Does OCPA Exempt HIPAA Covered Entities? Scope, Limits, and Next Steps
Overview of OCPA and HIPAA
The Oregon Consumer Privacy Act (OCPA) is a comprehensive state privacy law that sets baseline rules for personal data processing by organizations serving Oregon residents. It applies based on regulatory thresholds—generally 100,000 consumers annually, or 25,000 with at least 25% of revenue from the sale of personal data—rather than on revenue alone.
HIPAA governs the privacy and security of Protected Health Information within the health care ecosystem. Because both regimes can affect the same organization, HIPAA-covered entities need to scope which data and activities fall under OCPA and which remain solely under HIPAA, then align compliance controls accordingly.
Definition of Protected Health Information
Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a HIPAA covered entity or its business associate that relates to a person’s past, present, or future physical or mental health or condition, health care provision, or payment for care. PHI includes common identifiers—such as name, address, full-face photos, or device identifiers—when linked to health data. By contrast, data de-identified under HIPAA is not PHI.
It’s important to distinguish PHI from consumer health or wellness information collected outside HIPAA contexts (for example, website analytics, mobile app telemetry, or retail purchase histories). Those categories may be personal data under OCPA even if they feel “health-related.”
OCPA Applicability to HIPAA Entities
Does OCPA exempt HIPAA covered entities? No, not at the entity level. OCPA includes data-level exemptions for PHI processed in accordance with HIPAA, but HIPAA covered entities and business associates remain subject to OCPA for non-PHI personal data when they meet the regulatory thresholds.
In practice, this means OCPA can apply to consumer interactions outside HIPAA treatment, payment, and operations—for example, website cookies and pixels, patient portal marketing preferences, retail or e-commerce activities, loyalty programs, events, or adtech. Employment and business-to-business data are outside OCPA’s consumer scope, and personal data processed solely to complete a payment transaction is excluded from threshold counting.
OCPA also treats certain categories as sensitive data (for example, precise geolocation, biometric and genetic data, data about mental or physical condition, status as transgender or nonbinary, and a child’s data). Processing sensitive data generally requires opt-in consent, which is separate from HIPAA consent constructs.
Compliance Requirements for HIPAA Entities
If you meet OCPA’s applicability thresholds for consumer data, you assume controller obligations for that non-PHI data. Key requirements include:
- Data minimization and purpose limitation: collect only what is adequate, relevant, and reasonably necessary for disclosed purposes.
- Sensitive data consent: obtain clear opt-in consent before processing sensitive data; a child's data (under 13) requires parental consent, and consumers aged 13–15 generally must consent before targeted advertising, sale, or certain profiling.
- Consumer request handling: respond within statutory timelines (typically 45 days) to access, correction, deletion, portability, and opt-out requests, and offer a clear appeals process.
- Universal opt-out signals: honor valid browser-based or platform preference signals for sale/targeted advertising by the required effective date.
- Data protection assessments: conduct and document assessments for high-risk activities (e.g., targeted advertising, sale, sensitive data processing, or profiling that produces legal or similarly significant effects).
- Processor management: execute contracts with processors that define processing instructions, confidentiality duties, subprocessor controls, audit support, and deletion or return of data at the end of the engagement.
- Security safeguards and no dark patterns: implement appropriate administrative, technical, and physical controls and avoid consent flows that manipulate choice.
- Enforcement context: OCPA is enforced by the Oregon Attorney General; civil penalties can reach up to $7,500 per violation, and a limited right-to-cure period applies until that provision sunsets.
Consumer Rights under OCPA
OCPA grants Oregon consumers robust rights over personal data that is not exempt PHI. You must enable:
- Access to personal data and confirmation of processing, plus data portability.
- Correction of inaccurate personal data.
- Deletion of personal data, including data obtained from third parties and, uniquely, certain derived data.
- Opt-out of sale, targeted advertising, and profiling that produces legal or similarly significant effects.
- A right to a list of specific third parties to whom you disclosed personal data (not just categories), which requires accurate data-sharing inventories.
- A timely and transparent appeals process for denied requests, without discrimination for exercising rights.
These rights apply to consumer-context personal data outside HIPAA’s PHI carve-out. You should clearly explain this boundary in your notices and workflows.
Privacy Policy Updates
To meet OCPA's privacy notice requirements, publish a readily accessible notice that, at minimum, describes the categories of personal data processed, the purposes, the lawful basis or consent where relevant, and how consumers can exercise their rights and appeal a denial. State whether you sell personal data, engage in targeted advertising, or conduct profiling with legal or similarly significant effects, and how consumers can opt out, including recognition of universal opt-out signals.
Include how you handle sensitive data and consent withdrawal, retention practices, the types of personal data shared, and the categories of third parties with whom you share it. Provide contact methods and identity verification steps and explain authorized agent submissions. Keep your HIPAA Notice of Privacy Practices separate for PHI, but cross-reference so consumers understand which notice covers which data.
Data Processing Best Practices for Compliance
Scope and Segregate
Build a data map that distinguishes PHI from non-PHI personal data. Tag systems and vendors by processing purpose, data category, and sensitivity to prevent accidental commingling and to streamline rights fulfillment.
Strengthen Governance and Risk
Adopt privacy-by-design. Update retention schedules, minimize collection, and schedule Data Protection Assessments for targeted ads, sale, profiling, and sensitive data. Document outcomes and remediation steps.
Modernize Consent and Opt-Out
Deploy clear, plain-language consent flows for sensitive data; avoid dark patterns. Implement preference centers and honor universal opt-out signals. Ensure non-account holders can submit requests and receive responses.
Tighten Vendor Management
Inventory processors and sub-processors. Update data processing agreements to meet OCPA terms, verify technical safeguards, audit at risk-based intervals, and require timely deletion or return of data at contract end.
Operationalize Consumer Requests
Stand up repeatable workflows for access, correction, deletion (including derived data where required), and portability. Maintain logs that support the right to a list of specific third parties. Train staff and test turnaround times.
Conclusion
OCPA does not exempt HIPAA covered entities at the organizational level. It exempts PHI processed under HIPAA, but you must comply with OCPA for non-PHI consumer data if you meet the thresholds. Map your data, update notices, obtain sensitive data consents, enable rights, assess high-risk processing, and reinforce processor controls to meet the law’s scope and timelines.
FAQs
What personal data does OCPA cover for HIPAA entities?
OCPA covers non-PHI personal data processed in a consumer context, such as website or app identifiers, precise geolocation, device and ad IDs, marketing and loyalty information, customer support records, and other data not created or used as PHI under HIPAA. Employment and business-to-business records are outside consumer scope, and PHI processed in accordance with HIPAA is exempt from OCPA.
How does OCPA define protected health information?
OCPA does not redefine PHI; it recognizes HIPAA’s definition. PHI is individually identifiable health information handled by a HIPAA covered entity or business associate that relates to health status, care, or payment. Data de-identified under HIPAA is not PHI, while health-related data collected outside HIPAA contexts may still be personal or sensitive data under OCPA.
What steps must HIPAA-covered entities take to comply with OCPA?
Confirm you meet applicability thresholds, then inventory non-PHI consumer data and segregate it from PHI. Update your privacy policy for Oregon, implement rights workflows (access, correction, deletion, portability, opt-outs, appeals), obtain consent for sensitive data and for teens where required, recognize universal opt-out signals by the effective date, conduct data protection assessments for high-risk processing, and update processor contracts and technical safeguards to align with OCPA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.