HIPAA vs International Privacy Laws: How Six Frameworks Differ
HIPAA is not universally applicable; it is a sector-specific United States law that binds only Covered Entities and Business Associates as defined in 45 CFR § 160.103, while most other countries regulate health data through omnibus privacy laws such as the EU GDPR, Canada's PIPEDA, Australia's Privacy Act 1988, Japan's APPI, and Brazil's LGPD. The frameworks differ on four structural points: who is regulated, what legal basis permits processing health data, how fast breaches must be reported, and how penalties are calculated. This article compares all six side by side.
TL;DR: Quick answer
- HIPAA regulates a sector (healthcare providers, plans, clearinghouses, and their vendors under 45 CFR § 160.103); GDPR, PIPEDA, the Australian Privacy Act, APPI, and LGPD are omnibus laws that regulate organizations across all industries.
- Maximum penalties span two orders of magnitude: HIPAA caps at $2,190,294 per provision per year (45 CFR § 102.3, 2026), GDPR reaches EUR 20 million or 4% of global annual turnover, and Australia's Privacy Act reaches the greater of AUD 50 million, three times the benefit gained, or 30% of domestic turnover.
- Breach notification deadlines range from 72 hours to a supervisory authority under GDPR Article 33 (and three business days to the ANPD under LGPD's breach regulation) to an outer limit of 60 days from discovery under HIPAA, which requires notice to individuals without unreasonable delay (45 CFR §§ 164.400-414).
- HIPAA permits treatment, payment, and operations uses of PHI without patient consent (45 CFR § 164.502); GDPR, APPI, and LGPD generally require an explicit legal basis or consent for health data.
- HIPAA can reach non-US companies only contractually, through a BAA with a US Covered Entity under 45 CFR § 164.504(e).
Sector-specific vs omnibus: the structural difference
HIPAA's scope is defined by role, not by data type alone. It applies to Covered Entities (healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction, health plans, and clearinghouses) and to Business Associates that handle protected health information (PHI) on their behalf (45 CFR § 160.103). Health data held by anyone else, such as a fitness app with no Covered Entity relationship, sits outside HIPAA entirely.
Omnibus laws invert this. GDPR applies to any controller or processor established in the EU, and to those outside it that offer goods or services to, or monitor the behaviour of, people in the EU (Art. 3), with health data treated as a special category under Article 9. PIPEDA applies to private-sector organizations in Canada engaged in commercial activity. Australia's Privacy Act 1988 applies to most businesses with annual turnover above AUD 3 million plus all private health service providers regardless of size. Japan's APPI and Brazil's LGPD likewise apply economy-wide. The practical consequence: a wellness startup that escapes HIPAA in the US would still be fully regulated if it operated in the EU, Canada, Australia, Japan, or Brazil.
Comparison table: HIPAA, GDPR, PIPEDA, Australia, Japan, Brazil
| Framework | Scope | Legal basis for health data | Breach notification | Maximum penalty |
|---|---|---|---|---|
| HIPAA (US) | Sector-specific: Covered Entities and Business Associates (45 CFR § 160.103) | No consent needed for treatment, payment, operations; authorization for most other uses (45 CFR § 164.502) | Individuals without unreasonable delay and no later than 60 days after discovery; HHS OCR within the same 60 days if 500+ affected (plus media notice), otherwise logged and reported within 60 days after the end of the calendar year (45 CFR §§ 164.400-414) | Up to $73,011 per violation in the first three tiers, up to $2,190,294 per violation for uncorrected willful neglect; $2,190,294 annual cap per provision (45 CFR § 102.3, 2026) |
| GDPR (EU) | Omnibus: all controllers and processors, with extraterritorial reach (Art. 3) | Health data prohibited by default; needs Art. 9(2) exception such as explicit consent or healthcare provision | Supervisory authority within 72 hours (Art. 33); individuals without undue delay if high risk (Art. 34) | EUR 20 million or 4% of global annual turnover, whichever is higher (Art. 83) |
| PIPEDA (Canada) | Omnibus: private-sector commercial activity; provincial health laws like Ontario's PHIPA cover custodians | Meaningful consent as the default rule, calibrated to sensitivity; health data treated as highly sensitive | Report to Privacy Commissioner and notify individuals as soon as feasible if real risk of significant harm | Fines up to CAD 100,000 per offence for specific violations, via prosecution |
| Privacy Act 1988 (Australia) | Omnibus: businesses over AUD 3 million turnover, plus all private health providers | Consent generally required to collect health information, with care-provision exceptions (APP 3) | Notify OAIC and individuals as soon as practicable after an eligible data breach; 30-day assessment window | Greater of AUD 50 million, 3x benefit obtained, or 30% of adjusted domestic turnover (2022 amendments) |
| APPI (Japan) | Omnibus: all businesses handling personal information | Consent required to acquire "special care-required" data, including medical history | Report to the Personal Information Protection Commission and notify individuals for defined breach categories (2022 rules) | Corporate fines up to JPY 100 million for violating PPC orders or unlawful disclosure of databases |
| LGPD (Brazil) | Omnibus: processing in Brazil or targeting Brazilian data subjects | Sensitive data, including health data, needs specific consent or a listed legal basis (Art. 11) | Notify the ANPD and data subjects; ANPD regulation sets a 3-business-day window | Up to 2% of Brazil revenue, capped at R$50 million per infraction |
How does enforcement philosophy differ?
HHS OCR enforces HIPAA through investigations, corrective action plans, and civil money penalties in four culpability tiers. Per-violation amounts run from a $145 minimum in the lowest tier (no knowledge) to a $73,011 maximum in each of the first three tiers, and up to $2,190,294 per violation for willful neglect left uncorrected; the same $2,190,294 figure is the annual cap for identical violations of a single provision (45 CFR § 102.3). The 2019 Notice of Enforcement Discretion still applies lower annual caps to the first three tiers. Our breakdown of HIPAA violation fines and penalties covers the tier structure in detail.
GDPR authorities issue administrative fines directly and have done so at scale since 2018. Canada's federal Commissioner, by contrast, primarily issues findings and compliance agreements; PIPEDA's monetary penalties require prosecution, which is why Canadian reform efforts keep proposing stronger fining powers. Australia moved sharply toward GDPR-style deterrence with its 2022 penalty amendments, and its regulator issued its first major civil penalties in the years since. Japan's PPC relies heavily on guidance and orders, with criminal-backed fines as the backstop. Brazil's ANPD began applying sanctions in 2023 after publishing its dosimetry regulation.
What counts as health data also differs
HIPAA protects PHI: individually identifiable health information held by a Covered Entity or Business Associate (45 CFR § 160.103). Identical data held outside that relationship is not PHI. GDPR Article 9, Japan's special care-required category, and LGPD Article 11 instead attach protection to the data itself, wherever it sits. PIPEDA calibrates consent to sensitivity, and Ontario's PHIPA adds custodian-specific rules; our companion article on HIPAA, Canadians, and PIPEDA covers the Canadian stack in depth.
When does HIPAA reach across borders?
HIPAA has no general extraterritorial scope. A clinic in Berlin or Sydney owes nothing to HHS OCR. But a non-US company that creates, receives, maintains, or transmits PHI on behalf of a US Covered Entity becomes a Business Associate, must sign a BAA under 45 CFR §§ 164.308(b) and 164.504(e), and is subject to enforcement, with the practical caveat that collecting against offshore entities is harder. We examine this scenario for non-US founders in does HIPAA only apply to US sites.
For infrastructure decisions this means one rulebook rarely suffices. A telehealth platform serving the US and EU needs both BAA-covered hosting and GDPR-compliant processing terms. Our HIPAA-compliant hosting guide explains the US layer; hipaacomplianthosting.com provides managed HIPAA hosting on AWS, including HIPAA cloud hosting with a signed BAA. That is our business, stated plainly.
Frequently asked questions
Is GDPR stricter than HIPAA?
In scope and fines, yes: GDPR covers all sectors and fines reach 4% of global turnover versus HIPAA's $2,190,294 annual cap per provision. HIPAA is more prescriptive in places, with specific safeguard standards at 45 CFR §§ 164.308-312 and a six-year documentation retention rule at § 164.316(b)(2)(i).
Which countries have a direct HIPAA equivalent?
Few have a sector-specific national health privacy law like HIPAA. Most regulate health data as a sensitive category inside omnibus laws, while Canada layers provincial health statutes such as Ontario's PHIPA on top of PIPEDA.
Does complying with GDPR make a company HIPAA compliant?
No. The frameworks overlap on encryption, access control, and breach response, but HIPAA adds US-specific requirements such as BAAs (45 CFR § 164.504(e)), a documented risk analysis (§ 164.308(a)(1)(ii)(A)), and its own breach notification timelines.
Which law applies if a US patient uses a European health service?
Usually GDPR, because the provider is an EU controller. HIPAA applies only if the European company acts as a Covered Entity or as a Business Associate of one, which a direct-to-consumer EU service typically does not.
Why are HIPAA's fines lower than GDPR's?
HIPAA's caps are set by statute and adjusted annually for inflation under 45 CFR § 102.3, while GDPR and Australia's Privacy Act use turnover-based formulas designed to scale with company size.
This article is general information, not legal advice. Consult counsel about which frameworks apply to your organization, and base your safeguards on a documented risk analysis. Reviewed June 2026.
Sources
- 45 CFR § 160.103, Definitions (ecfr.gov)
- 45 CFR § 102.3, Adjusted civil money penalty amounts (ecfr.gov)
- GDPR Article 9, Processing of special categories of personal data (gdpr-info.eu)
- GDPR Article 83, Administrative fines (gdpr-info.eu)
- Office of the Privacy Commissioner of Canada, PIPEDA (priv.gc.ca)
- Information and Privacy Commissioner of Ontario, PHIPA (ipc.on.ca)
- OAIC, The Privacy Act 1988 (oaic.gov.au)
- Personal Information Protection Commission Japan, Laws and Policies (ppc.go.jp)
- HHS, Breach Notification Rule (hhs.gov)