GDPR ↔ HIPAA Crosswalk
ELDR Institute · Governance Crosswalk

Map GDPR data protection requirements to HIPAA Privacy and Security Rule obligations for healthcare organizations processing both EU personal data and US protected health information, identifying documentation overlaps and distinct obligations.

Scope & Applicability

GDPR Articles 1-99 mapped to HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (Subpart C). Applicable to healthcare organizations, pharma companies, and health technology companies operating across EU and US jurisdictions.

Crosswalk Overview

GDPR and HIPAA share a foundational purpose — protecting individuals' data rights in sensitive contexts — but take materially different approaches. GDPR is comprehensive, applying to all personal data across all sectors. HIPAA is sector-specific, applying to PHI held by covered entities. Healthcare organizations processing EU patient data must satisfy both; documentation obligations are additive, not substitutable.

Areas of Overlap
GDPR                                        HIPAA
------------------------------------------  ---------------------------------------------------
GDPR Art. 5 (Principles)                    HIPAA Privacy Rule Minimum Necessary
GDPR Art. 25 (Privacy by Design)            HIPAA Security Rule Technical Safeguards
GDPR Art. 32 (Security of Processing)       HIPAA Security Rule (45 CFR 164.306)
GDPR Art. 33-34 (Breach Notification)       HIPAA Breach Notification Rule (45 CFR 164.400-414)
Key Differences
Scope of Protected Data
GDPR protects all personal data of EU residents across all sectors. HIPAA protects only PHI held by covered entities and business associates.
Lawful Basis Requirement
GDPR requires a documented lawful basis for every processing activity. HIPAA permits or prohibits specific uses and disclosures by rule, without requiring a documented lawful basis for each.
Individual Rights
GDPR provides access, rectification, erasure, portability, objection, and restriction rights. HIPAA provides access and amendment rights but no right to erasure or portability.
Cross-Border Transfer
GDPR restricts transfers to countries without adequate protection. HIPAA has no cross-border restrictions: PHI can be transferred internationally provided a BAA is in place.
Breach Notification Timeline
GDPR: 72 hours to supervisory authority. HIPAA: 60 days to HHS and affected individuals.
Data Processing Agreements
GDPR: Data Processing Agreements (DPAs) per Art. 28. HIPAA: Business Associate Agreements (BAAs) — similar function, different requirements.
Evidence Requirements
GDPR Evidence
Records of Processing Activities (ROPA) per Art. 30
Data Processing Agreements per Art. 28
Privacy Notices per Art. 13-14
DPIA records per Art. 35
Consent records (where consent is lawful basis)
Cross-border transfer mechanism documentation
HIPAA Evidence
Notice of Privacy Practices (NPP)
Business Associate Agreements (BAAs)
PHI access and disclosure logs
Security Risk Assessment per 45 CFR 164.308(a)(1)
Security policies (Administrative, Physical, Technical safeguards)
Breach Risk Assessment per 45 CFR 164.402
Control Mapping Table

Selected high-overlap control mappings. Full crosswalk documentation available on request.

GDPR Control                                HIPAA Control
------------------------------------------  ---------------------------------------------------
GDPR Art. 5 (Data minimization)             HIPAA Minimum Necessary Standard
GDPR Art. 9 (Special categories)            HIPAA PHI definition
GDPR Art. 25 (Privacy by Design)            HIPAA Security Rule 164.306(a)
GDPR Art. 28 (Processor agreements)         HIPAA BAA (164.308(b))
GDPR Art. 32 (Technical measures)           HIPAA Security Rule Technical Safeguards
GDPR Art. 33 (72-hour breach notice)        HIPAA 60-day breach notice