Does the Maryland Online Data Privacy Act Apply to HIPAA Covered Entities?
Kevin Henry

Data Privacy

January 22, 2025

Scope of the Maryland Online Data Privacy Act

The Maryland Online Data Privacy Act (MODPA), which takes effect October 1, 2025, governs the processing of Maryland residents' personal data by entities that conduct business in Maryland or target products and services to Maryland consumers. It establishes controller and processor duties, consumer rights, data minimization rules, and data security requirements designed to strengthen data privacy compliance across sectors.

MODPA focuses on “personal data,” a broad category that extends beyond clinical records to include identifiers like online IDs, device information, precise location, and inferences. It generally excludes de-identified and publicly available information, subject to conditions that prevent re-identification. Applicability turns on your activities and processing volume, not your industry alone: the law reaches businesses that, during the preceding calendar year, controlled or processed the personal data of at least 35,000 Maryland consumers (excluding data processed solely to complete a payment transaction), or of at least 10,000 consumers while deriving more than 20 percent of gross revenue from the sale of personal data.

When HIPAA-covered organizations fall within scope

HIPAA status does not automatically remove an organization from MODPA. If you are a hospital, health plan, clinic, or related organization that handles non-PHI personal data—such as website analytics, marketing lists, event registrations, or non-clinical mobile app data—those activities can trigger MODPA obligations if statutory thresholds are met.

Definition of HIPAA Covered Entities

A HIPAA Covered Entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. These organizations handle Protected Health Information (PHI) under HIPAA’s Privacy, Security, and Breach Notification Rules.

Covered Entities vs. Business Associates

Business associates are vendors or partners that create, receive, maintain, or transmit PHI for a HIPAA Covered Entity. While business associates are not “covered entities,” both must safeguard PHI. Under MODPA, however, both covered entities and business associates should evaluate non-PHI personal data activities for potential obligations.

Exemptions for Protected Health Information

MODPA includes regulatory exemptions for PHI as defined by HIPAA. Personal data that is PHI—and processed in compliance with HIPAA—falls outside MODPA’s core requirements. De-identified data that meets HIPAA’s de-identification standard is also generally exempt, provided it is not re-identified.

What the PHI exemption usually covers

  • Clinical records and diagnostic results within an EHR.
  • Claims, eligibility, and payment information handled as PHI.
  • Operations data treated as PHI (for example, quality improvement files tied to individuals).

However, data that a HIPAA Covered Entity maintains outside HIPAA’s framework—such as marketing pixels on public pages, non-patient newsletters, or consumer-facing wellness content not tied to treatment or payment—typically is not PHI and can be in scope for MODPA.

Obligations of HIPAA Covered Entities Under MODPA

When MODPA applies to your non-PHI personal data processing, you must meet consumer privacy and data security requirements distinct from HIPAA. Key duties generally include:

Transparency and consumer rights

  • Provide a clear privacy notice describing personal data processing, purposes, and consumer rights.
  • Enable rights to access, correction, deletion, and data portability for covered personal data.
  • Offer opt-outs for targeted advertising, sale of personal data, and certain forms of profiling.

Governance and risk controls

  • Apply data minimization: collect only what is reasonably necessary for specified purposes.
  • Process sensitive data (for example, consumer health data, precise geolocation, biometric or genetic data, or data of a known child) only where strictly necessary to provide or maintain a specific product or service the consumer requested; MODPA sets a “strictly necessary” limit rather than an opt-in consent model, and it prohibits the sale of sensitive data outright.
  • Conduct data protection assessments for higher-risk processing like targeted advertising, sale, profiling, and sensitive data processing.
  • Implement appropriate data security requirements commensurate with the sensitivity and volume of personal data.
  • Use processor contracts that define instructions, confidentiality, security, and assistance with consumer requests.

Differences Between MODPA and HIPAA

HIPAA is a sectoral health privacy law that protects PHI and is enforced primarily by HHS OCR. MODPA is a comprehensive state privacy law protecting consumer personal data across industries; it is enforced by the Maryland Attorney General through the Division of Consumer Protection and creates no private right of action. As a result, the two frameworks apply to different data sets and activities.

Key contrasts

  • Scope of data: HIPAA focuses on PHI; MODPA covers consumer personal data more broadly, including digital identifiers unrelated to care delivery.
  • Individual rights: HIPAA emphasizes access and amendment of PHI; MODPA adds deletion, portability, and opt-outs for targeted advertising, sale, and certain profiling.
  • Legal standards: HIPAA’s “minimum necessary” standard governs PHI; MODPA adds an explicit data minimization duty (collect only what is reasonably necessary and proportionate to the product or service requested) and, for sensitive personal data, a stricter “strictly necessary” limit plus a ban on sale.
  • Commercial uses: MODPA directly regulates marketing, adtech, and targeted advertising, including a prohibition on targeted advertising to, and sale of the personal data of, consumers the controller knows or should know are under 18; HIPAA does not specifically address these activities.

Compliance Strategies for HIPAA Covered Entities

1) Separate PHI from consumer data

Maintain a data inventory that clearly distinguishes PHI from other personal data. Isolate PHI systems and ensure non-PHI stores (marketing tools, web analytics, CRM) are governed under MODPA-ready policies.

2) Update notices, choices, and sensitive data handling

Refresh privacy notices to describe personal data processing beyond PHI. Implement opt-out mechanisms for targeted advertising and sale, and confine any processing of sensitive personal data to what is strictly necessary for the product or service the consumer requested.

3) Strengthen contracts and vendor due diligence

Execute processor agreements covering instructions, security, subprocessor controls, and assistance with consumer requests. Verify adtech, analytics, and SaaS vendors can support MODPA obligations and data subject rights.

4) Embed minimization, retention, and security

Limit collection to defined purposes, set defensible retention schedules, and apply risk-based safeguards such as encryption, access controls, logging, and secure deletion for non-PHI personal data.

5) Build rights-response and assessment workflows

Stand up processes for verifying identity and fulfilling access, correction, deletion, and portability requests on time. Run data protection assessments for higher-risk processing, record decisions, and revisit periodically.

Impact on Healthcare Data Management

MODPA pushes healthcare organizations to expand privacy-by-design beyond HIPAA. Data teams must catalog non-PHI personal data, reconfigure marketing and analytics stacks, and tighten governance so that only necessary personal data is collected and retained for legitimate purposes.

Practically, you should expect increased coordination among compliance, security, marketing, and IT to harmonize HIPAA and MODPA controls. The bottom line: MODPA generally does not cover PHI processed in compliance with HIPAA, but it can apply to a HIPAA Covered Entity’s non-PHI personal data—particularly online identifiers and marketing data—requiring clear notices, consumer choices, strong contracts, and demonstrable security.

FAQs

What types of data does MODPA exempt under HIPAA?

MODPA typically exempts Protected Health Information processed in compliance with HIPAA and HIPAA-de-identified data, so long as it is not re-identified. Clinical records, claims, and operations data handled as PHI are covered by this exemption, whereas non-PHI consumer data (like public-site analytics) generally is not.

How does MODPA affect HIPAA-covered entities' data processing?

MODPA can apply to a HIPAA Covered Entity’s non-PHI personal data processing—such as marketing, web analytics, and certain mobile app data. When in scope, you must provide transparent notices, honor consumer rights (access, correction, deletion, portability), offer opt-outs for targeted advertising and sale, restrict sensitive data processing to what is strictly necessary and refrain from selling it, and implement appropriate security and assessment practices.

Are there any entity-level exemptions for HIPAA-covered entities under MODPA?

MODPA does not provide a blanket entity-level exemption for HIPAA Covered Entities. The law’s key relief is data-level: PHI and HIPAA-de-identified data are exempt. If a covered entity processes non-PHI personal data of Maryland residents, those activities can fall under MODPA.

How can HIPAA-covered entities ensure compliance with both HIPAA and MODPA?

Map data to distinguish PHI from non-PHI personal data, segregate systems, and align policies. Update privacy notices, consent and opt-out mechanisms, and processor contracts for MODPA. Implement data minimization, retention, and risk-based security controls, and establish workflows for consumer rights and data protection assessments while continuing to meet HIPAA’s privacy and security requirements.
