Iowa Health Data Protection Requirements: HIPAA, ICDPA, and a Compliance Checklist
Overview of HIPAA Compliance in Iowa
HIPAA applies uniformly across all states, including Iowa. If you create, receive, maintain, or transmit electronic protected health information (ePHI), you must implement administrative, physical, and technical safeguards, maintain a HIPAA-compliant risk analysis, and follow the Privacy and Breach Notification Rules.
In Iowa, HIPAA obligations often operate alongside state-level privacy and security requirements. Understanding where HIPAA governs PHI and where state laws apply to non-PHI (for example, consumer marketing data) is the foundation for a sound, risk-based compliance program.
Key Provisions of the Iowa Consumer Data Protection Act
Applicability and personal data processing thresholds
The Iowa Consumer Data Protection Act (ICDPA) applies to businesses that conduct business in Iowa or target Iowa consumers and that, in a calendar year, either process personal data of at least 100,000 Iowa consumers, or process personal data of at least 25,000 Iowa consumers and derive more than 50% of gross revenue from the sale of personal data. The law took effect on January 1, 2025. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
Consumer rights and targeted advertising
Consumers have rights to confirm whether you process their data and access it, delete personal data provided by the consumer, obtain a portable copy of personal data they provided (with certain exceptions), and opt out of the sale of personal data. The statute does not include a right to correct inaccuracies. Iowa’s text is unusual regarding targeted advertising: while 715D.3 does not list a targeted-ad opt-out, 715D.4 requires controllers that engage in targeted advertising to disclose the activity and the manner by which consumers may opt out—leading many organizations to offer a targeted-ad opt-out as a best practice. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
Core controller obligations and privacy policy requirements
Controllers must adopt reasonable security practices, publish a clear privacy notice, and provide secure, reliable methods for consumers to exercise rights. Your privacy notice must describe categories of personal data processed, purposes, how to exercise rights (including appeals), categories of personal data shared, categories of third parties, and—if applicable—clear and conspicuous disclosure of sales and targeted advertising with instructions to opt out. Controllers must respond to data subject access requests within 90 days (one 45‑day extension allowed) and provide an appeals process with a 60‑day decision window. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
Exemptions for HIPAA-Compliant Entities
ICDPA has both entity- and data-level exemptions for health information. The law does not apply to persons subject to and in compliance with HIPAA/HITECH regulations (entity-level), and it exempts protected health information, health records, certain research data, and PHI de-identified under HIPAA (data-level). However, consumer data that is not PHI (for example, website analytics or marketing leads) may still be in scope if your organization meets processing thresholds. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
Sensitive Data Categories under ICDPA
ICDPA designates the following categories as “sensitive data.” Processing sensitive data for a non‑exempt purpose requires, at minimum, clear notice and an opportunity to opt out before processing (and COPPA compliance for data of a known child). ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
- Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, and citizenship or immigration status.
- Genetic or biometric data used to uniquely identify an individual.
- Personal data collected from a known child.
- Precise geolocation data.
In practice, surface the sensitive‑data notice and opt‑out at the point of collection rather than only in the privacy policy, and treat any data set tagged as a known child’s data under COPPA’s verifiable parental consent rules. ([casemine.com](https://www.casemine.com/act/us/654e1481aaffc33ff4b93fb4))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Data Subject Rights and Business Obligations
Consumer rights
- Confirm and access: Verify whether you process a consumer’s data and provide access.
- Delete: Erase personal data the consumer provided to you (subject to statutory exceptions).
- Portability: Provide a portable copy of personal data the consumer provided.
- Opt out of sale: Permit consumers to opt out of the sale of personal data.
Respond to data subject access requests within 90 days (one 45‑day extension allowed), provide up to two free responses per consumer per year, and offer a conspicuous appeals process that resolves within 60 days; if an appeal is denied, tell the consumer how to submit a complaint to the Attorney General. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
Targeted advertising considerations
Although a targeted‑advertising opt‑out is not expressly listed among consumer rights, Iowa requires disclosure if you engage in targeted advertising and disclosure of the manner to opt out of such activity. Many organizations implement an opt‑out mechanism to align with the notice requirement and consumer expectations. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
Compliance Checklist for ICDPA
Use this sequence to operationalize compliance while minimizing disruption.
- Scope and thresholds: Confirm whether you meet ICDPA’s personal data processing thresholds; document your analysis (100,000 consumers; or 25,000 plus 50% revenue from data sales).
- Data inventory: Map systems and data flows, tagging sensitive data and distinguishing PHI from non‑PHI.
- Privacy policy requirements: Update your notice to cover categories, purposes, rights (and appeals), sharing, third parties, and clear disclosure of sales and targeted advertising with opt‑out instructions.
- DSAR program: Stand up authenticated intake channels, verification workflows, and response SLAs to meet the 90‑day timeline (with one 45‑day extension) and 60‑day appeal decisions for data subject access requests.
- Opt‑out mechanisms: Implement opt‑outs for the sale of personal data, and—given statutory disclosures—strongly consider a targeted‑advertising opt‑out.
- Processor contracts: Execute data processing agreements that include confidentiality, deletion/return at end of services, cooperation duties, and downstream subcontractor flow‑downs.
- Sensitive data handling: Provide prominent notice and an opportunity to opt out before processing sensitive data; follow COPPA for known children.
- Security baseline: Maintain reasonable administrative, technical, and physical safeguards aligned to the volume and nature of personal data.
- Training and recordkeeping: Train staff on ICDPA procedures, track request metrics, and maintain appeal records.
- Enforcement readiness: Note Attorney General enforcement, a permanent 90‑day cure period, and penalties up to $7,500 per violation; monitor guidance for updates.
Key sources for these steps include ICDPA sections on scope (715D.2), controller duties and privacy notices (715D.4), processor duties (715D.5), and consumer rights (715D.3), plus enforcement details (effective date, cure period, and penalties). ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
Iowa Insurance Data Security Act Standards
The Iowa Insurance Data Security Act (Iowa Code chapter 507F) establishes exclusive insurance data security standards for licensees under the Iowa Insurance Division. It requires a risk‑based information security program, governance (including board reporting where applicable), vendor management, and a written incident response plan. ([law.justia.com](https://law.justia.com/codes/iowa/title-xiii/chapter-507f/section-507f-4/))
- Program design: Conduct periodic risk assessments; implement proportional safeguards such as access controls, encryption of data in transit and on portable devices, audit trails, testing/monitoring, MFA where appropriate, and secure disposal/retention schedules.
- Governance: Designate responsible personnel and provide at least annual reporting to the board or executive management.
- Incident response: Maintain a written plan covering roles, communications, remediation, documentation, and post‑incident review.
Insurers domiciled in Iowa must submit an annual certification of compliance to the commissioner on or before April 15 and retain supporting documentation for five years. ([law.justia.com](https://law.justia.com/codes/iowa/title-xiii/chapter-507f/section-507f-4/))
Once a licensee’s investigation confirms a qualifying cybersecurity event under 507F.7, it must notify the Iowa Insurance Division as promptly as possible and no later than three business days after that determination, and must update the Division as material facts change. The Division publishes the notification forms and clarifies exemptions and filing expectations. ([law.justia.com](https://law.justia.com/codes/iowa/2022/title-xiii/chapter-507f/section-507f-7/))
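The ICDPA response, extension and appeal windows described in the consumer‑rights and checklist sections above, and the three‑business‑day Division notice described here, are easy to miss when tracked by hand: the 45‑day extension may be taken only once, and a Friday confirmation does not give you until Monday. The following deadline tracker is an added example written for this page; it is not code from the page, from Accountable, or from any statute. It assumes the ICDPA periods run in calendar days from receipt, and it treats only Saturdays and Sundays as non‑business days unless the caller supplies a holiday set, because the page does not define “business day.”

```python
"""Deadline tracker for the Iowa obligations discussed on this page (added example).

Assumptions (not stated in the source): ICDPA periods (90 days, one 45-day
extension, 60-day appeal decision) are counted in calendar days from receipt;
the 507F notice period skips Saturdays and Sundays, plus any holidays the
caller passes in.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional

ICDPA_RESPONSE_DAYS = 90       # initial response window for a consumer request
ICDPA_EXTENSION_DAYS = 45      # a single extension is permitted
ICDPA_APPEAL_DAYS = 60         # window to decide a consumer's appeal
IID_NOTICE_BUSINESS_DAYS = 3   # notice to the Insurance Division after confirmation


def add_business_days(start: date, count: int,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance `count` business days past `start`, skipping weekends and holidays."""
    current, remaining = start, count
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def iid_notice_deadline(confirmed: date,
                        holidays: FrozenSet[date] = frozenset()) -> date:
    """Latest date to notify the Iowa Insurance Division after confirming an event."""
    return add_business_days(confirmed, IID_NOTICE_BUSINESS_DAYS, holidays)


@dataclass
class Dsar:
    """One ICDPA consumer request and its lifecycle dates."""
    request_id: str
    received: date
    extended: bool = False
    responded_on: Optional[date] = None
    appeal_received: Optional[date] = None
    appeal_decided_on: Optional[date] = None

    def extend(self) -> None:
        """Apply the single permitted 45-day extension; refuse a second one."""
        if self.extended:
            raise ValueError(f"{self.request_id}: only one extension is permitted")
        self.extended = True

    def response_due(self) -> date:
        days = ICDPA_RESPONSE_DAYS + (ICDPA_EXTENSION_DAYS if self.extended else 0)
        return self.received + timedelta(days=days)

    def appeal_due(self) -> Optional[date]:
        if self.appeal_received is None:
            return None
        return self.appeal_received + timedelta(days=ICDPA_APPEAL_DAYS)


def overdue(requests: Iterable[Dsar], today: date) -> List[str]:
    """IDs of requests with an unanswered response or appeal past its deadline."""
    late = []
    for r in requests:
        if r.responded_on is None and r.response_due() < today:
            late.append(r.request_id)
        elif (r.appeal_received is not None and r.appeal_decided_on is None
              and r.appeal_due() < today):
            late.append(r.request_id)
    return late


def worked_example() -> Dict[str, object]:
    """Constructed scenario (dates are illustrative, not from any real matter)."""
    friday = date(2025, 3, 7)
    r1 = Dsar("R-1", received=date(2025, 1, 1))
    r1.extend()                      # one extension: allowed
    try:
        r1.extend()                  # second extension: refused
        second_extension_refused = False
    except ValueError:
        second_extension_refused = True
    r2 = Dsar("R-2", received=date(2024, 12, 1), responded_on=date(2025, 2, 1),
              appeal_received=date(2025, 4, 2))
    return {
        "iid_notice": iid_notice_deadline(friday).isoformat(),
        "iid_notice_with_holiday": iid_notice_deadline(
            friday, frozenset({date(2025, 3, 10)})).isoformat(),
        "r1_due_extended": r1.response_due().isoformat(),
        "second_extension_refused": second_extension_refused,
        "r2_appeal_due": r2.appeal_due().isoformat(),
        "overdue_on_2025_06_02": overdue([r1, r2], date(2025, 6, 2)),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The `extend()` guard is the part worth copying: a request-handling system that lets an agent click “extend” twice silently turns a 135‑day ceiling into 180 days. The holiday set is deliberately left to the caller; whether a state holiday is a “business day” for 507F purposes is a question for counsel, not for the code.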
Some licensees may be exempt (for example, smaller entities meeting workforce/revenue/asset thresholds or those subject to and in compliance with HIPAA); HIPAA‑compliant licensees must provide an annual exception certification to the Division by April 15. ([iid.iowa.gov](https://iid.iowa.gov/regulated-entities/insurance-related/data-cybersecurity))
Bottom line: pair HIPAA controls for ePHI with ICDPA requirements for non‑PHI consumer data, and—if you are a licensee—implement Iowa’s insurance data security standards and time‑sensitive notifications to the Division.
FAQs
What entities are exempt from ICDPA due to HIPAA compliance?
ICDPA does not apply to entities that are subject to and comply with HIPAA/HITECH regulations. In addition, PHI, health records, certain research data, HIPAA‑deidentified data, and related health information are exempt at the data level. If you process non‑PHI consumer data (like marketing leads), ICDPA may still apply if you meet personal data processing thresholds. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
What rights do consumers have under the ICDPA?
Consumers can confirm and access their data, delete data they provided, obtain a portable copy, and opt out of the sale of personal data. The law does not provide a right to correct inaccuracies. Controllers must respond within 90 days (with one 45‑day extension if needed) and offer a 60‑day appeals process. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))
How does the Iowa Insurance Data Security Act affect healthcare providers?
If you hold an insurance license regulated by the Iowa Insurance Division, you must implement insurance data security standards, maintain a written incident response plan, and—if domiciled in Iowa—file an annual certification to the Division by April 15. You must also notify the Division within three business days after confirming qualifying cybersecurity events. Some HIPAA‑compliant licensees may be exempt but must file an annual exception certification. ([law.justia.com](https://law.justia.com/codes/iowa/title-xiii/chapter-507f/section-507f-4/))
What are the key steps in the ICDPA compliance checklist?
Verify applicability against personal data processing thresholds; map data; update privacy policy requirements; operationalize data subject access requests; implement sale (and, pragmatically, targeted‑ad) opt‑outs; memorialize processor obligations; manage sensitive data with notice and opt‑out; strengthen security controls; train staff; and prepare for Attorney General enforcement, including the 90‑day cure period. ([legis.iowa.gov](https://www.legis.iowa.gov/docs/code/715d.pdf))