Does the Iowa Consumer Data Protection Act Exempt HIPAA Covered Entities?

Kevin Henry

Data Protection

January 25, 2025

7 minute read

Yes. The Iowa Consumer Data Protection Act (Iowa CDPA), effective January 1, 2025, expressly exempts HIPAA covered entities and their Business Associates. The law also excludes Protected Health Information (PHI) regulated by federal health privacy law, ensuring HIPAA remains the primary framework for medical privacy in Iowa.

Exempt Entities Under Iowa Consumer Data Protection Act

HIPAA covered entities and Business Associates

Hospitals, physician groups, health plans, and clearinghouses that are HIPAA covered entities are exempt, as are their Business Associates performing Personal Data Processing on their behalf. This exemption recognizes HIPAA’s comprehensive privacy and security rules.

Other commonly exempt organizations

The Act also exempts certain categories of organizations outside healthcare, such as financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and state or local government bodies. If your organization fits one of these categories, the Iowa CDPA generally does not apply.

Affiliates and corporate structure

Exemptions do not automatically extend to legally separate affiliates. If an affiliate is not itself a HIPAA covered entity, a Business Associate, or otherwise exempt, it must independently assess Iowa CDPA applicability.

Specific Data Exemptions in the Act

Health and financial data carve-outs

PHI governed by HIPAA is excluded from the Iowa CDPA. Patient-identifying information under 42 C.F.R. Part 2 and data regulated by GLBA are also outside scope, reflecting deference to sectoral federal frameworks.

Publicly available, de-identified, and employment data

Publicly available information and de-identified data are excluded. The law also carves out data collected in an employment or B2B context, which means workplace records are not treated as consumer personal data under the Act.

Other statutory exclusions

Data processed pursuant to federal laws such as the Fair Credit Reporting Act (FCRA) or the Driver's Privacy Protection Act (DPPA) is typically excluded when handled in compliance with those regimes.

Applicability Criteria for Iowa Consumer Data Protection Act

Iowa Resident Data Criteria

The law applies to businesses that conduct business in Iowa or target products or services to Iowa residents and meet volume thresholds for Iowa consumer data. “Consumer” means an Iowa resident acting in an individual or household context, not in employment or commercial roles.

Volume thresholds

The Act generally covers controllers that during a calendar year control or process personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction), or at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

What counts as processing

Processing includes collection, use, storage, disclosure, analysis, and deletion of personal data. De-identified and publicly available information are outside the definition of personal data for Iowa CDPA purposes.

Interaction Between HIPAA and Iowa CDPA

Federal Health Privacy Law remains primary

HIPAA, as a Federal Health Privacy Law, governs PHI handled by covered entities and Business Associates. The Iowa CDPA defers to HIPAA by exempting those entities and excluding PHI, minimizing conflicting rules for regulated healthcare operations.

Non-PHI and mixed environments

Marketing websites, consumer apps, or retail operations that do not involve PHI can still generate personal data. If those activities are conducted by non-exempt affiliates or vendors and meet thresholds, Iowa CDPA obligations may apply despite HIPAA coverage elsewhere in the enterprise.

Practical takeaway

If you are a HIPAA covered entity or Business Associate, your HIPAA-regulated activities are exempt under the Iowa CDPA. Still, confirm whether any non-HIPAA lines of business, separate affiliates, or vendors fall within the Act.

Compliance Requirements for Non-Exempt Entities

Core Data Controller Obligations

  • Publish a clear privacy notice describing categories of personal data, processing purposes, how consumers can exercise rights, and whether you engage in sale or targeted advertising.
  • Limit collection to what is reasonably necessary for disclosed purposes and implement reasonable security safeguards.
  • Honor consumer rights to confirm processing, access their personal data, delete personal data provided by the consumer, and obtain a portable copy where feasible.
  • Offer opt-out mechanisms for the sale of personal data and targeted advertising involving Iowa residents.
  • Execute data processing agreements with processors, defining instructions, confidentiality, and assistance with consumer requests.

Sensitive data and children’s data

Treat sensitive data with heightened care and align consent or notice practices with Iowa CDPA requirements and COPPA for children’s data. Validate age and document your approach when offering services likely to be used by teens or families.

Operational readiness

Stand up request intake and authentication workflows, track deadlines, and maintain records of decisions. Train staff and align incident response, retention, and minimization policies with your public disclosures.

Impact on Business Associates of HIPAA Covered Entities

When the exemption applies

Business Associates performing services that involve PHI for covered entities fall within the Iowa CDPA entity exemption tied to HIPAA. Their PHI-related Personal Data Processing is therefore outside the Act’s scope.

Services beyond HIPAA engagements

BA organizations may also serve non-healthcare clients or process non-PHI data. For those engagements, if the BA meets Iowa’s thresholds and no other exemption applies, it must comply as a controller or processor for that processing.

Contract architecture

Maintain clear separation between BAAs for HIPAA work and data processing agreements for Iowa CDPA–covered engagements. Map data flows to confirm which datasets are PHI, which are exempt under other statutes, and which are in-scope consumer data.

Enforcement and Penalties Under the Iowa CDPA

Attorney General enforcement

The Iowa Attorney General has exclusive enforcement authority. There is no private right of action under the Act, reducing class-action exposure but not regulatory risk.

Cure periods and penalties

Businesses typically receive a cure period to remediate alleged violations. Uncured violations can result in civil penalties of up to $7,500 per violation, along with injunctive relief and potential recovery of costs and fees.

What this means for your program

Even if you are exempt, documenting your exemption and maintaining accurate notices and contracts is prudent. Non-exempt entities should implement a right-sized roadmap that prioritizes opt-out controls, disclosures, and data subject request (DSR) handling.

Conclusion

The Iowa CDPA exempts HIPAA covered entities and their Business Associates and excludes PHI, preserving HIPAA as the controlling framework for medical privacy. Non-exempt organizations that meet Iowa Resident Data Criteria must implement practical Data Controller Obligations around notices, security, opt-outs, and consumer request handling.

FAQs

What entities are exempt from the Iowa Consumer Data Protection Act?

Entities exempt from the Iowa CDPA include HIPAA covered entities and Business Associates, financial institutions subject to GLBA, and certain government bodies. Exemptions are entity- and data-specific, so legally separate affiliates should confirm their own status.

How does HIPAA affect Iowa CDPA compliance?

HIPAA, a Federal Health Privacy Law, governs PHI and takes precedence for covered healthcare operations. Because the Iowa CDPA exempts HIPAA covered entities and Business Associates and excludes PHI, HIPAA-regulated activities are generally outside Iowa CDPA scope.

Are business associates of HIPAA-covered entities exempt?

Yes. Business Associates are exempt when governed by HIPAA for the services they provide. If they process non-PHI for non-exempt clients and meet Iowa thresholds, Iowa CDPA obligations may apply to that processing.

What types of data are excluded from the Iowa CDPA?

Excluded data categories include Protected Health Information (PHI), patient records governed by 42 C.F.R. Part 2, data regulated by GLBA, publicly available information, de-identified data, certain employment or B2B records, and data processed under other federal statutes when handled in compliance with those laws.
