ICDPA HIPAA Exemption Guide: What Covered Entities Must Still Comply With
The Iowa Consumer Data Protection Act (ICDPA) exempts certain health-sector activities to avoid duplicating federal rules. If you are a HIPAA covered entity or business associate, you still have meaningful obligations—both under HIPAA and, in some cases, under the ICDPA.
This guide clarifies what the ICDPA excludes, when it still applies, and how to align your program with the HIPAA Privacy Rule and HIPAA Security Rule while managing non-PHI consumer data. It is general information, not legal advice.
Overview of ICDPA Exemptions
ICDPA exemptions operate on two levels: entity/actor and data. The law generally removes activities already governed by federal health privacy frameworks so organizations do not face conflicting requirements.
- Entity/actor focus: HIPAA covered entities and their business associates receive broad relief for HIPAA-governed processing.
- Data focus: specific categories—like Protected Health Information (PHI) and de-identified data—are carved out, even when handled by otherwise in-scope organizations.
- Residual scope: when you process non-PHI consumer data (for example, marketing analytics or website tracking) and meet the law’s thresholds, portions of the ICDPA can still apply.
HIPAA Covered Entities and ICDPA
Being a HIPAA covered entity or business associate does not create a blanket exemption for everything you do. The ICDPA generally exempts processing that is subject to HIPAA, but leaves non-HIPAA activities within reach.
How to scope your obligations
- Identify systems and workflows where data is PHI or ePHI and processed for treatment, payment, or healthcare operations. These activities fall under HIPAA and are typically outside ICDPA’s requirements.
- Separate non-PHI consumer data—such as web cookies, app telemetry, or marketing contact lists. If you meet ICDPA thresholds, you may need to honor consumer rights and provide appropriate disclosures for this data.
- Beware of mixed datasets. If PHI is commingled with non-PHI, treat the PHI portion under HIPAA and minimize downstream exposure by segregating or de-identifying where possible.
- Map vendors by role. Business associates processing PHI remain under HIPAA; ad-tech and analytics vendors handling non-PHI consumer data may trigger ICDPA controller/processor duties.
Exempt Data Categories under ICDPA
The ICDPA's data exemptions are designed to avoid conflict with existing sectoral laws and to reduce compliance friction. For covered entities, the most relevant include:
- Protected Health Information (PHI) processed by a HIPAA covered entity or business associate in accordance with HIPAA.
- De-identified data (including HIPAA de-identified data) and aggregated data that cannot reasonably be used to re-identify a person.
- Publicly available information, including content lawfully made available from government records.
- Data subject to other federal privacy regimes (for example, GLBA financial data or FCRA-regulated data) when processed in compliance with those laws.
- Human subjects research data processed in compliance with the Common Rule or HIPAA research provisions.
- Personal data in an employment context (e.g., employees and job applicants) to the extent specified by the ICDPA.
These exemptions do not extend to unrelated consumer-facing activities where data is not PHI and not otherwise exempt.
HIPAA Compliance Requirements
ICDPA exemptions never dilute your federal duties. You must continue to meet HIPAA’s baseline: the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule.
HIPAA Privacy Rule
- Limit uses and disclosures to permitted purposes, apply the minimum necessary standard, and maintain accurate Notices of Privacy Practices.
- Honor patient rights (access and copies of PHI, accounting of disclosures, restrictions, and confidential communications).
- Execute and manage Business Associate Agreements that bind downstream partners to HIPAA requirements.
HIPAA Security Rule
Implement a risk-based security program for ePHI across Administrative Safeguards, Technical Safeguards, and Physical Safeguards.
- Administrative Safeguards: risk analysis and risk management, workforce training, sanction policies, contingency planning, and ongoing evaluation.
- Technical Safeguards: unique user IDs and access control, multi-factor authentication where feasible, encryption in transit and at rest, audit logging and monitoring, integrity controls, and secure transmission.
- Physical Safeguards: facility access controls, workstation security, and device/media controls (e.g., secure disposal and media re-use procedures).
Breach Notification Rule
- Assess incidents involving PHI or ePHI and, when a breach occurs, notify affected individuals and regulators as required.
- Document risk assessments, decisions, and remediation; coordinate with business associates on notification responsibilities.
Consumer Rights under ICDPA
For non-exempt consumer data, the ICDPA grants Iowa residents specific privacy rights that you may need to honor when you meet applicability thresholds.
- Transparency: provide clear, accessible disclosures about categories of personal data, purposes of processing, and how consumers can exercise their rights.
- Individual rights: enable authenticated requests for access, deletion, and data portability, and offer opt-outs of targeted advertising, the sale of personal data, and certain automated profiling.
- Verification and response: authenticate requesters, track deadlines, and maintain an internal appeals process for denied requests.
- Children’s data: apply heightened protections when processing data about known children consistent with applicable laws.
Enforcement and Penalties
ICDPA enforcement resides with the state's chief legal office. Expect Iowa Attorney General enforcement to focus on clear notice-and-choice failures, unhonored consumer rights, and inadequate governance around sensitive processing.
- Cure period: the law provides an opportunity to cure alleged violations within a defined window after receiving notice.
- Penalties: civil penalties of up to $7,500 per violation, along with injunctive relief and mandated corrective actions.
- No private right of action: consumers cannot directly sue under the ICDPA; complaints are routed through the Attorney General.
- Mitigation: documented policies, training records, DPIAs for high-risk processing, and consistent logs of request handling help reduce enforcement exposure.
Data Protection Best Practices for Covered Entities
Unify governance across HIPAA and ICDPA
- Maintain a single data map that distinguishes PHI/ePHI, de-identified data, and non-PHI consumer data subject to the ICDPA.
- Use labeling or tagging in your data catalog so teams instantly know which rule set governs each dataset.
Strengthen privacy management
- Update privacy notices to explain both HIPAA and ICDPA scopes and to provide easy paths to exercise consumer rights where applicable.
- Stand up a consumer request workflow with intake, identity verification, fulfillment, and appeals tracking.
- Configure consent and opt-out mechanisms for targeted advertising and the sale of personal data where relevant.
Harden security controls
- Revisit HIPAA risk analysis annually and on major changes; tie remediation to Administrative Safeguards and Technical Safeguards.
- Adopt encryption by default, least-privilege access, zero-trust network principles, and continuous monitoring with audit-ready logs.
- Run tabletop exercises for incident response and breach notification that include business associates and key vendors.
Manage third parties
- Differentiate Business Associate Agreements from ICDPA data processing agreements; ensure each vendor has the correct contract and security schedule.
- Assess processors for data minimization, retention limits, and opt-out signal handling when they touch non-PHI consumer data.
Conclusion
ICDPA largely exempts HIPAA-governed processing but does not eliminate privacy obligations for non-PHI consumer data. Maintain strong HIPAA programs, scope your ICDPA exposure, and implement clear notices, rights handling, and security controls to stay compliant and trustworthy.
FAQs
Which entities are exempt from the ICDPA due to HIPAA?
HIPAA covered entities and their business associates are generally exempt when they process PHI in compliance with HIPAA. The exemption does not automatically cover unrelated activities involving non-PHI consumer data, which may still trigger ICDPA duties.
What types of data does the ICDPA exempt for covered entities?
The ICDPA exempts Protected Health Information (PHI) processed under HIPAA, HIPAA de-identified or aggregated data, publicly available information, and certain federally regulated datasets. These carve-outs limit overlap while keeping non-PHI consumer data in scope where applicable.
How must covered entities comply with HIPAA despite ICDPA exemptions?
You must continue to follow the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule—maintaining policies, access controls, risk analysis, and Business Associate Agreements, and implementing Administrative Safeguards and Technical Safeguards for ePHI.
Who enforces the ICDPA in Iowa?
The Iowa Attorney General enforces the ICDPA. Expect notice-and-cure opportunities and potential civil penalties—commonly up to $7,500 per violation—alongside injunctive relief for noncompliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.