Quiz Entry - updated: 2026.06.19
Beyond the GDPR and the Swiss revDSG, what do the US privacy laws HIPAA and CCPA each protect?
HIPAA protects US health data (PHI); the CCPA gives California consumers rights over their personal data.
Data-protection law isn't only European. Two US frameworks come up repeatedly:
- HIPAA (Health Insurance Portability and Accountability Act, 1996) — a US federal law governing Protected Health Information (PHI): medical records, treatment, and payment data held by healthcare providers, insurers, and their partners. Its de-identification safe-harbor rule (45 C.F.R. § 164.514(b)) famously lists 18 identifiers that must be stripped.
- CCPA (California Consumer Privacy Act, in force 2020) — a US state law giving California consumers rights to know what personal data is collected, to have it deleted, and to opt out of its sale. It protects identifiers like names, addresses, IP addresses, and purchase behaviour, and applies to businesses meeting certain size/revenue thresholds that handle Californians' data.
Why it matters: HIPAA is sectoral (health only) and CCPA is state-level and consumer-focused, in contrast to the GDPR's broad, omnibus reach. A global service often has to satisfy all of them at once.
Tip: HIPAA = health data in the US; CCPA = California consumers' data. Neither is as broad as the GDPR.