HIPAA. Penalties depend on the level of negligence:

  • Unknowing violation: $100-$50,000 per violation
  • Reasonable cause: $1,000-$50,000 per violation
  • Willful neglect (corrected): $10,000-$50,000 per violation
  • Willful neglect (not corrected): $50,000 per violation

Annual cap: $1.5 million per violation category. OCR can also require corrective action plans and ongoing monitoring.

GDPR Enforcement

Each EU country has a supervisory authority (like the UK's ICO). Fines are tiered:

  • Lower tier: Up to €10M or 2% of global revenue (for issues like inadequate records)
  • Upper tier: Up to €20M or 4% of global revenue (for violations of core principles or individual rights)

Authorities consider severity, duration, intent, and mitigation efforts when setting fines. They can also issue warnings, reprimands, and temporary processing bans.

International Data Transfers

GDPR restricts transferring personal data outside the EU unless the destination has adequate protection. Mechanisms include:

  • Adequacy decisions: EU recognizes certain countries as providing adequate protection
  • Standard contractual clauses: Pre-approved contract terms for data transfers
  • Binding corporate rules: For multinational organizations transferring data internally
  • Explicit consent: Individual agrees to transfer despite risks

A US hospital partnering with an EU research institution needs these safeguards for data sharing.

Beyond Compliance: Building Trust

Compliance is the floor, not the ceiling. Beyond avoiding penalties, privacy protections build trust. Patients are more willing to share sensitive information if they trust it will be protected. Clinicians can focus on care rather than worrying about security incidents.

Best practices beyond minimum requirements:

  • Zero-trust architecture (never trust, always verify)
  • Privacy by design (build privacy into systems from the start)
  • Regular penetration testing and vulnerability scanning
  • Transparent communication about data use
  • Giving patients more control than legally required

Staying Current

Privacy regulations evolve. New laws emerge (like California's CCPA), guidance gets updated, enforcement priorities shift. Stay informed through:

  • Official sources: HHS.gov for HIPAA, ICO and other EU authorities for GDPR
  • Professional associations: HIMSS, AHIMA, IAPP
  • Legal counsel: Privacy attorneys who specialize in healthcare
  • Industry news: Healthcare IT publications covering compliance

Key Takeaways

  • HIPAA protects health data in the US; GDPR protects all personal data for EU residents
  • Compliance requires administrative, physical, and technical safeguards
  • Encryption, access controls, audit logs, and training are essential
  • Business associates and vendors must have agreements in place
  • Breach notification is time-sensitive (60 days HIPAA, 72 hours GDPR)
  • Penalties can be severe - both financial and reputational
  • Privacy is not just legal compliance - it's building patient trust