Maryland Online Data Privacy Act HIPAA Covered Entity Exemption Explained

Kevin Henry

Data Privacy

January 22, 2025

7-minute read
Overview of Maryland Online Data Privacy Act

The Maryland Online Data Privacy Act (MODPA) establishes baseline obligations for organizations that determine the purposes and means of processing personal data about Maryland residents. It emphasizes strict data minimization requirements, purpose limitation, and transparency across the personal data lifecycle.

Under MODPA, controllers must explain what they collect, why they collect it, and how long they keep it. They must limit processing to what is reasonably necessary and proportionate for disclosed purposes, implement appropriate security safeguards, and govern processors through binding contracts. Consumers gain actionable privacy controls and remedies, while the Attorney General oversees compliance and enforcement penalties.

HIPAA and Protected Health Information Exemption

MODPA contains a targeted carve‑out for Protected Health Information (PHI) as defined under HIPAA. When HIPAA-covered entities or their business associates process PHI in compliance with HIPAA, that PHI is exempt from MODPA’s requirements. The intent is to avoid conflicting obligations and duplicative regulation for clinical and payment operations governed by HIPAA.

What the exemption typically covers

  • PHI that HIPAA-covered entities and business associates process in compliance with HIPAA, including treatment, payment, and health care operations.
  • Data that has been de‑identified under the HIPAA standard.

What the exemption does not cover

  • Personal data a HIPAA entity processes outside HIPAA (for example, website analytics, ad tech identifiers, retail loyalty programs, or wellness apps not operated as part of a HIPAA‑regulated offering).
  • Consumer data about non‑patients, such as site visitors, prospects, or donors, when that data is not PHI.
  • Activities by a business associate acting on its own as a controller for non‑PHI.

Bottom line: MODPA’s HIPAA and PHI exemption is scoped to the data and context—not a blanket carve‑out for everything a health system, plan, or vendor touches.

Data-Level vs Entity-Level Exemptions

Data-level exemptions remove specific categories of information (like PHI) from a law’s scope regardless of who holds it, so long as the data fits the definition and is processed within the regulated context. Entity-level exemptions remove entire organizations from coverage, regardless of the data type.

MODPA uses a data-level approach for PHI: PHI processed in compliance with HIPAA is exempt. A limited, context‑based entity concept is also recognized—HIPAA-covered entities and business associates are exempt when they handle information in the same manner as PHI. However, neither group receives an across‑the‑board entity‑level exemption for all processing.

Practical implications

  • If the information is PHI and treated under HIPAA, MODPA steps back.
  • If the same organization runs a consumer health portal, marketing site, or wearable program outside HIPAA, MODPA likely applies to that non‑PHI data.

Impact on Covered Entities and Business Associates

HIPAA-covered entities must separate HIPAA‑regulated operations from consumer‑facing activities that fall outside HIPAA. Expect MODPA duties for non‑PHI activities such as digital marketing, interest‑based advertising, consumer analytics, or community health initiatives that do not create or use PHI.

Covered entities

  • Map data systems to identify PHI vs non‑PHI. Treat PHI under HIPAA; apply MODPA to non‑PHI consumer data.
  • For hybrid entities, ensure clear designation of HIPAA health care components and apply MODPA to data processed by non‑health components where thresholds and scope are met.
  • Revisit tracking technologies on websites and apps. Cookie IDs, IP addresses, and precise location linked to consumers can trigger MODPA duties even when not PHI.

Business associates

  • Work performed strictly under a business associate agreement for PHI remains exempt as PHI.
  • When acting independently as a controller for non‑PHI (for example, product telemetry, prospecting, or cross‑client analytics), MODPA obligations apply.
  • Contracting must reflect dual regimes: BAAs for PHI; MODPA‑compliant data processing agreements for non‑PHI personal data.

Compliance Obligations under MODPA

For non‑exempt personal data, controllers should build a MODPA program that complements HIPAA without conflating the two. Core elements include:

Data minimization and purpose limitation

  • Collect only what is reasonably necessary for disclosed purposes. Avoid open‑ended collection “just in case.”
  • Define retention periods aligned to the purpose and legal obligations; delete or de‑identify when no longer needed.

Sensitive data controls

  • Obtain explicit consent before processing sensitive data categories (for example, precise geolocation, certain health‑related inferences, or biometric identifiers) when not governed by HIPAA.
  • Prohibit secondary uses inconsistent with the original purpose absent new consent.

Transparency and consumer choice

  • Publish a clear privacy notice describing categories of personal data, purposes, retention, sharing, and whether you engage in targeted advertising, sale of personal data, or high‑impact profiling.
  • Provide accessible opt‑out mechanisms for targeted advertising, sale, and certain profiling; honor recognized universal opt‑out signals where applicable.

Governance, security, and assessments

  • Execute processor contracts that specify instructions, confidentiality, security measures, and subprocessor controls.
  • Implement reasonable administrative, technical, and physical safeguards proportionate to risk.
  • Conduct data protection assessments for high‑risk processing, documenting benefits, risks, and mitigations.

Consumer Rights under MODPA

Consumers have robust data rights over non‑exempt information. You must provide and honor mechanisms to:

  • Access and obtain a copy of personal data, with explanations of processing activities.
  • Correct inaccuracies considering the nature and purposes of processing.
  • Delete personal data, subject to narrow exceptions.
  • Port data in a usable format where technically feasible.
  • Opt out of targeted advertising, sale of personal data, and certain automated profiling.
  • Appeal refusals within a defined timeline and inform consumers how to escalate unresolved complaints.

For PHI, HIPAA—not MODPA—governs access, amendment, and disclosure accounting. Direct individuals to the HIPAA process for those requests, and to your MODPA process for non‑PHI consumer data rights.

Enforcement and Penalties

MODPA is enforced by the Maryland Attorney General. There is no private right of action. The Attorney General may pursue injunctive relief, restitution, and civil enforcement penalties assessed per violation, with higher amounts for repeat offenses. Noncompliance can also trigger mandated remediation, monitoring, and reporting obligations.

Key takeaways

  • MODPA’s HIPAA carve‑out is a data‑level exemption for PHI—not a blanket entity‑level exemption.
  • Expect MODPA duties for non‑PHI activities run by HIPAA-covered entities and business associates.
  • Build a dual‑track program: apply HIPAA to PHI, and MODPA to consumer data outside HIPAA, anchored in data minimization requirements and clear consumer choices.
  • Document decisions, controls, and assessments to mitigate enforcement penalties and demonstrate accountability.

FAQs

What data does the HIPAA exemption cover under MODPA?

The exemption covers Protected Health Information processed by HIPAA‑covered entities and business associates in compliance with HIPAA, including treatment, payment, and health care operations, as well as HIPAA‑de‑identified data. It does not extend to consumer data outside the HIPAA context, such as marketing analytics or app telemetry unrelated to PHI.

Does MODPA exempt HIPAA-covered entities entirely?

No. MODPA provides a data‑level exemption for PHI, not a blanket entity‑level exemption. HIPAA‑covered entities remain subject to MODPA for non‑PHI personal data they process, such as website tracking, advertising, loyalty programs, or community outreach data that falls outside HIPAA.

How does MODPA affect business associates of HIPAA entities?

Business associates are exempt when they process PHI on behalf of a covered entity under HIPAA. When they act as independent controllers for non‑PHI—such as marketing their own products, analyzing product usage, or building audience segments—they must comply with MODPA’s requirements, including data minimization, transparency, opt‑outs, and consumer data rights.

What are the penalties for MODPA violations?

MODPA is enforced by the Maryland Attorney General, who may seek injunctive relief, restitution, and civil enforcement penalties assessed per violation, with increased penalties for repeat violations. There is no private right of action, but organizations can face significant remediation and monitoring obligations following violations.
