GDPR vs. HIPAA: How are they different?

Rey Palmares
June 12, 2018

On May 25, 2018, the United Kingdom brought into effect a new law entitled ‘The General Data Protection Regulations’ (GDPR). On its face, GDPR is described as a law that provides guidelines for how personal data is kept safe. If that sounds familiar, it may be because it is.

Since GDPR’s conception in the English legislature on April 14, 2016, many people have noted the similarities it bears to the US’s Health Insurance Portability and Accountability Act (HIPAA).

While many of its provisions are already in place thanks to HIPAA, there are some differences worth noting.

Territorial Effect

Doctors in the US are advised to be knowledgeable about GDPR because, unlike HIPAA, which is limited by territoriality, GDPR continues to apply so long as the information being handled belongs to a UK national. When an American national receives treatment abroad, non-HIPAA-compliant organizations may treat them without question. GDPR, on the other hand, transcends territorial limits and does not confine itself to organizations’ compliance but rather pursues its citizens’ protection.

Active Consent

While HIPAA allows compliant organizations to freely process, store, and transmit information within the confines of its regulations, GDPR emphasizes ownership of the information.

Companies in the US can sell the information to marketing agencies so long as names, home addresses, and the like are omitted. With GDPR, it’s a different story. Receiving the information does not guarantee free rein within the rules. Organizations dealing with patient information must seek active consent from those patients for any and all procedures that involve said information.

The Right to Erasure

Further in line with the idea of empowered ownership, GDPR provides for patients’ right to erase medical information. This is a technically sensitive topic when it comes to HIPAA, as US patients have very little control over the information once it has been transmitted. With GDPR, UK nationals can demand that their information be permanently erased, and healthcare organizations must comply with this request. This is predicted to be an insurance nightmare, as people with storied medical histories gain easier access to premiums that would otherwise have been denied, but it otherwise grants patients the ‘right to be forgotten’.

Coverage and Prosecution

HIPAA, as the name suggests, is solely dedicated to healthcare information. GDPR has a much wider range that covers all aspects of an individual’s information. While HIPAA violations need to be proven to have caused ‘significant harm’, merely overstepping through noncompliance with protocol can get one prosecuted under GDPR.

At this stage, GDPR is still very new, and the effects of its provisions cannot be objectively assessed yet. Where the rest of the world was quick to imitate HIPAA, it remains to be seen whether this is an improvement or a retrogression of policies concerning sensitive information.


Writing should be one part informative and one part entertaining. It's what differentiates a generic piece of text from a well-written article. Rey Palmares dedicates much of his time to fine-tuning that craft, juggling the joys and frustrations of writing with those of his law school life outside of the office. He's making it work so far.