HIPAA vs GDPR
Two of the world's most significant health data protection regulations, one from the US, one from the EU. Vietnamese HealthTech often needs both when expanding internationally.
Protects US PHI
Health Insurance Portability and Accountability Act, requires protecting US patients' Protected Health Information. Applies to Covered Entities and Business Associates.
View HIPAA Hub →Protects EU data
General Data Protection Regulation, comprehensive EU personal data protection. Health data is 'special category data' with enhanced protection requirements.
View GDPR Hub →Detailed comparison
| Aspect | HIPAA | GDPR |
|---|---|---|
| Origin | Mỹ (1996, cập nhật 2013) | EU (2018) |
| Data scope | Protected Health Information (PHI), 18 loại nhận dạng + thông tin y tế | All personal data of EU persons; health data is Special Category |
| Who it applies to | Covered Entities + Business Associates (processing PHI) | Any organization processing EU persons' data, regardless of location |
| Consent | Not always required, multiple lawful bases available | One of 6 lawful bases; health data requires explicit consent |
| Business Associate Agreement | Mandatory with all Business Associates accessing PHI | Equivalent: Data Processing Agreement (DPA) |
| Breach notification | 60 days to HHS (if >500 people) + individual notification | 72 hours to DPA; no minimum threshold |
| Data Subject Rights | Right to access, amend their own PHI | 8 full rights: access, erasure, portability, objection... |
| DPO | No equivalent requirement | Mandatory in some cases (large-scale health data processing) |
| Penalties | Tiered based on level of negligence | Up to 4% global annual revenue or €20M (whichever higher) |
| Best for | HealthTech targeting US market, US healthcare service providers | Any company processing EU user data, regardless of industry |
Doing both: Where do they overlap?
If your HealthTech targets both US and EU markets, you need both HIPAA and GDPR. The good news is there's significant overlap in technical controls:
Encryption at rest and in transit, access control, audit logs, MFA, satisfies both HIPAA Technical Safeguards and GDPR Article 32.
BAA (HIPAA) and DPA (GDPR), same vendor but two types of contracts. Many terms are similar.
Process for detecting, assessing, and handling breaches, build once, apply to both.
Security awareness and privacy training, significant content overlap, can be combined into one program.
GDPR requires explicit consent for health data; HIPAA is more flexible on lawful basis. Building consent flow to meet GDPR (stricter) standard is sufficient for both.
GDPR: 72 hours. HIPAA: 60 days. Build process to GDPR standard (72h) satisfies both.
Beyond HIPAA and GDPR, HealthTech operating in Vietnam must also comply with PDPD (Decree 13/2023) when processing health data of Vietnamese users — this is classified as sensitive data under PDPD and requires registration with the Ministry of Public Security. If you're expanding to US and EU markets while still serving Vietnamese users, all three regulations apply.
FAQ
Does Vietnamese HealthTech need HIPAA or GDPR?
Depends on your market: HIPAA if your platform processes US patient data (including via API or US healthcare system integration). GDPR if you have EU patients. Many Vietnamese HealthTech companies target both markets and need both.
If already GDPR-compliant, what else does HIPAA require?
HIPAA additionally requires: (1) Specific Business Associate Agreements with all vendors accessing PHI, (2) Specific technical safeguards per HIPAA Security Rule, (3) Minimum Necessary rule, only share PHI as needed, (4) HIPAA workforce training, (5) Designated Privacy and Security Officer.
Do personal health apps need to comply with HIPAA?
Not always. HIPAA only applies to Covered Entities (hospitals, health insurance, healthcare providers) and their Business Associates. Personal health apps selling directly to end consumers (consumer wellness apps) are typically not Covered Entities, unless integrated with formal healthcare systems.
Ready to get audit-ready?
Book a 15-minute call. See the platform. Decide if it fits.
Book Free Demo 15 min, no commitment