HIPAA Covered Entities under Minnesota CDPA: Scope, Exceptions, Best Practices
Definition of HIPAA Covered Entities
HIPAA covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with standardized transactions. If you fit any of these categories, HIPAA governs your handling of Protected Health Information (PHI).
Business associates are vendors or partners that create, receive, maintain, or transmit PHI on your behalf. You must execute a Business Associate Agreement that sets permitted uses, safeguards, breach duties, and flow-down obligations. The Minimum Necessary Standard applies across your workforce and vendors, limiting PHI access to what is reasonably needed.
Your Notice of Privacy Practices explains how you use and disclose PHI, individual rights, and how to exercise them. Keep this notice clear and accessible, and ensure your practices match the notice across clinical, operational, and digital touchpoints.
Overview of Minnesota Consumer Data Privacy Act
The Minnesota Consumer Data Privacy Act (Minnesota CDPA) establishes rights for Minnesota residents and duties for organizations that control or process personal data. It focuses on transparency, data minimization, purpose limitation, security, and accountability for personal data outside sector-specific federal regimes.
Key obligations include providing a concise privacy notice, honoring consumer rights (access, correction, deletion, portability, and opt-outs for targeted advertising, sale, and certain profiling), and maintaining Data Security Procedures appropriate to risk. For high-risk activities—such as processing sensitive data or profiling with significant effects—you should perform and retain documented data protection assessments.
Exemptions under Minnesota CDPA
Exemptions are primarily data-based. PHI processed by a HIPAA covered entity or business associate is generally exempt. Patient-identifying information governed by 42 CFR Part 2 is also excluded, reflecting heightened confidentiality for substance use disorder records.
Additional common exemptions include de-identified data, research data meeting applicable standards, and information subject to other federal regimes (for example, GLBA, FCRA, FERPA, and DPPA). The Minnesota Health Records Act continues to apply to health records and may impose stricter consent or disclosure limits than HIPAA in certain cases.
Importantly, the entity itself is not universally exempt. When you process non-PHI personal data—for instance, website analytics, marketing leads, or employee and B2B data outside HIPAA—those activities can fall under the Minnesota CDPA.
Relationship between HIPAA and Minnesota CDPA
Think “data silos.” PHI stays in the HIPAA silo; non-PHI consumer data sits in the Minnesota CDPA silo. HIPAA governs uses and disclosures of PHI, while Minnesota CDPA imposes consumer privacy duties for personal data not covered by HIPAA. You must determine which rules apply to each dataset and apply the stricter standard when both could be relevant.
Where HIPAA and the Minnesota Health Records Act impose more stringent protections, those controls remain. Meanwhile, Minnesota CDPA adds rights and obligations for non-PHI: clear privacy notices, opt-out mechanisms, and timely request handling. Aligning HIPAA’s Minimum Necessary Standard with Minnesota CDPA’s data minimization and purpose limitation helps unify both regimes.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Protection of Protected Health Information
For PHI, continue to apply HIPAA’s Administrative, Physical, and Technical Safeguards. Maintain role-based access, robust authentication, audit logging, encryption in transit and at rest, and workforce training. Periodically test and update your Data Security Procedures to reflect changes in systems, vendors, and the threat landscape.
Use Business Associate Agreements to extend safeguards to vendors and require incident reporting and cooperation. Your Notice of Privacy Practices should accurately reflect disclosures, including patient portals, telehealth tools, and integrated workflows that might interface with non-PHI systems.
Compliance Best Practices for Covered Entities
1) Map data and classify it correctly
Inventory where personal data is collected, stored, and shared. Label datasets as PHI, Part 2 information, Minnesota Health Records Act data, or non-PHI consumer data. This classification drives which law applies and which rights you must honor.
2) Separate PHI from marketing and analytics data
Architect systems so PHI does not commingle with marketing pixels, cookies, or third-party tools. For non-PHI, implement Minnesota CDPA opt-outs and clear notices; for PHI, apply HIPAA’s Minimum Necessary Standard and strict vendor controls.
3) Update vendor contracts
Use Business Associate Agreements for PHI and privacy addenda or DPAs for non-PHI. Require security controls, breach notice timelines, data-subject request cooperation, and deletion/return of data at contract end.
4) Build a consumer rights program
Establish intake, verification, and fulfillment workflows for access, correction, deletion, portability, and opt-out requests related to non-PHI. Offer an internal appeal process and track outcomes to improve consistency.
5) Conduct assessments for high-risk processing
Document data protection assessments for targeted advertising, sale of personal data, sensitive data processing, and profiling with significant effects. Record purposes, benefits, risks, and mitigations, and revisit assessments as processing changes.
6) Strengthen security and incident response
Align security with both HIPAA and Minnesota CDPA by using risk-based safeguards, continuous monitoring, encryption, and timely patching. Maintain a tested incident response plan that covers both PHI and non-PHI scenarios.
7) Train teams and measure performance
Train clinical, marketing, and IT teams on the differences between PHI and consumer data obligations. Track metrics such as request timelines, opt-out rates, and vendor remediation to drive sustained compliance.
Recordkeeping and Privacy Policy Updates
Maintain records of consumer data requests and your responses for at least 24 months. Keep logs of verification steps, response dates, decisions, and any appeals. Retain data protection assessments, risk findings, and remediation evidence to demonstrate accountability.
Refresh your privacy policy to describe categories of personal data processed, purposes, sharing practices, consumer rights and how to exercise them, opt-out mechanisms, and your appeal process. For PHI, ensure your Notice of Privacy Practices remains accurate and distinct from your general privacy policy to avoid confusing patients.
FAQs
What entities are considered HIPAA covered entities under Minnesota CDPA?
HIPAA covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. They remain covered entities under HIPAA regardless of Minnesota CDPA; the latter may still apply to their non-PHI consumer data.
How does the Minnesota CDPA exempt HIPAA-covered health data?
The Minnesota CDPA generally exempts PHI processed under HIPAA and patient-identifying information under 42 CFR Part 2. That exemption is data-based, so HIPAA-governed records are outside Minnesota CDPA, while other personal data the organization handles can still be in scope.
What are best practices for HIPAA covered entities to comply with Minnesota CDPA?
Classify data by regime (HIPAA, Part 2, Minnesota Health Records Act, or non-PHI), segregate PHI from marketing and analytics, update BAAs and vendor DPAs, operationalize consumer rights and appeals, perform high-risk processing assessments, harden security, and keep comprehensive records.
How long must data requests be retained under Minnesota CDPA requirements?
You should retain records of consumer data requests and your responses for at least 24 months, including verification steps, timing, decisions, and any appeals.