Does the Minnesota Consumer Data Privacy Act Exempt HIPAA Covered Entities?

Kevin Henry

Data Privacy

January 24, 2025

6 minutes read

Overview of the Minnesota Consumer Data Privacy Act

The Minnesota Consumer Data Privacy Act (MCDPA) is Minnesota’s comprehensive privacy law governing how certain businesses collect, use, and disclose personal data about Minnesota residents. It applies to entities that, during a calendar year, process personal data of 100,000 or more consumers (payment-only data excluded), or derive over 25% of gross revenue from the sale of personal data and process at least 25,000 consumers’ data. The law takes effect on July 31, 2025, with a later start for postsecondary institutions. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

MCDPA includes targeted entity and data exclusions (for example, small businesses, certain financial institutions, and credit data), but it is not a blanket exemption regime. Instead, it pairs consumer rights with controller and processor obligations, aligning Minnesota with broader U.S. privacy trends while adding state-specific requirements. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Scope of HIPAA Covered Entities

Under HIPAA, a “covered entity” is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with specified transactions. HIPAA also defines “business associates” and requires Business Associate Agreements (BAAs) for PHI handling. These federal definitions frame how health-sector organizations evaluate whether data is PHI and when HIPAA controls apply. ([federal.elaws.us](https://federal.elaws.us/cfr/title-45/section-160.103?utm_source=openai))

MCDPA Exemptions for HIPAA

Answering the core question: the MCDPA does not provide a blanket, entity-level exemption for HIPAA covered entities or business associates. Instead, the statute exempts specific categories of health-related data, including protected health information (PHI) under HIPAA, certain Minnesota Health Records Act data, 42 CFR Part 2 substance use disorder records, deidentified data, and some intermingled data maintained by covered entities or business associates. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Practically, this means the exemption follows the data, not the organization. Clinical records that constitute PHI are excluded from the MCDPA, but non-PHI consumer data a hospital, clinic, plan, or vendor collects (for example, website analytics, marketing leads, or event registrations) may still fall under the MCDPA if statutory thresholds are met. The Minnesota Attorney General’s guidance similarly distinguishes entity exclusions from data-based exemptions. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Definition of Protected Health Information

Protected Health Information is HIPAA’s term for individually identifiable health information that is transmitted or maintained in any medium by a covered entity or its business associate. PHI excludes education records covered by FERPA and employment records held by a covered entity in its role as employer. This definition determines whether your data qualifies for MCDPA’s health-data exclusions. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))

Compliance Requirements for Non-Exempt Entities

Core consumer rights and notices

If your data or processing activities are not exempt, you must provide consumers with a clear privacy notice that discloses categories of personal data, purposes, consumer rights and appeals, data sharing/sales, retention practices, contact information, and the last update date. You must also offer opt-out mechanisms for targeted advertising, sale of personal data, and certain profiling. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Data minimization, retention, and sensitive data

MCDPA requires you to limit collection to what is adequate, relevant, and reasonably necessary; restrict retention to what remains necessary for stated purposes; and obtain consent before processing sensitive data. Special rules apply for consumers aged 13–16 for targeted advertising and sales. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Governance and assessments

You must document privacy policies and procedures and designate a chief privacy officer or comparable privacy lead responsible for compliance. In addition, you must conduct and retain data privacy and protection assessments for activities like targeted advertising, sale of personal data, processing sensitive data, and higher-risk profiling. These assessments must be produced to the Minnesota Attorney General upon request. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Processor contracts

When acting as or engaging a processor, MCDPA requires a written processing contract that sets out instructions, scope, duration, security, deletion/return of data, and audit/assessment rights. This is separate from HIPAA’s BAA requirement and should be aligned with it. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Impact of Exemption on Business Associates

HIPAA business associates are not categorically exempt. PHI they create, receive, maintain, or transmit under a BAA falls within MCDPA’s health-data exclusions. However, non-PHI consumer data a business associate handles—such as marketing lists, product analytics, or support-site telemetry—may be covered if MCDPA thresholds are met. Ensure BAAs and privacy addenda collectively address both HIPAA and MCDPA duties (for example, controller–processor contract terms and consumer rights workflows). ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Enforcement and Regulatory Considerations

The Minnesota Attorney General enforces the MCDPA. There is a 30‑day warning-and-cure period that expires on January 31, 2026; after that, violations may lead directly to enforcement. Penalties can reach up to $7,500 per violation, and the law does not create a private right of action. Minnesota also preempts local privacy ordinances. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Conclusion

In Minnesota, HIPAA status alone does not take your organization out of MCDPA’s scope. The law exempts PHI and specified health-related datasets, but it regulates non‑PHI consumer data and requires clear notices, data minimization, rights handling, governance, and processor contracts. Map your data, separate PHI from non‑PHI, and align your HIPAA program with MCDPA’s consumer privacy obligations.

FAQs

What entities are exempt under the MCDPA?

Entity exclusions include governmental entities, federally recognized tribes, certain self‑regulatory organizations, state‑ or federally chartered banks and credit unions (and some affiliates), certain insurance entities, small businesses (subject to a consent rule for selling sensitive data), and air carriers to the extent preempted. Nonprofits are narrowly exempt only if established to detect and prevent insurance fraud. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Does MCDPA regulate protected health information?

Generally no. PHI under HIPAA, along with certain related health datasets (for example, Minnesota Health Records Act data, 42 CFR Part 2 records, HIPAA‑deidentified and limited data sets, and some intermingled data), is excluded. The exemption is data‑based, so non‑PHI consumer data your organization processes can still be covered. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

How does the MCDPA define a covered entity?

MCDPA does not use HIPAA’s “covered entity” construct. Instead, it regulates “controllers” and “processors,” and applies when statutory processing thresholds are met. “Covered entity” appears in MCDPA only to reference HIPAA for the health‑data exclusions. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))

Are business associates under HIPAA exempt from the MCDPA?

No blanket exemption exists. Business associates benefit from the same data‑level exclusions (for example, PHI and specified intermingled data maintained by a covered entity or business associate), but their non‑PHI consumer data processing may be subject to MCDPA, including controller–processor contract obligations and consumer rights workflows. ([revisor.mn.gov](https://www.revisor.mn.gov/laws/2024/0/121/laws.5.1.0))
