Iowa Data Privacy Law (ICDPA) for Healthcare: 2025 Compliance Guide


Kevin Henry

Data Privacy

July 28, 2025


ICDPA Overview and Scope

The Iowa Consumer Data Protection Act (ICDPA), codified at Iowa Code Chapter 715D, took effect on January 1, 2025. It establishes baseline rules for personal data processing, consumer data rights, and controller/processor duties for organizations doing business in Iowa. For healthcare, it sits alongside HIPAA and other health privacy regimes and applies only where statutory exemptions do not remove an organization or dataset from scope. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

Scope hinges on thresholds: the law covers entities that in a calendar year either control or process personal data of at least 100,000 consumers, or 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. “Consumer” means an Iowa resident acting in an individual or household context (not in employment or B2B roles), narrowing the covered population for many providers and vendors. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

Key definitions that matter in healthcare include “sensitive data” (e.g., mental or physical health diagnosis, genetic/biometric data, children’s data, precise geolocation) and “sale of personal data,” which in Iowa is limited to exchanges for monetary consideration. ICDPA also defines “targeted advertising” distinctly from contextual ads, which affects notice and opt-out design. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.1.pdf))

Applicability to Healthcare Entities

ICDPA is sector-agnostic and applies to any controller or processor meeting the thresholds—unless an exemption applies. Many traditional healthcare organizations are outside ICDPA because the statute provides entity-level exemptions for persons subject to and complying with HIPAA/HITECH, and separate exemptions for nonprofit organizations and institutions of higher education. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

Practical implications: if you are a HIPAA covered entity or business associate in compliance, your organization is generally exempt; however, affiliates that are not themselves covered (or separate corporate vehicles for direct-to-consumer offerings) must independently assess ICDPA applicability. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

Healthcare Exemptions and HIPAA

Beyond entity-level relief, ICDPA carves out extensive data-level exemptions highly relevant to care delivery and research. Exempt data include protected health information (PHI) under HIPAA, health records, 42 U.S.C. § 290dd‑2 (substance use disorder) data, identifiable private information used in federally governed human-subjects research, patient safety work product, and de-identified data per HIPAA. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

ICDPA also exempts information “originating from, and intermingled to be indistinguishable with” exempt health data when maintained by a HIPAA covered entity or business associate, as well as information used solely for public health activities authorized by HIPAA—important protections for quality improvement, registries, and surveillance. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

Consumer Data Rights under ICDPA

Where ICDPA applies, Iowa consumers (not acting in employment/B2B contexts) may exercise data subject rights to: (1) confirm and access personal data; (2) delete personal data provided by the consumer; (3) obtain a portable copy of personal data the consumer previously provided; and (4) opt out of the sale of personal data. Controllers must respond within 90 days (with a single 45‑day extension when reasonably necessary) and offer an appeals process with a written decision within 60 days, including a mechanism to contact the Attorney General if the appeal is denied. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-3/))

Targeted advertising is treated unusually: the consumer-rights section does not list a targeted‑ad opt‑out, yet controllers that engage in targeted advertising must clearly disclose it and provide the manner for consumers to exercise “the right to opt out of such activity.” Many organizations therefore present a targeted‑ad opt‑out alongside the sale opt‑out for clarity. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-4/))

Two notable omissions versus other states: ICDPA does not grant a right to correct inaccuracies and does not require honoring universal opt‑out signals (e.g., Global Privacy Control). Design your request flows and choice architecture accordingly. ([bakerdonelson.com](https://www.bakerdonelson.com/webfiles/Privacy_Guide/Iowa-Privacy-Law-Guide.pdf?utm_source=openai))

Compliance Requirements for Healthcare Providers

1) Confirm scope and data flows

Validate whether you are exempt (e.g., HIPAA/HITECH entities, nonprofits) and inventory personal data processing across patient-facing sites, mobile apps, call centers, and third-party tools. Map which processing is HIPAA-regulated (PHI) versus non‑PHI consumer data potentially subject to ICDPA. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

2) Privacy notice and transparency

Publish a clear, meaningful privacy notice detailing categories of personal data processed, purposes, how consumers exercise ICDPA rights and appeal, categories of data shared, and categories of third parties. If you sell data or engage in targeted advertising, clearly and conspicuously disclose that activity and how to opt out. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-4/))

3) DSAR intake, authentication, and appeals

Offer secure, reliable methods for requests; authenticate using commercially reasonable efforts; respond within 90 days (one 45‑day extension permitted); and allow two free responses per consumer annually. Provide a conspicuous appeals process and, upon denial, an online mechanism to contact the Attorney General. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-3/))

4) Processor management

Execute data processing agreements that set processing instructions, purpose, data types, duration, confidentiality, return/deletion at end of services, cooperation to demonstrate compliance, and flow‑down requirements for subcontractors. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-5/))

5) Security and discrimination controls

Implement reasonable administrative, technical, and physical safeguards proportionate to the volume and nature of personal data; do not process data in ways that unlawfully discriminate or penalize consumers for exercising their rights (subject to permitted loyalty programs and price differences). ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-4/))

6) Choice design and signals

Provide sale opt‑outs and, if engaging in targeted ads, a clear method to opt out of that activity. Iowa does not mandate recognition of universal opt‑out signals (e.g., GPC), but many teams still support them for multi‑state harmonization. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-4/))

7) What’s not required

ICDPA does not require data protection impact assessments, reducing documentation overhead compared to some states—though risk reviews remain a good practice, especially for high‑risk analytics or advertising use cases. ([omm.com](https://www.omm.com/insights/alerts-publications/six-and-counting-iowa-enacts-consumer-privacy-law/?utm_source=openai))

Enforcement and Penalties for Violations

Attorney General enforcement is exclusive. Before filing, the AG must provide a 90‑day cure notice. If a violation continues (or a written cure assurance is breached), the AG may seek injunctions and civil penalties up to $7,500 per violation, with amounts deposited into the Consumer Education and Litigation Fund. ICDPA creates no private right of action. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-8/))

Managing Sensitive Healthcare Data

For non‑exempt processing of health‑related “sensitive data,” ICDPA requires you to present clear notice and give consumers an opportunity to opt out; for children’s data, you must follow COPPA. Separate from ICDPA, PHI and most care‑related records are already exempt or HIPAA‑governed, but non‑PHI consumer touchpoints (e.g., marketing sites, wellness content, lead capture) may trigger ICDPA duties. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-4/))

When feasible, de‑identify or pseudonymize analytics data and keep reidentification keys separate with strong controls, as certain rights and duties do not attach when additional identifying information is kept apart and safeguarded. This reduces risk exposure while preserving insight value. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-7/))

Bottom line: confirm exemptions, publish a compliant privacy notice, operationalize consumer request handling, manage processors diligently, and implement clear sale/targeted‑ad choices. Doing so aligns your HIPAA compliance posture with Iowa’s ICDPA and limits enforcement risk. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-4/))

FAQs

What healthcare entities are exempt from ICDPA?

Persons subject to and complying with HIPAA/HITECH are exempt at the entity level; nonprofits and institutions of higher education are also exempt. In addition, numerous health data categories (PHI, health records, research, patient safety work product, certain public‑health uses, and de‑identified data) are out of scope. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

How does ICDPA affect non-HIPAA covered healthcare providers?

Direct‑to‑consumer health apps, telehealth startups, and wellness platforms that are not HIPAA covered may be in scope if they meet ICDPA thresholds. They must provide required notices, honor consumer requests, secure data, and offer sale (and practically, targeted‑ad) opt‑outs. Affiliates not themselves HIPAA‑covered must assess independently. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/2025/715D.2.pdf))

What are the consumer rights under ICDPA?

Consumers can confirm/access personal data, delete data they provided, receive a portable copy of data they provided, and opt out of the sale of personal data. Controllers must respond within 90 days (one 45‑day extension allowed) and support an appeals process that can route denials to the Attorney General. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-3/))

What penalties apply for healthcare data violations under ICDPA?

The Attorney General has exclusive authority. After a 90‑day cure period, unresolved violations may draw injunctions and civil penalties up to $7,500 per violation; the law does not permit private lawsuits under ICDPA. ([law.justia.com](https://law.justia.com/codes/iowa/title-xvi/chapter-715d/section-715d-8/))
