Maryland Online Data Privacy Act vs HIPAA: Covered Entity Exemption Checklist


Kevin Henry

Data Privacy

January 22, 2025

8 minute read

Maryland Online Data Privacy Act Applicability

The Maryland Online Data Privacy Act (MODPA) applies to organizations that determine the purposes and means of processing Consumer Personal Data about Maryland residents. You are in scope when your activities meet the law’s Data Processing Thresholds and your processing is not otherwise exempt.

Who is a controller or processor

You are a controller if you decide why and how to process Consumer Personal Data. You are a processor if you handle data on behalf of a controller under documented instructions. Many health sector organizations act in both roles, depending on the data flow and contract terms.

Data Processing Thresholds

MODPA uses quantitative thresholds tied to the volume of Consumer Personal Data processed and, for some organizations, revenue derived from data sales. Start by counting unique Maryland consumers whose data you control and confirming whether any revenue is linked to data disclosures.

Consumer Personal Data in scope

Consumer Personal Data covers information that identifies or is reasonably linkable to a Maryland resident acting in a personal, household, or similar context. Data collected in employment or business-to-business contexts may be treated differently, but you should validate each use case against MODPA’s definitions.

MODPA Exemptions Overview

MODPA includes both entity-level and data-level carve-outs. Your first task is to determine whether your organization qualifies for an entity exemption, and then confirm whether particular datasets qualify for a data-level exemption.

Common exemption patterns

  • Entity-level coverage for organizations regulated under certain sectoral laws, subject to scope limits.
  • Data-level exemptions for specific categories such as Protected Health Information (PHI), de-identified data, public records, research data meeting defined safeguards, security and incident response data, and data processed to comply with law.
  • Purpose-based exemptions, including activities like Insurance Fraud Investigation or public safety support that align with statutory public-interest exceptions.

Definition of HIPAA Covered Entities

Under HIPAA, covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. Business associates are service providers that create, receive, maintain, or transmit PHI for a covered entity under a Business Associate Agreement.

Protected Health Information and scope

Protected Health Information is individually identifiable health information held or transmitted by a covered entity or business associate, in any form or medium, excluding de-identified information. PHI status depends on both content and custodian—who holds the data and in what capacity.

Business Associate Agreement (BAA)

A valid Business Associate Agreement defines the permitted uses, disclosures, safeguards, and breach reporting for PHI handled by vendors. The BAA is central to determining when a vendor’s processing is governed by HIPAA and when other laws like MODPA may apply to non-PHI services.

HIPAA Exemptions Scope

MODPA generally defers to HIPAA for PHI processed by covered entities or business associates acting in a HIPAA capacity. That said, HIPAA does not blanket every dataset you hold, and MODPA’s protections can still apply to non-PHI Consumer Personal Data you control.

What is typically outside the HIPAA carve-out

  • Consumer Personal Data collected on public-facing websites and apps (e.g., advertising identifiers, analytics, cookies) when not tied to PHI or processed in a HIPAA role.
  • Marketing lists and prospecting data unrelated to treatment, payment, or health care operations.
  • Certain employment, contractor, or B2B records that fall outside HIPAA’s definition of PHI and outside MODPA’s employment/B2B limitations.

De-identified and limited data

Data that meets HIPAA de-identification standards can qualify for MODPA’s data-level exemption for de-identified information. However, re-identification or combining de-identified data with other sources can bring it back into scope, so you should maintain technical and contractual controls.


Interaction Between MODPA and HIPAA

Use this Covered Entity Exemption Checklist to determine whether MODPA applies to your organization and to specific datasets you handle alongside HIPAA obligations.

Covered Entity Exemption Checklist

  • Confirm your role: Are you a HIPAA covered entity or a business associate under a current Business Associate Agreement for the processing in question?
  • Classify the data: Is the dataset PHI, de-identified data, or Consumer Personal Data collected outside a HIPAA context (e.g., web analytics, app telemetry)?
  • Map the purpose: Is the processing for treatment, payment, or health care operations, or for unrelated purposes like advertising, audience measurement, or profiling?
  • Apply Data Processing Thresholds: Do you meet MODPA’s thresholds based on the number of Maryland consumers and revenue tied to data sales or disclosures?
  • Segment systems and vendors: Separate PHI systems from consumer-facing systems; ensure non-PHI vendors support MODPA Data Privacy Compliance Requirements (e.g., data minimization, rights responses).
  • Assess sensitive data: Identify sensitive data elements (e.g., precise geolocation, health-related inferences) and determine whether opt-in or prohibition rules apply under MODPA.
  • Document your rationale: Record which exemptions you rely on (entity-level, data-level, or purpose-based) and retain evidence for audits or regulator inquiries.

Illustrative scenarios

  • Hospital website analytics: Tracking technologies collecting Consumer Personal Data on a public site are typically not PHI. If thresholds are met, MODPA obligations can apply even though the hospital is HIPAA-covered.
  • Patient portal data: PHI within a portal and handled under HIPAA is usually outside MODPA’s consumer rights framework, but mixed-use tags or cross-site tracking can reintroduce MODPA scope.
  • Marketing campaigns: Email prospecting and adtech using non-PHI identifiers may be squarely within MODPA, requiring opt-out mechanisms and data minimization.

Nonprofit Organization Exemptions Under MODPA

MODPA does not treat all nonprofits the same. Some nonprofit activities may be excluded by statute, while others remain fully subject to the law if Data Processing Thresholds are met and no specific exemption applies.

How nonprofits should evaluate scope

  • Identify whether your nonprofit engages in functions expressly carved out (for example, certain public safety support or research with safeguards).
  • If you are a nonprofit health system or clinic, determine when you act as a HIPAA covered entity handling PHI versus when you collect non-PHI Consumer Personal Data (events, donations, marketing).
  • For mixed operations, apply the exemption only “to the extent” it fits; do not assume a blanket nonprofit exclusion.

Data-Level Exemptions in MODPA

Even if your organization is in scope, specific data categories can be exempt. Confirm eligibility on a dataset-by-dataset basis and align technical controls accordingly.

Key categories to validate

  • Protected Health Information processed under HIPAA by a covered entity or business associate.
  • De-identified data that meets accepted de-identification standards with no reasonable means of re-identification.
  • Publicly available information and records lawfully made public by government entities.
  • Data processed for security, fraud prevention, or Insurance Fraud Investigation, when limited to that purpose.
  • Research data processed with governance safeguards that meet applicable requirements.
  • Emergency and public safety purposes, including First Responder Data Handling necessary to provide or coordinate emergency services.
  • Processing strictly necessary to comply with legal obligations or to establish, exercise, or defend legal claims.

Operationalizing exemptions

  • Tag datasets with exemption metadata and apply access controls so exempt data is not repurposed.
  • Maintain separate retention schedules for PHI, de-identified data, and Consumer Personal Data to support data minimization.
  • Flow down obligations in vendor contracts, distinguishing BAA-governed services from non-PHI services that must meet MODPA Data Privacy Compliance Requirements.
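The checklist above and this "Operationalizing exemptions" list describe one control: record which exemption each dataset relies on and refuse uses outside that exemption's purpose. The following is an added example, not code from the article or from Accountable; the exemption categories mirror the checklist, while the consumer threshold, the purpose sets and every dataset are constructed placeholders rather than MODPA's statutory figures.

```python
"""Added example: a dataset catalogue with exemption tags and a purpose check.
Threshold, purpose names and datasets are constructed placeholders (assumption)."""
from dataclasses import dataclass
from enum import Enum


class Exemption(Enum):
    NONE = "none"                         # ordinary Consumer Personal Data
    PHI_HIPAA = "phi_hipaa"               # PHI handled in a HIPAA capacity
    DEIDENTIFIED = "deidentified"         # meets de-identification standards
    SECURITY_FRAUD = "security_fraud"     # security / Insurance Fraud Investigation
    LEGAL_OBLIGATION = "legal_obligation"


# Purposes each data-level exemption covers (constructed labels). Any other use
# is repurposing, which the checklist says access controls must prevent.
ALLOWED_PURPOSES = {
    Exemption.PHI_HIPAA: {"treatment", "payment", "health_care_operations"},
    Exemption.DEIDENTIFIED: {"research", "aggregate_reporting"},
    Exemption.SECURITY_FRAUD: {"security", "fraud_prevention"},
    Exemption.LEGAL_OBLIGATION: {"legal_compliance", "legal_claims"},
}
# Uses the article names as triggering MODPA opt-out and minimization duties.
OPT_OUT_PURPOSES = {"advertising", "profiling", "audience_measurement"}


@dataclass(frozen=True)
class Dataset:
    name: str
    exemption: Exemption
    hipaa_capacity: bool   # held as a covered entity, or as a BA under a BAA
    md_consumers: int      # unique Maryland consumers represented


def exemption_holds(ds: Dataset) -> bool:
    """The PHI carve-out applies only 'to the extent' HIPAA governs the holder;
    a PHI tag without HIPAA capacity gives no exemption at all."""
    if ds.exemption is Exemption.PHI_HIPAA:
        return ds.hipaa_capacity
    return ds.exemption is not Exemption.NONE


def evaluate_use(ds: Dataset, purpose: str, consumer_threshold: int) -> str:
    """Classify a proposed use of a dataset for a given purpose."""
    if exemption_holds(ds):
        if purpose in ALLOWED_PURPOSES[ds.exemption]:
            return "EXEMPT_OK"
        return "DENY_REPURPOSING"          # exempt data used outside its purpose
    if ds.md_consumers >= consumer_threshold:   # non-exempt: apply thresholds
        return "MODPA_OPT_OUT_REQUIRED" if purpose in OPT_OUT_PURPOSES else "MODPA_IN_SCOPE"
    return "BELOW_THRESHOLD"
```

Mis-tagged PHI held by a vendor without a BAA falls through to the threshold test, which is the case the checklist's "confirm your role" step is meant to catch.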

Bottom line: MODPA and HIPAA can both apply within the same organization. Your exemption analysis should be purpose- and dataset-specific, supported by contracts (such as a Business Associate Agreement), and documented against MODPA’s Data Processing Thresholds and sensitive data rules.

FAQs

What entities are exempt from MODPA due to HIPAA coverage?

Entities acting in a HIPAA capacity—covered entities and business associates processing PHI under a Business Associate Agreement—generally fall outside MODPA for that PHI processing. The exemption is not universal; it applies “to the extent” of HIPAA-governed activities and does not automatically cover all operations of the organization.

How does MODPA treat non-PHI data held by HIPAA-covered entities?

Non-PHI Consumer Personal Data—like website analytics, advertising identifiers, or event marketing lists—can be in scope if you meet MODPA’s Data Processing Thresholds and no other exemption applies. You should implement MODPA controls (notices, rights handling, opt-outs, data minimization) for those datasets.

What qualifies a nonprofit for exemption under MODPA?

There is no guaranteed blanket nonprofit exclusion. A nonprofit may rely on specific statutory carve-outs tied to its functions (for example, defined public safety or research activities) or on data-level exemptions such as PHI under HIPAA. Otherwise, nonprofits that meet thresholds and process Consumer Personal Data are generally expected to comply.

Are there data categories exempt from both MODPA and HIPAA?

Yes. Properly de-identified data is outside HIPAA’s PHI definition and typically benefits from MODPA’s de-identified data exemption. Other overlapping carve-outs may include publicly available information and narrowly tailored processing for security or Insurance Fraud Investigation, provided you do not repurpose the data beyond those purposes.
