HIPAA focuses on healthcare organizations and how personal health information is used in the US. GDPR, on the other hand, is broader legislation that supervises any organization handling personally identifiable information (PII) of an EU or UK citizen.

GDPR governs the use of and applies to all personal data of persons within its scope. In contrast, HIPAA’s narrower scope only applies to HIPAA-protected health information (PHI).

GDPR sets compliance standards for all entities within its scope. HIPAA sets standards for covered entities and business associates (BAA).

Regarding consent, GDPR requires explicit consent for processing personal health data (which falls under sensitive data). However, the data may be processed without consent if it meets one of the processing conditions in Article 9 of GDPR and a legal basis applies.

A HIPAA authorization is consent obtained from an individual that permits a covered entity or business associate to use or disclose that individual’s protected health information to someone else for a purpose otherwise not permitted by the HIPAA Privacy Rule. HIPAA allows disclosure of some PHI for 12 national priority purposes, including treatment purposes, without the individual’s consent (authorization).

We’ve written some posts to help you understand GDPR requirements and how they might apply to you:

Be sure to also read our HIPAA-related content:


  • What is protected health information (PHI)? A guide for healthcare marketers

    Quick summary What PHI is: Any individually identifiable health information created, received, maintained, or transmitted by a covered entity or its business associates Who it applies to: Healthcare providers, health plans, healthcare clearinghouses, and their business associates Why it matters for marketing: Marketing tools that collect or transmit PHI without a BAA create HIPAA compliance…

  • We checked 59 hospital websites. 73% kept tracking visitors after opt-out.

    A new study by Piwik PRO and Verified Data scanned 59 major US hospital and clinic websites for tracking and data compliance. The findings show just how common it is for major US healthcare websites to run marketing tools that weren’t built for a regulated environment. What we actually found Across the 59 scanned sites,…