"The HIPAA Privacy Rule and the EU GDPR: Illustrative Comparisons" by Stacey A. Tovino


In this Article, Professor Tovino compares and contrasts three illustrative concepts and rights in the Privacy Rule and/or the GDPR, including the concepts of authorization and consent, the rights of amendment and rectification, and the right to erasure. Identified similarities reflect the core values of HHS and the EU with respect to maintaining the confidentiality and privacy of personal data and protected health information, respectively. Identified differences reflect the Privacy Rule's original, narrow focus on health industry participants and individually identifiable health information compared to the GDPR's broad focus on data controllers and personal data. Other differences reflect, perhaps, the U.S. health care industry's significant experience with heavy regulation, the health care industry's willingness to accept additional regulation in furtherance of the course of business, and specific concerns about the ways in which employers, insurers, and other institutions have used individuals' health information to their detriment.

Publication Citation

47 Seton Hall L. Rev. 973 (2017).
