HIPAA vs GDPR: Key Differences and Which One You Need
HIPAA is a U.S. sectoral law that protects health information (PHI/ePHI) held by healthcare providers, health plans, healthcare clearinghouses, and their business associates; GDPR is an EU regulation that protects all personal data of people in the EU/EEA, regardless of industry. Neither is a certification you can buy or earn — both are legal obligations enforced by regulators (the HHS Office for Civil Rights for HIPAA, national Data Protection Authorities for GDPR). For most organizations it is not an either/or choice: your geography and the type of data you handle decide which applies, and a U.S. health-tech company with EU patients can owe both.
HIPAA vs GDPR at a glance
| | HIPAA | GDPR |
|---|---|---|
| Type | U.S. federal law (45 CFR Parts 160 & 164) — the Privacy, Security, and Breach Notification Rules | EU regulation (Regulation 2016/679) — directly applicable across all EU/EEA member states |
| Enforced by | HHS Office for Civil Rights (OCR) for civil penalties; OCR refers potential criminal violations to the U.S. Department of Justice | National Data Protection Authorities, coordinated by the European Data Protection Board (EDPB) |
| Geography | United States | EU/EEA — plus extraterritorial reach (Art. 3) over non-EU organizations that offer goods/services to, or monitor, people in the EU |
| Data protected | Protected health information (PHI/ePHI) handled by covered entities and business associates | All personal data of people in the EU; health data is a 'special category' with extra protection |
| Who must comply | Covered entities (providers, health plans, healthcare clearinghouses) and their business associates | Controllers and processors of EU/EEA personal data, in any sector |
| Best for | U.S. healthcare organizations and the vendors that handle PHI on their behalf (e.g., medical, dental, and behavioral-health practices, health-tech and billing vendors) | Any organization, in any industry, that processes the personal data of people in the EU/EEA — including non-EU companies with EU customers or users |
| Breach notification | Affected individuals without unreasonable delay and no later than 60 days after discovery; HHS notified within 60 days for breaches affecting 500+ individuals, or logged and reported annually for smaller breaches | Supervisory authority within 72 hours of becoming aware (Art. 33); affected individuals 'without undue delay' where there is a high risk to their rights (Art. 34) |
| Penalties | Tiered civil monetary penalties by level of culpability, with per-violation amounts and annual caps that are adjusted for inflation, plus possible criminal penalties for knowing misuse of PHI | Up to €20M or 4% of total worldwide annual turnover, whichever is higher (Art. 83(5)); lower tier up to €10M or 2% (Art. 83(4)) |
| Certification? | No — there is no official 'HIPAA certified' status; compliance is self-determined and OCR-enforced | No certificate proves compliance; Art. 42 allows voluntary certification mechanisms, but they don't by themselves confer compliance |
Key differences
The cleanest way to tell them apart is scope: HIPAA is sectoral — it only governs health information held by healthcare providers, health plans, healthcare clearinghouses, and the business associates that handle PHI on their behalf — while GDPR is omnibus, covering every category of personal data about people in the EU/EEA, in any industry. The second big difference is reach: HIPAA applies in the United States, but GDPR's Article 3 extends to non-EU companies that offer goods or services to, or monitor, individuals in the EU/EEA. The most memorable operational contrast is the breach clock — HIPAA requires individual notice no later than 60 days after discovery (with HHS notified within 60 days for breaches of 500+ individuals, or annually for smaller ones), whereas GDPR requires notification to the supervisory authority within 72 hours of becoming aware. Crucially, neither is something you "get certified" in: both are legal obligations you must operate and be able to demonstrate, not a badge a template or vendor can grant.
Which should you choose?
This is rarely an either/or decision — your geography and the data you handle decide it for you. A U.S. medical, dental, or behavioral-health practice that creates or transmits PHI needs HIPAA; a business that handles personal data of people in the EU/EEA needs GDPR, even if it has no EU office. Many organizations owe both: a U.S. digital-health company serving EU patients, for example, must meet HIPAA for its PHI and GDPR for the EU personal data it processes. When both apply, build one documentation program and map shared controls — risk assessment, access control, breach response, vendor/processor management — to each framework rather than maintaining two disconnected sets of policies. Editable templates can accelerate that documentation work, but they don't by themselves make you compliant — you still have to operate the controls and be able to demonstrate them.
Recommended toolkits
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.
GDPR Compliance Pack for Small Business
14 editable GDPR documents — privacy notices, DSAR procedure, DPIA, breach response, processor DPA checklist — plus a pre-filled Records of Processing Activities (Art. 30) workbook and evidence checklist.
Frequently asked questions
- Is HIPAA the same as GDPR?
- No. HIPAA is a U.S. sectoral law that protects health information (PHI) held by healthcare providers, health plans, healthcare clearinghouses, and their business associates, and is enforced by the HHS Office for Civil Rights. GDPR is an EU regulation that protects all personal data of people in the EU/EEA, in any industry, and is enforced by national Data Protection Authorities. They overlap only where health data and EU/EEA data subjects intersect — and where both apply, you must satisfy each one separately.
- Does GDPR apply to U.S. companies?
- It can. Under Article 3, GDPR applies to organizations outside the EU if they offer goods or services to people in the EU/EEA or monitor their behavior — even with no EU office or establishment. So a U.S. company with EU customers, patients, or website users that processes their personal data is generally in scope. HIPAA, by contrast, applies to covered entities and business associates that handle PHI in the United States.
- Do I need to comply with both HIPAA and GDPR?
- You do if both apply to you — most often a U.S. organization that handles PHI and also processes the personal data of people in the EU, such as a digital-health firm with EU patients. HIPAA governs the PHI; GDPR governs the EU personal data, where health information is treated as a 'special category' with heightened protection. The efficient approach is one program with controls mapped to both frameworks rather than two separate sets of policies.
- How fast must I report a breach under HIPAA vs GDPR?
- The deadlines differ sharply. Under HIPAA's Breach Notification Rule you must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI; HHS must be notified within 60 days for breaches affecting 500 or more individuals, while smaller breaches are logged and reported to HHS annually. Under GDPR Article 33 you must notify the relevant supervisory authority within 72 hours of becoming aware of a personal-data breach, and notify affected individuals without undue delay where the breach poses a high risk to their rights.
