Maryland Data Privacy Law for Healthcare: What Providers Need to Know

Overview of MODPA Requirements

Scope and applicability

The Maryland Online Data Privacy Act (MODPA) sets comprehensive obligations for organizations that meet the law’s personal data processing thresholds. It applies to “controllers” that determine the purposes and means of processing personal data about Maryland consumers, and to “processors” that act on a controller’s behalf. Covered entities must assess whether their consumer-facing sites, apps, and marketing tools place them within scope.

MODPA exempts certain data and activities already governed by sectoral laws, yet it still reaches health-related information outside HIPAA—such as website interactions, patient acquisition campaigns, and wellness program data. Even if your electronic health record (EHR) system is largely out of scope, adjacent consumer touchpoints can still trigger compliance duties.

Core controller obligations

Controllers must provide clear, accessible privacy notices, assign a lawful purpose for each processing activity, and implement data minimization obligations to limit collection and retention. Sensitive data restrictions require explicit consent or other strict conditions before processing. Consumers must also receive easy mechanisms for a targeted advertising opt-out and limits on automated profiling that has significant effects.

Processor duties and contracts

Processors must follow documented controller instructions, implement security controls, and support responses to Consumer Data Access Rights requests. Data processing agreements should define processing purposes, security standards, subcontractor approvals, and deletion/return protocols at the end of services—key building blocks for demonstrating accountability under MODPA’s regulatory enforcement measures.

Impact on Healthcare Data

Where MODPA reaches beyond HIPAA

HIPAA governs protected health information within covered entities and business associates. MODPA reaches consumer data that sits outside those boundaries—think online appointment requests, website analytics, ad pixels, call-center recordings, patient satisfaction surveys, and community wellness portals. If you track visitors for conversion or retargeting, you are likely processing personal data subject to MODPA.

Real-world healthcare scenarios

• Marketing and patient acquisition: pixels, cookies, and device IDs tied to clinic pages may require a targeted advertising opt-out and consent flows for sensitive inferences.
• Telehealth intake and symptom checkers: information consumers enter before a formal provider-patient relationship can be personal data subject to Consumer Data Access Rights.
• Wellness programs and wearables: combining step counts, sleep patterns, or location with profiles can raise sensitive data restrictions and automated profiling limitations.

The practical takeaway: inventory all non-PHI consumer data streams alongside PHI. MODPA can cover the former even when HIPAA does not.

Consumer Data Rights

What consumers can do

MODPA grants Consumer Data Access Rights, including the ability to know and access personal data, correct inaccuracies, delete information, and obtain a portable copy. Consumers can opt out of the sale of personal data, targeted advertising, and certain automated profiling. You must provide straightforward, frictionless methods to exercise these choices without dark patterns.

Provider responsibilities

You must verify requesters, search all relevant systems (including websites, CRM tools, marketing platforms, and contact centers), and respond within statutory timelines. Build an appeals process when you decline a request. Keep clear records to demonstrate why a request was granted or limited, and ensure responses do not expose PHI or other individuals’ data.

Data Minimization and Prohibited Practices

Data minimization obligations

Collect only the personal data that is adequate, relevant, and reasonably necessary for the stated purpose. Map purposes to fields on forms, disable optional trackers by default, and implement role-based access controls. Apply purpose limitation: do not repurpose consumer data for unrelated objectives without meeting MODPA’s requirements.

Retention and deletion

Define retention periods aligned to the original purpose and legal requirements, then delete or deidentify data on schedule. Automate deletion workflows for marketing platforms and cloud storage to reduce exposure and support compliance with Consumer Data Access Rights.

Prohibited or restricted practices

• Sensitive data restrictions: obtain explicit consent or satisfy strict conditions before processing health, biometric, genetic, precise geolocation, or other sensitive categories.
• Targeted advertising opt-out: honor consumer choices quickly across all channels, including remarketing and lookalike audiences.
• Automated profiling limitations: provide notice and an opt-out where profiling could produce legal or similarly significant effects, such as eligibility or cost determinations.
• Avoid dark patterns: do not nudge users into consent; keep choices balanced and clear.

Compliance Strategies for Providers

1) Confirm applicability and thresholds

Assess whether your organization meets MODPA’s personal data processing thresholds. Consider patient volume on consumer properties, marketing reach, and revenue models. Even if you fall below thresholds, your vendors or affiliates might be in scope—update contracts accordingly.

2) Map data and classify

Create a single inventory of consumer data across websites, apps, call centers, CRM tools, and marketing tech. Separate PHI from consumer data to apply the correct rule set. Flag flows involving sensitive data and automated decisioning for deeper review.

3) Update notices, consent, and choice

Simplify privacy notices with purpose-based explanations and layered detail. Deploy granular controls for cookies and SDKs, default to least-intrusive settings, and make the targeted advertising opt-out highly visible. Record consent and preference signals and propagate them to all ad and analytics partners.

4) Operationalize Consumer Data Access Rights

Stand up a DSAR playbook: intake (web form, toll-free number, or email), identity verification, system-of-record searches, redaction, and secure delivery. Train staff to distinguish consumer data from PHI and to route requests appropriately. Track metrics to prove timely, consistent responses.

5) Strengthen security and governance

Implement encryption, access governance, monitoring, and incident response. Run data protection assessments for targeted advertising, profiling, sensitive data, and high-risk processing. Maintain processor contracts that specify instructions, safeguards, and deletion requirements—core regulatory enforcement measures that reduce penalty risk.

Enforcement and Penalties

What enforcement looks like

MODPA enforcement is led by state authorities and emphasizes regulatory enforcement measures such as investigations, compliance monitoring, injunctive relief, and civil penalties. Expect scrutiny of sensitive data restrictions, children and teen protections, and whether opt-outs are easy to find and honored globally.

Penalty exposure and risk factors

Penalty calculations typically consider the nature and persistence of violations, categories of data affected, number of consumers impacted, and your remediation efforts. Documentation—data maps, assessments, processor contracts, and DSAR logs—can materially mitigate outcomes.

Preparing for MODPA Implementation

Phased roadmap

• First, confirm scope against personal data processing thresholds and identify systems that touch Maryland consumers.
• Next, deploy a consent and preference platform to manage targeted advertising opt-out choices across web, mobile, and adtech.
• Build DSAR operations: verification, search, redaction, and delivery; integrate workflows with CRM, analytics, and marketing platforms.
• Execute data protection assessments for sensitive data, profiling, and high-risk initiatives; document decisions and mitigations.
• Refresh processor agreements to codify instructions, security, subprocessor approvals, and deletion on termination.
• Finalize retention schedules, deletion automations, and access controls aligned to data minimization obligations.

Team enablement and monitoring

Train marketing, IT, patient engagement, and compliance teams on Consumer Data Access Rights, sensitive data restrictions, and automated profiling limitations. Establish KPIs for request timelines, opt-out fulfillment, and tracker governance. Review high-risk campaigns before launch and re-assess regularly.

Conclusion

For healthcare providers, the Maryland Data Privacy Law for Healthcare context means going beyond HIPAA: tighten data minimization, honor consumer choices like the targeted advertising opt-out, and place guardrails around sensitive data and profiling. With clear inventories, updated notices, strong vendor contracts, and disciplined DSAR operations, you can meet MODPA requirements while preserving patient trust.

FAQs.

How does MODPA differ from HIPAA in healthcare data protection?

HIPAA protects PHI within covered entities and business associates. MODPA covers consumer personal data outside HIPAA—such as website analytics, marketing identifiers, and pre-visit intake data. MODPA adds Consumer Data Access Rights, a targeted advertising opt-out, automated profiling limitations, and strict data minimization obligations that apply to these non-PHI contexts.

What are the penalties for non-compliance with MODPA?

Enforcement can include investigations, orders to cure, injunctive relief, and civil penalties. Authorities weigh factors like the scope and duration of violations, categories of data involved (especially sensitive data), and your remediation steps. Robust documentation and timely corrective action can reduce penalty exposure.

How can healthcare providers comply with consumer data access requests?

Create a standardized DSAR workflow: provide simple intake channels, verify identity, search all relevant consumer systems, redact third-party data, and deliver responses securely within required timeframes. Maintain logs, route PHI-related requests through HIPAA processes, and honor opt-outs for sale, targeted advertising, and certain profiling activities.