Indiana Data Privacy Law for Healthcare: ICDPA Compliance Guide and HIPAA Implications


Kevin Henry

Data Privacy

October 23, 2025

9 minute read

Overview of Indiana Consumer Data Protection Act

Indiana’s Consumer Data Protection Act (ICDPA) establishes consumer data protection standards governing how organizations collect, use, disclose, and secure the personal data of Indiana residents. The law takes effect on January 1, 2026, and follows a controller/processor model similar to other state privacy frameworks.

Under the ICDPA, “personal data” is any information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information. “Sensitive data” includes precise geolocation, genetic or biometric data for identification, children’s data, and certain health information, and generally requires opt-in consent for processing.

Consumers have rights to confirm and access data, correct inaccuracies, delete personal data, and obtain portable copies. You must also offer opt-out rights for targeted advertising, the sale of personal data, and profiling with legal or similarly significant effects, and maintain an internal appeal process for denied requests.

Controllers must provide clear privacy notices, limit collection to what is necessary for disclosed purposes, implement reasonable security safeguards, and conduct data protection assessments for higher-risk processing such as targeted advertising, selling personal data, or processing sensitive data. Contracts with processors must define instructions, confidentiality, and audit rights.

Applicability of ICDPA in Healthcare

In healthcare, ICDPA applies primarily to organizations that handle consumer personal data outside HIPAA’s traditional covered-entity/business-associate ecosystem or to lines of business that fall outside HIPAA. Think direct-to-consumer health apps, telehealth platforms that are not HIPAA-covered, wellness programs, medical device manufacturers offering consumer portals, and retail health services engaging in targeted advertising or data sales.

If your organization meets the law’s processing thresholds (for example, handling personal data of large numbers of Indiana consumers or deriving substantial revenue from selling personal data), you may be a “controller” under ICDPA. Patient-facing websites, marketing databases, and analytics environments often involve consumer data that is not electronic protected health information and therefore can be in scope.

By contrast, traditional clinical operations that involve protected health information under HIPAA are often outside ICDPA due to statutory exclusions. Still, mixed-model systems must segregate PHI from consumer datasets, apply role-appropriate controls, and ensure that opt-out mechanisms for advertising and sale do not inadvertently affect clinical communications or required disclosures.

Exemptions Relevant to Healthcare Providers

Key ICDPA exemptions that matter in healthcare include:

  • HIPAA: Protected health information and processing by HIPAA covered entities and business associates are generally exempt.
  • 42 CFR Part 2: Substance use disorder patient records subject to federal confidentiality rules are exempt.
  • Research and public health: Data processed under certain research protocols or public health reporting obligations can be out of scope.
  • Financial and educational data: Information regulated by GLBA or FERPA is typically excluded.
  • De-identified and publicly available information: Properly de-identified datasets are not personal data under ICDPA.
  • Government entities and many nonprofits: These organizations are often outside the law’s entity scope.

Exemptions are not blanket permissions to reuse consumer data. You should document the legal basis for each exemption, maintain de-identification controls to prevent reidentification, and apply ethical data-use standards to preserve patient and consumer trust.

HIPAA Privacy Rule Requirements

The HIPAA Privacy Rule governs how covered entities and business associates use and disclose protected health information, including electronic protected health information. Core requirements include permitted uses and disclosures, the minimum necessary standard, a Notice of Privacy Practices, individual rights (access, amendment, and restrictions), and business associate agreements.

HIPAA Privacy Rule safeguards require administrative, technical, and physical measures reasonably designed to protect PHI from impermissible uses and disclosures. You must implement policies and procedures, workforce training, sanctions for violations, and ongoing monitoring. These obligations complement ICDPA’s consumer data protection standards by reinforcing transparency, purpose limitation, and robust security practices.

For mixed datasets, separate PHI workflows from consumer data subject to ICDPA, and align request-handling so that HIPAA access and amendment rights coexist smoothly with ICDPA access, correction, deletion, and opt-out rights. Clear routing rules prevent misapplication of one regime’s rights to the other’s datasets.

Enforcement Mechanisms for ICDPA and HIPAA

ICDPA is enforced by the Indiana Attorney General. The AG may investigate, require remediation, and seek civil monetary penalties for violations, with a statutory cure period available in many cases. Penalties can accrue on a per-violation basis and may include injunctive relief and recovery of costs.

HIPAA is enforced by the U.S. Department of Health and Human Services Office for Civil Rights, with civil monetary penalties tiered by culpability, and by state attorneys general under HITECH. The Department of Justice handles criminal HIPAA violations. Resolution agreements often require multi-year corrective action plans, independent assessments, and ongoing reporting.

If your organization operates both HIPAA-regulated and consumer-facing programs, you should expect distinct oversight paths: Indiana Attorney General enforcement for ICDPA-governed consumer data and federal OCR enforcement for PHI. Shared governance, unified risk registers, and executive-level reporting promote consistent remediation across regimes.

Data Breach Notification Obligations

Indiana’s data breach notification law generally requires notifying affected residents without unreasonable delay and within a defined statutory window after discovering unauthorized acquisition of personal information. Depending on the event, you may also need to notify the Indiana Attorney General and, if the breach affects a large number of residents, the nationwide consumer reporting agencies. Notices must describe what happened, the types of data involved, and steps consumers can take.

HIPAA/HITECH imposes separate breach notification rules for PHI. You must notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS (immediately for large breaches or annually for smaller ones), and notify prominent media outlets when a breach affects more than 500 residents in a state or jurisdiction. A documented risk assessment determines whether an impermissible use or disclosure rises to the level of a reportable breach.

Create an integrated incident response plan that distinguishes consumer personal data from PHI, preserves forensic evidence, coordinates counsel review, and triggers the right notification tracks. Tabletop exercises with both HIPAA and ICDPA scenarios ensure your team can meet strict timelines for data breach notification.

Compliance Strategies for Healthcare Entities

1) Confirm scope and apply exemptions carefully

  • Identify whether you are a HIPAA covered entity or business associate and where ICDPA exemptions apply.
  • Map all lines of business to determine which process PHI, which process consumer personal data, and which are hybrid.

2) Build a unified data inventory

  • Catalogue systems holding PHI, electronic protected health information, and consumer data (web, mobile, CRM, analytics, adtech).
  • Classify sensitive data and document legal bases (consent, required disclosures, or legitimate processing purposes).

3) Upgrade notices and individual rights operations

  • Publish clear privacy notices for consumer-facing services and maintain HIPAA Notices of Privacy Practices for clinical care.
  • Stand up a request workflow that supports ICDPA access, correction, deletion, portability, and opt-out rights alongside HIPAA access/amendment rights.

4) Strengthen contracts and vendor governance

  • Use business associate agreements for PHI and data processing agreements for ICDPA-covered consumer data.
  • Require downstream processors to meet security, breach notification, and data minimization obligations; audit high-risk vendors.

5) Implement safeguards that satisfy both regimes

  • Apply HIPAA Privacy Rule safeguards and extend comparable controls to consumer datasets: access controls, minimum necessary, encryption at rest/in transit, and audit logging.
  • Adopt privacy by design, minimize retention, and restrict targeted advertising and sale of personal data unless clearly disclosed with opt-out or consent.

6) Conduct data protection assessments

  • Assess targeted advertising, sale of personal data, profiling with significant effects, and sensitive data processing.
  • Document risks, mitigations, and decisions to demonstrate accountability under consumer data protection standards.

7) Prepare for incidents and enforcement

  • Maintain an incident response plan that aligns HIPAA and ICDPA data breach notification timelines and content requirements.
  • Track inquiries from the Indiana Attorney General enforcement team and HHS OCR, and centralize corrective actions.

Conclusion

ICDPA brings modern consumer data rights and controller obligations to Indiana, while HIPAA continues to govern PHI. By scoping datasets precisely, honoring exemptions, and aligning notices, rights operations, contracts, and safeguards, you can reduce risk and meet both ICDPA and HIPAA expectations with one integrated privacy program.

FAQs

What entities in healthcare are subject to the ICDPA?

Healthcare organizations that process Indiana consumers’ personal data outside HIPAA—such as direct-to-consumer health apps, certain telehealth or wellness platforms, device makers with consumer portals, and retail health services—may be subject to ICDPA if they meet processing or revenue thresholds. Traditional HIPAA-covered clinical operations are generally exempt, but mixed environments should separate PHI from consumer datasets and apply ICDPA to the latter.

How does ICDPA interact with HIPAA regulations?

HIPAA governs protected health information, and many HIPAA covered entities and business associates benefit from exemptions under ICDPA. Where you process non-PHI consumer data (for example, website analytics or targeted advertising), ICDPA’s rights and opt-outs can apply alongside your HIPAA obligations. The safest approach is to route requests based on dataset type and maintain distinct notices and workflows for PHI vs. consumer personal data.

What are the penalties for noncompliance with Indiana data privacy laws?

The Indiana Attorney General can investigate violations, require remediation, and seek civil monetary penalties on a per-violation basis, along with injunctive relief and recovery of costs. HIPAA noncompliance can result in tiered civil penalties from HHS OCR and, in egregious cases, criminal enforcement, often coupled with corrective action plans and multi-year monitoring.

What are the data breach notification requirements under Indiana law?

After discovering unauthorized acquisition of personal information, you must notify affected Indiana residents without unreasonable delay and within the statutory deadline, subject to law enforcement delay. Depending on the size and nature of the event, you may also need to notify the Indiana Attorney General and the nationwide consumer reporting agencies. Maintain a playbook that coordinates these state obligations with HIPAA/HITECH’s 60-day breach notification requirements for PHI.
