Comparison · Health Data

HIPAA vs GDPR

Two of the world's most significant health data protection regulations, one from the US, one from the EU. Vietnamese HealthTech often needs both when expanding internationally.

By pTrackly Compliance Team · Updated July 2026 · HIPAA 45 CFR & GDPR 2016/679
HIPAA

Protects US PHI

Health Insurance Portability and Accountability Act, requires protecting US patients' Protected Health Information. Applies to Covered Entities and Business Associates.

View HIPAA Hub →
VS
GDPR

Protects EU data

General Data Protection Regulation, comprehensive EU personal data protection. Health data is 'special category data' with enhanced protection requirements.

View GDPR Hub →

Detailed comparison

Aspect HIPAA GDPR
Origin Mỹ (1996, cập nhật 2013) EU (2018)
Data scope Protected Health Information (PHI), 18 loại nhận dạng + thông tin y tế All personal data of EU persons; health data is Special Category
Who it applies to Covered Entities + Business Associates (processing PHI) Any organization processing EU persons' data, regardless of location
Consent Not always required, multiple lawful bases available One of 6 lawful bases; health data requires explicit consent
Business Associate Agreement Mandatory with all Business Associates accessing PHI Equivalent: Data Processing Agreement (DPA)
Breach notification 60 days to HHS (if >500 people) + individual notification 72 hours to DPA; no minimum threshold
Data Subject Rights Right to access, amend their own PHI 8 full rights: access, erasure, portability, objection...
DPO No equivalent requirement Mandatory in some cases (large-scale health data processing)
Penalties Tiered based on level of negligence Up to 4% global annual revenue or €20M (whichever higher)
Best for HealthTech targeting US market, US healthcare service providers Any company processing EU user data, regardless of industry

Doing both: Where do they overlap?

If your HealthTech targets both US and EU markets, you need both HIPAA and GDPR. The good news is there's significant overlap in technical controls:

Technical Safeguards / Security

Encryption at rest and in transit, access control, audit logs, MFA, satisfies both HIPAA Technical Safeguards and GDPR Article 32.

Vendor Contracts

BAA (HIPAA) and DPA (GDPR), same vendor but two types of contracts. Many terms are similar.

Incident Response

Process for detecting, assessing, and handling breaches, build once, apply to both.

Staff Training

Security awareness and privacy training, significant content overlap, can be combined into one program.

Difference: Consent

GDPR requires explicit consent for health data; HIPAA is more flexible on lawful basis. Building consent flow to meet GDPR (stricter) standard is sufficient for both.

Difference: Breach Timeline

GDPR: 72 hours. HIPAA: 60 days. Build process to GDPR standard (72h) satisfies both.

🇻🇳
For Vietnamese HealthTech specifically:

Beyond HIPAA and GDPR, HealthTech operating in Vietnam must also comply with PDPD (Decree 13/2023) when processing health data of Vietnamese users — this is classified as sensitive data under PDPD and requires registration with the Ministry of Public Security. If you're expanding to US and EU markets while still serving Vietnamese users, all three regulations apply.

FAQ

Does Vietnamese HealthTech need HIPAA or GDPR?

Depends on your market: HIPAA if your platform processes US patient data (including via API or US healthcare system integration). GDPR if you have EU patients. Many Vietnamese HealthTech companies target both markets and need both.

If already GDPR-compliant, what else does HIPAA require?

HIPAA additionally requires: (1) Specific Business Associate Agreements with all vendors accessing PHI, (2) Specific technical safeguards per HIPAA Security Rule, (3) Minimum Necessary rule, only share PHI as needed, (4) HIPAA workforce training, (5) Designated Privacy and Security Officer.

Do personal health apps need to comply with HIPAA?

Not always. HIPAA only applies to Covered Entities (hospitals, health insurance, healthcare providers) and their Business Associates. Personal health apps selling directly to end consumers (consumer wellness apps) are typically not Covered Entities, unless integrated with formal healthcare systems.

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo