Exempt but Not Immune: MODPA Requirements for HIPAA Covered Entities
MODPA Applicability Criteria
Who must comply
MODPA applies to organizations that conduct business in Maryland or target Maryland residents and meet specified processing thresholds. “Consumer” means a Maryland resident acting in an individual or household context; individuals in employment or commercial contexts are excluded. Processors that handle personal data on behalf of controllers are also in scope. ([oag.maryland.gov](https://oag.maryland.gov/resources-info/Pages/data-privacy.aspx?utm_source=openai))
Thresholds and scope
You fall under MODPA if, in the prior calendar year, you controlled or processed personal data of at least 35,000 Maryland consumers, or at least 10,000 consumers and derived over 20% of gross revenue from selling personal data. Data processed solely to complete a payment transaction does not count toward the 35,000 threshold. ([oag.maryland.gov](https://oag.maryland.gov/resources-info/Pages/data-privacy.aspx?utm_source=openai))
Exemptions to MODPA
Health-related data-level exemptions
PHI regulated by the HIPAA Privacy Rule is exempt from MODPA. Additional exemptions relevant to health care include 42 U.S.C. § 290dd-2 substance use disorder records, certain human‑subjects research data (Common Rule and ICH-GCP/21 C.F.R. Parts 50 and 56), Patient Safety Work Product, and specified public health, community health, or population health activities when provided by or to a HIPAA covered entity or business associate. De‑identified data and publicly available information are also outside MODPA’s “personal data” definition. ([codes.findlaw.com](https://codes.findlaw.com/md/commercial-law/md-code-coml-sect-14-4703/?utm_source=openai))
Entity-level limits do not extend to HIPAA organizations
MODPA takes a narrow approach to entity exemptions: nonprofits and HIPAA covered entities are not categorically exempt. Instead, the exemption is data-level—PHI is exempt, but non‑PHI collected by a covered entity (e.g., website analytics, marketing leads, app telemetry) can trigger MODPA duties if applicability thresholds are met. ([hoganlovells.com](https://www.hoganlovells.com/en/publications/maryland-legislature-passes-comprehensive-data-privacy-bill?utm_source=openai))
HIPAA Covered Entity Compliance
Exempt but not immune
Because MODPA exempts PHI but not HIPAA organizations wholesale, HIPAA covered entities and business associates must treat non‑PHI as “personal data” for MODPA purposes. Expect MODPA to reach patient‑adjacent consumer interactions—think appointment reminder portals, retail clinic sites, or wellness newsletters—where the information is not PHI under HIPAA. ([hoganlovells.com](https://www.hoganlovells.com/en/publications/maryland-legislature-passes-comprehensive-data-privacy-bill?utm_source=openai))
Data Controller Obligations that apply to non‑PHI
- Publish a clear privacy notice disclosing categories, purposes, and opt‑out methods for targeted advertising, sale, and significant profiling. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/05/21/maryland-enacts-comprehensive-data-privacy-act?utm_source=openai))
- Honor Data Subject Rights requests (access, correction, deletion, portability, third‑party disclosure lists) and appeals within statutory timeframes; support universal opt‑out mechanisms. ([whitecase.com](https://www.whitecase.com/insight-alert/maryland-enacts-comprehensive-data-privacy-law?utm_source=openai))
- Execute data processing agreements with processors and maintain appropriate security controls. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/05/21/maryland-enacts-comprehensive-data-privacy-act?utm_source=openai))
- Conduct documented data protection assessments for processing that presents a heightened risk of harm, including an assessment for each algorithm used. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/05/21/maryland-enacts-comprehensive-data-privacy-act?utm_source=openai))
Federal Preemption
HIPAA sets a federal floor. If a state law is contrary to HIPAA, HIPAA generally preempts it, except where the state law is “more stringent” regarding the privacy of individually identifiable health information (IIHI), in which case the state law prevails. In practice, you must comply with HIPAA for PHI and with MODPA for non‑PHI; where both can be followed, you follow both. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/399/does-hipaa-preempt-state-laws/index.html?utm_source=openai))
Data Minimization Obligations
Baseline rule for personal data
Controllers must limit collection to what is reasonably necessary and proportionate to provide or maintain a specific product or service the consumer requested. This is a tighter, purpose‑bound standard than many other state laws and functions in practice as a set of data processing limitations. ([hoganlovells.com](https://www.hoganlovells.com/en/publications/maryland-legislature-passes-comprehensive-data-privacy-bill?utm_source=openai))
Sensitive data: a stricter bar
For sensitive data—including Consumer Health Data, biometrics, precise geolocation, and certain protected characteristics—MODPA allows collection, processing, or sharing only when strictly necessary to provide or maintain the specific requested product or service; sale of sensitive data is categorically prohibited. ([wp.nyu.edu](https://wp.nyu.edu/compliance_enforcement/2024/05/07/maryland-legislature-passes-state-privacy-bill-with-robust-requirements-and-broad-threshold-for-application/?utm_source=openai))
Implementation tips for HIPAA entities
- Map non‑PHI data flows and tie each field to a concrete, user‑requested service; remove “nice‑to‑have” fields. ([hoganlovells.com](https://www.hoganlovells.com/en/publications/maryland-legislature-passes-comprehensive-data-privacy-bill?utm_source=openai))
- Gate any sensitive data collection behind necessity reviews and DPAs; avoid any “sale” of sensitive data. ([mondaq.com](https://www.mondaq.com/unitedstates/privacy-protection/1598944/march-privacy-forecast-marylands-strict-new-privacy-law-takes-effect-october-1?utm_source=openai))
- Document assessments for targeted advertising, profiling, sensitive data, and algorithms. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/05/21/maryland-enacts-comprehensive-data-privacy-act?utm_source=openai))
Consumer Rights under MODPA
Core Data Subject Rights
- Confirm and access personal data processed about the consumer.
- Correct inaccuracies.
- Delete personal data provided by or obtained about the consumer.
- Obtain a portable copy of personal data.
- Receive a list of third parties (or categories) to whom data was disclosed.
- Opt out of targeted advertising, sale of personal data, and certain profiling with legal or similarly significant effects; support universal opt‑out signals. ([koleyjessen.com](https://www.koleyjessen.com/insights/publications/maryland-online-data-privacy-act?utm_source=openai))
Controllers must respond within 45 days (with a limited extension) and offer an appeal process if requests are denied. Employees and B2B contacts are not “consumers” under MODPA. ([whitecase.com](https://www.whitecase.com/insight-alert/maryland-enacts-comprehensive-data-privacy-law?utm_source=openai))
MODPA Enforcement Timeline
Key dates
- October 1, 2025: Law takes effect. ([koleyjessen.com](https://www.koleyjessen.com/insights/publications/maryland-online-data-privacy-act?utm_source=openai))
- April 1, 2026: MODPA does not apply to processing activities before this date; enforcement targets post‑April 1, 2026 processing. ([msba.org](https://www.msba.org/site/site/content/News-and-Publications/News/General-News/What-to-Know-About-Marylands-Consumer-Data-Privacy-Act.aspx?utm_source=openai))
- Through April 1, 2027: A 60‑day cure period is available at the discretion of the Maryland Attorney General, who enforces MODPA. ([bassberry.com](https://www.bassberry.com/news/maryland-lands-on-novel-data-privacy-scheme/?utm_source=openai))
Enforcement mechanics and penalties
There is no private right of action. MODPA violations are enforced exclusively by the Maryland Attorney General under the Maryland Consumer Protection Act, with penalties up to $10,000 per violation and up to $25,000 for subsequent violations. ([cliclaw.com](https://www.cliclaw.com/library/maryland-online-data-privacy-act-2024-modpa-md-commercial-law-code/?utm_source=openai))
Conclusion
For HIPAA organizations, MODPA’s message is clear: PHI may be exempt, but non‑PHI is firmly in scope. Align your non‑PHI programs to MODPA’s data minimization standard, stand up MODPA‑ready Data Subject Rights operations, and document assessments—especially for algorithms and sensitive data—to be ready for Maryland’s enforcement cadence.
FAQs
What data is exempt from MODPA for HIPAA covered entities?
Protected Health Information (PHI) governed by the HIPAA Privacy Rule is exempt. MODPA also exempts certain research data, Patient Safety Work Product, specified public health activities involving HIPAA entities, and other categories outlined in statute. De‑identified data and publicly available information fall outside MODPA’s “personal data.” ([codes.findlaw.com](https://codes.findlaw.com/md/commercial-law/md-code-coml-sect-14-4703/?utm_source=openai))
How does MODPA affect non-PHI data handling?
Non‑PHI collected by HIPAA entities—such as website analytics, marketing lists, or app telemetry—can be subject to MODPA’s Data Controller Obligations, including data minimization, transparency, honoring opt‑outs (including universal signals), contracts with processors, and data protection assessments. ([hoganlovells.com](https://www.hoganlovells.com/en/publications/maryland-legislature-passes-comprehensive-data-privacy-bill?utm_source=openai))
When does MODPA enforcement begin in Maryland?
MODPA is effective October 1, 2025, but it does not apply to any personal data processing activities before April 1, 2026. A discretionary 60‑day cure period applies until April 1, 2027. ([koleyjessen.com](https://www.koleyjessen.com/insights/publications/maryland-online-data-privacy-act?utm_source=openai))
What consumer rights does MODPA guarantee?
Consumers can access, correct, delete, and port their data; obtain third‑party disclosure lists; and opt out of targeted advertising, sale, and certain profiling. Controllers must respond within 45 days and support an appeal process and universal opt‑out mechanisms. ([whitecase.com](https://www.whitecase.com/insight-alert/maryland-enacts-comprehensive-data-privacy-law?utm_source=openai))