Minnesota Privacy Law for HIPAA Entities: Exemption Rules, Examples, Action Steps

Kevin Henry

Data Privacy

January 24, 2025


Overview of Minnesota Consumer Data Privacy Act

The Minnesota Consumer Data Privacy Act (MCDPA) is the state’s comprehensive privacy law that took effect on July 31, 2025. It grants Minnesota residents rights to access, correct, delete, and opt out of certain uses of their personal data, and it imposes transparency, minimization, and security duties on covered businesses. For HIPAA entities, the key takeaway is that the MCDPA overlays HIPAA: it governs non‑HIPAA data you handle while largely exempting specific categories of regulated health information.

Residents can exercise opt-out rights through a universal opt-out mechanism, and businesses must provide clear notices and honor requests within defined timelines. Enforcement is handled exclusively by the Minnesota Attorney General. ([ag.state.mn.us](https://www.ag.state.mn.us/Office/Communications/2025/07/28_MCDPA.asp?utm_source=openai))

Criteria for MCDPA Applicability

The MCDPA applies to legal entities that conduct business in Minnesota or target Minnesota residents and meet either of the following thresholds during a calendar year:

  • Control or process personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction), or
  • Derive over 25% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers.

These thresholds determine whether you must implement MCDPA duties for in-scope data, regardless of whether you are also a HIPAA covered entity or business associate. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

HIPAA Covered Entity Exemptions

The MCDPA does not grant a blanket, entity-level exemption for HIPAA covered entities or business associates. Instead, it carves out specific categories of health information from the law, meaning your PHI and certain related records are excluded, but non‑HIPAA data you collect (for example, marketing or website analytics about Minnesota residents) can still be subject to MCDPA. ([ag.state.mn.us](https://www.ag.state.mn.us/Data-Privacy/Exemptions/))

Examples: what’s typically out of scope vs. in scope

  • Generally out of scope: Protected Health Information (PHI) in your EHR; Minnesota Health Records Act “health records”; 42 CFR Part 2 substance use disorder records; HIPAA‑deidentified data and limited data sets when handled as HIPAA requires; and public‑health activity data. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))
  • Potentially in scope: Website cookies/analytics unrelated to patient care; consumer marketing lists and newsletter sign-ups; community event RSVPs; and other consumer data that are not PHI or otherwise exempt under the statute.

Exemptions for Health and Financial Data

Health data exemptions

  • PHI as defined by the Health Insurance Portability and Accountability Act (HIPAA).
  • “Health records” under the Minnesota Health Records Act (Minn. Stat. 144.291 et seq.).
  • 42 CFR Part 2 patient-identifying information for substance use disorder treatment.
  • Data derived from these health data that are deidentified under HIPAA’s Data Deidentification Standards (45 CFR Part 164) and limited data sets when used and maintained as HIPAA requires.
  • Information “intermingled” with exempt health data maintained by a covered entity/business associate or a health care provider to the extent it’s indistinguishable from the exempt data.
  • Data used solely for HIPAA‑authorized public health activities. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

Financial and other notable exclusions

  • Data collected, processed, or disclosed pursuant to the Gramm‑Leach‑Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA).
  • Entity‑level exclusions for state or federally chartered banks or credit unions, and certain insurance companies/producers/administrators.
  • Employee/applicant/contractor data used solely within that employment or applicant context; payment‑only transactions where no consumer data are retained; and certain airline, education, and farm credit data. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

Compliance Requirements for HIPAA Entities

If you meet the MCDPA thresholds, you must comply for in-scope, non‑exempt data. Focus on practical controls that complement HIPAA without duplicating it.

Privacy notices and consumer rights

  • Publish a clear privacy notice that discloses data categories, purposes, retention, contact information, third‑party sharing/sales, and the date last updated.
  • Provide an easy, conspicuous method to opt out of targeted advertising, data sales, and certain profiling decisions; honor universal opt-out preference signals.
  • Authenticate and fulfill access, correction, deletion, and portability requests within 45 days (one 45‑day extension permitted for complexity). Maintain records of appeals for at least 24 months. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

Data governance and security

  • Limit collection to what’s adequate, relevant, and reasonably necessary; avoid retaining personal data longer than needed for disclosed purposes.
  • Implement reasonable administrative, technical, and physical safeguards appropriate to the volume and sensitivity of data.
  • Obtain opt-in consent before processing “sensitive data” (which includes health condition/diagnosis when not otherwise HIPAA‑exempt) and for targeted advertising/sales for minors ages 13–16. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

Assessments, roles, and contracts

  • Document a data privacy and protection assessment for targeted advertising, sales, sensitive data processing, profiling with significant effects, and other high‑risk processing.
  • Designate a chief privacy officer or privacy lead and maintain written policies describing how you meet MCDPA obligations (including a data inventory).
  • Ensure processor contracts cover required terms. For HIPAA business associates, align your Business Associate Agreement and your MCDPA data processing addendum so both HIPAA and MCDPA obligations are covered for non‑exempt data. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

Enforcement and Penalties Under MCDPA

The Minnesota Attorney General has exclusive enforcement authority. Until January 31, 2026, the AG must issue a warning letter and provide 30 days to cure before bringing an action; after that date, there is no cure requirement. Penalties can reach up to $7,500 per violation, along with injunctive relief and recovery of litigation expenses; there is no private right of action. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

Practical Action Steps for HIPAA Entities

  • Map your data: separate PHI and Minnesota Health Records Act data from non‑exempt consumer data (web, marketing, events, and other non‑clinical touchpoints).
  • Confirm applicability: evaluate Minnesota contacts and count Minnesota consumers to determine if you meet MCDPA thresholds.
  • Update your privacy notice and build an opt‑out center that also recognizes universal opt‑out signals.
  • Stand up rights-response workflows (access/correct/delete/portability/appeals) with 45‑day SLAs and 24‑month appeal record retention.
  • Implement minimization, retention limits, and security controls aligned to the sensitivity and volume of data.
  • Obtain opt‑in consent for sensitive data when HIPAA exemptions don’t apply, and for targeted advertising/sales involving teens ages 13–16.
  • Complete data privacy and protection assessments for targeted ads, sales, sensitive data, and profiling.
  • Align contracts: update BAAs and add processor terms that satisfy MCDPA for non‑exempt data.
  • Designate a privacy lead/CPO and maintain written, up‑to‑date MCDPA policies and a data inventory.

Bottom line: HIPAA shields PHI and certain related records, but the Minnesota Consumer Data Privacy Act still reaches your non‑HIPAA consumer data. Treat MCDPA as a complementary layer: scope correctly, tune your notices and rights handling, and document governance to reduce enforcement risk.

FAQs

What entities are exempt from the Minnesota Consumer Data Privacy Act?

Entity-level exemptions include government entities, federally recognized tribes, state or federally chartered banks or credit unions, certain insurance companies and related entities, qualifying small businesses (with limits), and air carriers to the extent preempted. Note that HIPAA covered entities are not categorically exempt as entities; rather, specific types of health data are excluded from the law. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

How does HIPAA impact MCDPA compliance?

HIPAA significantly narrows your MCDPA exposure by excluding PHI, Minnesota Health Records Act “health records,” 42 CFR Part 2 records, HIPAA‑deidentified data and limited data sets, certain intermingled data, and public‑health activity data. But MCDPA still applies to non‑exempt consumer data you process (for example, website analytics or marketing)—so you must provide notices, honor universal opt‑out signals, and fulfill access/correction/deletion requests for that data. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

What data is excluded under the HIPAA exemption?

Excluded data include PHI (as defined by HIPAA), Minnesota Health Records Act “health records,” 42 CFR Part 2 substance use disorder records, HIPAA‑deidentified data and limited data sets (when used/maintained per HIPAA), intermingled data that are indistinguishable from exempt health data and maintained by a covered entity/provider, and data used solely for HIPAA‑authorized public health activities. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))

What are the penalties for violating the MCDPA?

Only the Minnesota Attorney General may enforce the law. Civil penalties can reach up to $7,500 per violation, and courts may grant injunctions and award the state its litigation expenses. Through January 31, 2026, the AG must first issue a warning letter and allow 30 days to cure; after that, cures are not required before suit. There is no private right of action. ([revisor.mn.gov](https://www.revisor.mn.gov/statutes/2024/cite/325M/2024-11-08%2012%3A06%3A38%2B00%3A00/full))
