SaaS and cloud providers operating in the healthcare space have to tackle HIPAA compliance. Once you’ve done that, a common question we hear is “how do I stack up when it comes to GDPR?” Why? Because SaaS and cloud-based products operate without boundaries when it comes to acquiring customers.

Even without a dedicated sales team trying to win new business in the EU, self-service free trials and community accounts mean users are going to find their way into your tool. Successfully navigating the right-to-privacy requirements set out by GDPR can be a tall task.

Comparing the Privacy Regulations

Outlined below you can spot some of the key differences between the two privacy requirements.

Data Scope

HIPAA compliance is very specifically tied to people with access to PHI/ePHI.

GDPR extends beyond just PHI/ePHI to people with access to PII (personally identifiable information) and special category information.

Organization Definitions

The organization definitions under HIPAA include Covered Entities (health care providers, health plans, and health care clearinghouses) and Business Associates (people carrying out work on behalf of a covered entity).

GDPR applies to Data Controllers (the entity who determines the purposes for which, and the way in which, personal data is processed) and Data Processors (those acting on the behalf of the Data Controller). These are essentially European equivalents to Covered Entities and Business Associates.

Breach Notifications

Under HIPAA regulations, organizations are required to notify the public of a breach within 60 days. Should there be fewer than 500 individuals impacted, notification can occur annually.

GDPR requires organizations to disclose a data breach within 72 hours of the breach being discovered.


HIPAA privacy is covered under consent and portability, giving patients the right to access, update and move their healthcare information.

GDPR gives EU citizens specific data protection rights to:

  • be informed: privacy policies, cookie policies, terms, consent
  • access: access to personal data at no charge
  • rectification: update personal data
  • erasure (“to be forgotten”): delete data and account (unless technically infeasible, e.g. log data)
  • restrict processing: stop using an individual’s personal data
  • data portability: download data in common format
  • object: revoke consent


Within HIPAA, there are numerous levels of offense and fines.

  • Tier 1: Lack of awareness – $100 to $50,000 per violation, up to $1.5M per year
  • Tier 2: Lack of due diligence – $1,000 to $50,000 per violation, up to $1.5M per year
  • Tier 3: Willful neglect – $10,000 to $50,000 per violation, up to $1.5M per year
  • Tier 4: Willful neglect with no effort to correct – $50,000 per violation, up to $1.5M per year

On top of fines, organizations and individuals involved also face potential criminal charges:

  • Unknowingly or with Reasonable Cause: up to 1 year
  • False Pretenses: up to 5 years and $100,000 fine
  • Fraud: up to 10 years and $250,000 fine

GDPR has only two levels of penalties for organizations that are not compliant, but the penalties carry a much larger fiscal weight.

  • Lower Level: Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
  • Higher Level: Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher

Required Roles

HIPAA regulations require a Privacy Officer to oversee the creation and maintenance of a HIPAA-compliant privacy policy, and a Security Officer to oversee the creation and maintenance of the security policies and procedures that enable enforcement of the privacy policy.

GDPR requires the appointment of a data protection officer (DPO). This person is tasked with ensuring that data management and handling are compliant with GDPR. This responsibility includes enforcing the regulations of the GDPR and making contact with a data subject should that be required by law.


HIPAA has a Security Rule that provides high-level guidance and best practices. The HIPAA Security Rule is not prescriptive about specific controls and implementations, though. Organizations turn to HITRUST because they find that the security framework aligns with HIPAA compliance requirements, as well as other requirements.

GDPR requires data protection by design and data protection by default, which include specific notes around encryption. The HITRUST Cybersecurity Framework also aligns very closely with GDPR here: data protection by design and by default means processing and storing only what is needed, deleting data when it is no longer needed, plain-language and user-friendly privacy defaults, options, controls and preferences, and data protection baked into the product.


Organizations handling PHI/ePHI as well as Covered Entities and Business Associates are required by law to be HIPAA compliant, so there are no certifications to display.

While there are no officially designated certifications, organizations can adopt the Privacy Shield requirements and/or appoint an EU GDPR Representative.


Organizations must complete an annual risk assessment in order to be HIPAA compliant.

Similarly, GDPR requires a Data Protection Impact Assessment (DPIA) when data processing is likely to result in a high risk to data subjects.

More on GDPR Data Breach Notifications

Within 72 Hours

Within 72 hours after discovery of a data breach, an organization must carry out a thorough investigation to determine the nature of the breach. The goal is to answer the questions: who accessed what and when, who carried out the breach, how is the data being used, and who are the impacted individuals.

Organizations should put together a record of the work that has been done and the safeguards put in place to prevent a breach, then draft a comprehensive containment, mitigation and remediation plan. Lastly, the impacted organization needs to notify the authorities within 72 hours and the affected individuals without undue delay.

Leverage HITRUST to Align with GDPR

Not Required, But Helpful

For organizations operating in healthcare, HIPAA and HITRUST already go hand in hand. But there is value for SaaS organizations not operating in healthcare in considering HITRUST as a supportive framework for enforcing the privacy requirements in GDPR that are not featured or prioritized in ISO 27001 (security-focused), NIST 800-53 (privacy is secondary) or PCI (nothing on privacy).

To be clear, a complete HITRUST certification makes little sense when you consider the costs and efforts. But adopting some of the controls and requirements would help your organization align with the GDPR privacy requirements of how data is stored, processed and deleted.


Posted By JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.
