Maryland MODPA HIPAA Covered Entity Exemption: Scope, Limits, Compliance Guide

Overview of Maryland Online Data Privacy Act

Maryland’s Online Data Privacy Act (MODPA) establishes baseline obligations for how you handle personal data about Maryland residents online. It centers on data minimization, purpose limitation, transparency, and giving people practical control over their information.

For healthcare organizations, MODPA does not replace sectoral rules. Instead, it layers onto your existing obligations, creating a dual regulatory framework in which you must distinguish between data governed by HIPAA and personal data governed by MODPA.

MODPA’s requirements generally apply when you determine the purposes and means of processing personal data in a commercial or organizational context. The statute’s consumer-focused scope means you should examine your web, mobile, and off-portal data flows—especially where they intersect with marketing, analytics, and third-party technologies.

HIPAA Covered Entity Standards

HIPAA sets rigorous standards for Protected Health Information (PHI) handled by covered entities and their business associates. Core rules include the Privacy Rule (uses/disclosures and minimum necessary), the Security Rule (administrative, physical, and technical safeguards), and the Breach Notification Rule.

Business Associate Agreements (BAAs) require partners to protect PHI and restrict its use. De-identification under HIPAA (safe harbor or expert determination) removes data from PHI status when executed correctly. These foundations remain intact under MODPA; you must keep them fully implemented and documented.

Key HIPAA concepts you should anchor

• Protected Health Information: individually identifiable health information linked to care, payment, or operations.
• Minimum necessary: restrict PHI use and access to what is needed for a defined purpose.
• BAA governance: vet, contract, and monitor vendors that create, receive, maintain, or transmit PHI.
• De-identification: ensure irreversible de-identification before treating data as non-PHI for broader use.

MODPA Data-Level Exemptions

MODPA provides a data-level exemption—not an entity-level exemption—for HIPAA-regulated information. In practice, that means PHI handled in compliance with HIPAA is exempt from MODPA’s substantive requirements, but your non-PHI personal data remains subject to MODPA.

What the Data-Level Exemption covers

• PHI created, received, maintained, or transmitted by a covered entity or business associate in accordance with HIPAA.
• Data properly de-identified under HIPAA, when you can demonstrate the method and retain supporting documentation.

What it does not cover

• Personal data collected outside HIPAA contexts (e.g., website analytics, cookies, device identifiers, and advertising pixels).
• Consumer Health Data gathered for marketing, community outreach, or patient acquisition when it is not PHI.
• CRM, event, newsletter, or donor lists that include Maryland residents’ personal data but are not PHI.

The takeaway: the exemption follows the data. You must classify and tag records so you can confidently apply HIPAA to PHI and MODPA to all other personal data.

Dual Compliance Strategies

Because you operate under a dual regulatory framework, your privacy compliance protocols should segment PHI from non-PHI at every step of personal data handling. Build durable controls that determine which rule set applies before data moves or is shared.

Practical playbook

• Data mapping and tagging: inventory systems, fields, and flows; label each data set as PHI, HIPAA de-identified, or MODPA personal data.
• Purpose controls: document allowed uses for each category (treatment/operations vs. analytics/marketing) and enforce them in tooling.
• Vendor governance: maintain BAAs for PHI and separate commercial contracts for MODPA data with strict restrictions on use and sharing.
• Rights-request routing: triage consumer requests; send PHI-related requests to HIPAA processes and non-PHI requests to MODPA workflows.
• Cross-policy alignment: keep the HIPAA Notice of Privacy Practices distinct from your consumer privacy notice; scope each clearly.

Data Collection Practice Reviews

Start at the perimeter—your websites, apps, and campaigns. Many compliance gaps arise from trackers and tags that quietly collect personal data outside HIPAA workflows.

Steps that reduce risk fast

• Tag governance: implement a server-side tag manager; restrict pixels from firing on authenticated patient pages and forms.
• Form hygiene: collect only necessary fields; avoid free-text boxes for symptoms on non-portal forms; use clear purpose statements.
• Sensitive data checks: block collection of precise geolocation and health-related interest signals unless you have a lawful, disclosed purpose and controls.
• Retention and deletion: define retention for MODPA data separately from HIPAA records; automate deletion queues for marketing systems.
• Testing and attestation: run privacy QA before launches; record approvals for new collection points.

Privacy Policy Updates

Maintain both a HIPAA Notice of Privacy Practices for PHI and a consumer-facing privacy policy for MODPA-covered personal data. Use clear scoping language so people understand which policy applies to which data and context.

What your MODPA-facing policy should include

• Categories of personal data you collect outside HIPAA contexts, with specific purposes for each category.
• Disclosures about targeted advertising, sale/sharing restrictions, and your opt-out mechanisms where applicable.
• Instructions for submitting access, correction, deletion, and appeal requests under MODPA.
• Contact channels, verification methods, and expected timeframes to respond.

Access Control Enhancements

Technical safeguards keep the boundary between PHI and MODPA data strong. Build least-privilege access that mirrors your data classification and enforce it consistently across systems.

Controls that make the separation real

• Role-based access: separate roles for clinical, marketing, analytics, and IT; prohibit role creep into PHI unless authorized.
• Segmentation and encryption: isolate PHI environments; encrypt data in transit and at rest in both HIPAA and MODPA systems.
• Break-glass and logging: require just-in-time elevation for exceptional access; audit and alert on cross-boundary data pulls.
• Third-party oversight: review vendor access footprints; ensure BAAs for PHI and strict contractual limits for MODPA personal data.
• Training and drills: teach staff how the data-level exemption works and how to route requests; run tabletop exercises.

Conclusion

MODPA’s data-level exemption preserves HIPAA’s control over PHI while extending consumer protections to non-PHI personal data. By classifying data, separating workflows, and tightening policies and access controls, you can honor both regimes without slowing care or innovation.

FAQs.

What types of data are exempt under MODPA for HIPAA-covered entities?

PHI handled in compliance with HIPAA is generally exempt, as is information properly de-identified under HIPAA’s methods. The exemption is data-level, so only those specific data sets are excluded; other personal data you process remains subject to MODPA.

How should healthcare organizations handle non-PHI personal data under MODPA?

Treat it as MODPA-covered personal data: disclose purposes, minimize collection, set retention limits, manage vendor use, and offer rights workflows (access, correction, deletion, and opt-outs where applicable). Keep this data technically and operationally separate from PHI and document decisions.

Does MODPA override HIPAA regulations?

No. HIPAA continues to govern PHI, while MODPA governs personal data outside HIPAA. When both could touch the same workflow, apply the strictest requirement and route the data through the correct policy, contract, and access controls.

What are the penalties for non-compliance with MODPA?

MODPA is subject to state enforcement, which can include investigations, injunctive relief, and civil penalties assessed per violation. Exposure increases with willful or repeated conduct and with inadequate remediation. Strong documentation, responsive rights handling, and timely corrections reduce risk.