Map GDPR data protection requirements to HIPAA Privacy and Security Rule obligations for healthcare organizations processing both EU personal data and US protected health information, identifying documentation overlaps and distinct obligations.
GDPR Articles 1-99 mapped to HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (Subpart C). Applicable to healthcare organizations, pharma companies, and health technology companies operating across EU and US jurisdictions.
GDPR and HIPAA share a foundational purpose — protecting individuals' data rights in sensitive contexts — but take materially different approaches. GDPR is comprehensive, applying to all personal data across all sectors. HIPAA is sector-specific, applying to PHI held by covered entities. Healthcare organizations processing EU patient data must satisfy both; documentation obligations are additive, not substitutable.
| GDPR | | HIPAA |
|---|---|---|
| GDPR Art. 5 (Principles) | ↔ | HIPAA Privacy Rule Minimum Necessary |
| GDPR Art. 25 (Privacy by Design) | ↔ | HIPAA Security Rule Technical Safeguards |
| GDPR Art. 32 (Security of Processing) | ↔ | HIPAA Security Rule (45 CFR 164.306) |
| GDPR Art. 33-34 (Breach Notification) | ↔ | HIPAA Breach Notification Rule (45 CFR 164.400-414) |
Selected high-overlap control mappings. Full crosswalk documentation available on request.
| GDPR Control | | HIPAA Control |
|---|---|---|
| GDPR Art. 5 (Data minimization) | → | HIPAA Minimum Necessary Standard |
| GDPR Art. 9 (Special categories) | → | HIPAA PHI definition |
| GDPR Art. 25 (Privacy by Design) | → | HIPAA Security Rule 164.306(a) |
| GDPR Art. 28 (Processor agreements) | → | HIPAA BAA (164.308(b)) |
| GDPR Art. 32 (Technical measures) | → | HIPAA Security Rule Technical Safeguards |
| GDPR Art. 33 (72-hour breach notice) | → | HIPAA 60-day breach notice |