HIPAA and GDPR: How to Comply With Both When Collecting Patient Data
January 31, 2026 · Formisoft Team
From the team at Formisoft, the HIPAA-ready platform for patient intake, scheduling, and payments. Learn more →
Most healthcare providers know they need to comply with HIPAA. Fewer realize they might also need to comply with GDPR, the EU's General Data Protection Regulation. GDPR reaches organizations outside the EU when they offer services to people in the EU or monitor their behaviour there, so a practice that runs telehealth for patients in the EU, markets to them, or tracks EU visitors on its website can be in scope. And the two frameworks, while sharing some principles, have meaningfully different requirements.
Here's how to handle both without losing your mind.
Where HIPAA and GDPR Overlap
Both laws care about the same fundamental things:
- Lawful basis. You need a legal basis for collecting and processing personal data. HIPAA permits uses and disclosures for treatment, payment, and healthcare operations without patient authorization and requires written authorization for most other uses; GDPR requires a lawful basis under Article 6 plus, for health data, one of the Article 9 exceptions (explicit consent, or provision of healthcare under appropriate safeguards).
- Data minimization. Collect only what you need. Don't hoard information "just in case."
- Security. Protect the data you collect with appropriate technical and organizational measures.
- Breach notification. If something goes wrong, you have to tell people about it.
- Access rights. Individuals can request to see what data you have about them.
If you're already doing HIPAA well, you have a foundation for GDPR compliance. But it's not sufficient on its own.
Where They Diverge
Consent standards
HIPAA does not actually require consent for treatment, payment, and healthcare operations (TPO). A covered entity must give patients its Notice of Privacy Practices and make a good-faith effort to obtain a written acknowledgment, after which it may use PHI for TPO purposes. A signed authorization is only needed for uses outside TPO, such as marketing, sale of PHI, or most disclosures of psychotherapy notes.
GDPR consent, where you rely on it, is stricter. It must be:
- Freely given (no "sign this or we won't treat you" pressure; consent bundled into a condition of service is presumed not to be freely given)
- Specific to each processing purpose
- Informed (in plain language, not legalese)
- Easy to withdraw at any time, and as easy to withdraw as it was to give
For health data the consent must also be explicit (Article 9(2)(a)). Consent is not the only route: delivering care can rest on Article 9(2)(h), processing necessary for diagnosis or treatment by someone bound by professional secrecy, which is often a sounder basis than consent precisely because care cannot be made conditional on consent. Where you do rely on consent for patients in the EU, for example for marketing, reminders, or analytics, your consent forms will need to be more granular than what HIPAA alone requires.
The right to be forgotten
GDPR gives individuals the right to request erasure of their personal data (Article 17). HIPAA has no equivalent right: patients can ask to amend their records, but not to have them deleted. HIPAA requires covered entities to retain their compliance documentation (policies, procedures, Notices of Privacy Practices, accountings of disclosures) for six years; the retention period for the medical record itself is set by state law and, for Medicare providers, the conditions of participation, and is often longer.
The GDPR right is not absolute. Article 17(3) lets you refuse erasure where the processing is needed to comply with a legal obligation or for healthcare purposes under Article 9(2)(h). For patients in the EU, you'll need a policy that maps each category of data to its retention obligation, explains which records can be erased on request and which will be retained and why, and records each decision so you can show it later. This gets complicated, and you may need legal counsel to sort it out.
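To make the retention-versus-erasure policy concrete, here is an added Python example. It is not Formisoft code and does not state any real retention period: the data categories, the retention table, the record layout and the function names are assumptions for illustration, and real periods come from counsel, state law and your own retention schedule. The handler takes an erasure request, checks every record of that patient against the retention table, erases what it can, holds what it must with the obligation and release date as the reason, and writes each decision into a hash-chained audit log that can later be verified for tampering.

```python
"""Erasure request handling against retention obligations (added example).

Assumptions: the categories, retention periods and Record layout below are
illustrative only; real values come from counsel and the retention schedule.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Category(Enum):
    CLINICAL = "clinical"    # the medical record itself
    BILLING = "billing"      # claims and payment data
    CONSENT = "consent"      # evidence of authorization / withdrawal
    MARKETING = "marketing"  # processed on consent only
    ANALYTICS = "analytics"  # processed on consent only


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    category: Category
    created: datetime


@dataclass(frozen=True)
class RetentionRule:
    minimum: Optional[timedelta]  # None: no legal minimum, erase on request
    basis: str                    # obligation cited in the audit trail


# Assumed policy table (illustrative periods, not legal advice).
RETENTION: Dict[Category, RetentionRule] = {
    Category.CLINICAL: RetentionRule(timedelta(days=7 * 365), "state medical-record retention law"),
    Category.BILLING: RetentionRule(timedelta(days=6 * 365), "HIPAA documentation and tax retention"),
    Category.CONSENT: RetentionRule(timedelta(days=6 * 365), "evidence of authorization and withdrawal"),
    Category.MARKETING: RetentionRule(None, "processed on consent only"),
    Category.ANALYTICS: RetentionRule(None, "processed on consent only"),
}

GENESIS = "0" * 64  # hash of the (empty) entry before the first audit entry


def _canonical(event: dict) -> str:
    """Stable JSON encoding so the hash is reproducible on verification."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _chain_entry(prev_hash: str, event: dict) -> dict:
    """Audit entry whose hash covers both the event and the previous hash."""
    digest = hashlib.sha256((prev_hash + _canonical(event)).encode()).hexdigest()
    return {"prev": prev_hash, "event": event, "hash": digest}


def verify_audit_chain(entries: List[dict]) -> bool:
    """Recompute every hash; an edited, removed or reordered entry breaks the chain."""
    prev = GENESIS
    for entry in entries:
        if entry["prev"] != prev:
            return False
        expected = hashlib.sha256((prev + _canonical(entry["event"])).encode()).hexdigest()
        if expected != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def handle_erasure_request(
    patient_id: str,
    records: List[Record],
    now: datetime,
    rules: Dict[Category, RetentionRule] = RETENTION,
) -> Tuple[List[str], Dict[str, str], List[dict]]:
    """Return (erased record ids, retained ids with reasons, audit entries)."""
    erased: List[str] = []
    retained: Dict[str, str] = {}
    audit: List[dict] = []
    prev = GENESIS
    for rec in sorted(records, key=lambda r: r.record_id):
        if rec.patient_id != patient_id:
            continue  # never touch another patient's data on this request
        rule = rules[rec.category]
        release = rec.created + rule.minimum if rule.minimum is not None else None
        if release is not None and now < release:
            reason = f"{rule.basis}; eligible for erasure after {release.date().isoformat()}"
            retained[rec.record_id] = reason
            action = "retained"
        else:
            erased.append(rec.record_id)
            reason = rule.basis
            action = "erased"
        event = {"ts": now.isoformat(), "patient": patient_id, "record": rec.record_id,
                 "category": rec.category.value, "action": action, "reason": reason}
        entry = _chain_entry(prev, event)
        audit.append(entry)
        prev = entry["hash"]
    return erased, retained, audit


if __name__ == "__main__":
    # Constructed sample data, not real patient records.
    now = datetime(2026, 1, 31, tzinfo=timezone.utc)
    sample = [
        Record("r1", "p1", Category.CLINICAL, now - timedelta(days=2 * 365)),
        Record("r2", "p1", Category.MARKETING, now - timedelta(days=30)),
        Record("r3", "p1", Category.BILLING, now - timedelta(days=7 * 365)),
    ]
    erased, retained, audit = handle_erasure_request("p1", sample, now)
    print("erased:", erased, "retained:", retained, "chain ok:", verify_audit_chain(audit))
```

The point of the audit chain is that the decision to keep a record is itself something a supervisory authority may ask you to justify; hashing each entry over the previous one means a later "correction" of the log is detectable. In a real system the chain head would be anchored somewhere the application cannot overwrite.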
Data Protection Officers
GDPR requires a Data Protection Officer (DPO) when an organization's core activities involve large-scale processing of special-category data such as health data (Article 37), which covers most hospitals and larger practices but not every small clinic. HIPAA requires a Privacy Officer and a Security Official. If you're subject to both, you need to have these roles filled; one person can serve multiple roles in smaller organizations, though the DPO must be able to act independently and cannot be someone who sets the purposes of processing.
Scope
HIPAA applies to covered entities and business associates handling PHI, wherever the patient comes from. GDPR applies to organizations established in the EU and, under Article 3(2), to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there. It is triggered by targeting people in the EU, not by a patient's citizenship. A dental practice in Ohio that treats a German tourist who walks in is generally not subject to GDPR for that visit; the same practice becomes subject to it if it markets to patients in the EU, offers telehealth follow-ups to them in Germany, or tracks EU visitors on its website.
Practical Steps for Dual Compliance
1. Upgrade your consent forms
Build consent into your intake workflow with e-signature fields that explicitly cover:
- What data you're collecting
- Why you need it
- How it will be used and stored
- Who it may be shared with
- How to withdraw consent
Conditional logic can help here: if a patient indicates they are in the EU or the intake is for a service you offer into the EU, the additional GDPR consent fields can appear automatically.
2. Implement data minimization rigorously
Both laws require this, so do it well. Review every field on your forms. If you can't articulate why you need a piece of information, remove it. Use conditional logic so patients only see questions relevant to their situation.
3. Lock down your security
This is the area with the most overlap. A strong security posture covers both frameworks:
- AES-256 encryption at rest (under HIPAA, encryption is an "addressable" specification, but PHI encrypted in line with HHS guidance is not "unsecured PHI," so losing it does not trigger breach notification)
- TLS 1.3 in transit (TLS 1.2 with modern cipher suites is the acceptable floor; anything older is not)
- Role-based access controls, granting the least privilege each role needs
- Comprehensive, tamper-evident audit logging
- A documented hosting location and transfer basis. HIPAA does not require US hosting. GDPR's Chapter V restricts transfers of EU personal data outside the EU/EEA to countries with an adequacy decision or to recipients covered by a transfer mechanism such as Standard Contractual Clauses or, for certified US organizations, the EU-US Data Privacy Framework, with the transfer documented.
4. Document everything
Both HIPAA and GDPR require evidence of compliance. Maintain records of:
- What data you collect and why
- Consent records with timestamps
- Access logs showing who viewed what data
- Security measures in place
- Breach response procedures
5. Have a breach response plan
HIPAA requires you to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, plus HHS and, for breaches affecting more than 500 residents of a state, the media. GDPR requires you to notify the supervisory authority within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and to notify the individuals themselves without undue delay when the risk is high. The GDPR clock is much faster, so if you're subject to both, plan for the shorter timeline and make sure your incident process records the moment of discovery, since both clocks start there.
6. Choose compliant tools
Your form platform, cloud storage, email provider, analytics scripts: every tool that touches patient data needs to support your compliance requirements. Look for platforms that will sign a BAA (for HIPAA) and a data processing agreement under Article 28 (for GDPR), that document where data is stored and on what basis it leaves the EU, and that provide encryption, audit logging, and role-based access.
The Bottom Line
If you only serve US patients and do nothing that targets people in the EU, HIPAA is your focus. But if you market to, treat remotely, or track people in the EU, even occasionally, you need to understand GDPR's additional requirements.
The good news is that the two frameworks reinforce each other. Strong consent practices, data minimization, robust security, and thorough documentation serve both. Build your compliance program around these principles, choose tools designed for healthcare data protection, and you'll be well-positioned for both.