Montana Data Privacy Law in Healthcare: MCDPA vs HIPAA and What Providers Need to Know
MCDPA Overview and Key Provisions
What the MCDPA does
The Montana Consumer Data Privacy Act (MCDPA) establishes baseline duties for organizations that process personal data about Montana residents. For healthcare stakeholders, it reaches beyond traditional medical records to govern consumer-facing data, such as website analytics, patient acquisition tools, and telehealth platforms that are not handling Protected Health Information under HIPAA.
Core Consumer Data Rights
- Right to know: individuals can learn what personal data is collected, from whom, and for what purposes.
- Right to access and portability: individuals can obtain copies of their data in a usable format.
- Right to correct and delete: inaccurate data can be rectified and certain data can be erased.
- Right to opt out: individuals can opt out of targeted advertising, the sale of personal data, and profiling used to make decisions that produce legal or similarly significant effects.
These Consumer Data Rights apply to personal data within MCDPA’s scope and exist alongside, not in place of, HIPAA rights such as access to a designated record set.
Controller and processor obligations
- Transparency: clear privacy notices describing processing purposes, categories of data, and opt-out mechanisms.
- Purpose limitation and data minimization: collect only what is necessary and use it for stated purposes.
- Security safeguards: implement reasonable administrative, technical, and physical measures appropriate to risk.
- Consent for sensitive data: obtain affirmative consent before processing sensitive categories, which under the MCDPA include mental or physical health condition or diagnosis, genetic or biometric data, precise geolocation, and the personal data of a known child, among others.
- Processor contracts: require written instructions and protections when vendors process data on your behalf.
Applicability Criteria for MCDPA
Who is covered
MCDPA applies to organizations that conduct business in Montana or offer products or services to Montana residents and meet defined Data Processing Thresholds. In practice, this typically captures larger providers, digital health platforms, and vendors with measurable volumes of Montana consumer data or meaningful revenue tied to data sales.
Data Processing Thresholds
Coverage turns on quantitative thresholds tied to the number of consumers whose personal data is processed and, in some cases, revenue derived from selling personal data. If you are a small clinic or specialty practice with limited marketing data, you may fall below these thresholds; large health systems, multi-state telehealth providers, and ad-supported health apps are more likely to be in scope.
Controller vs. processor in healthcare
- Controller: the entity deciding “why” and “how” personal data is processed (for example, a hospital operating a public-facing website that tracks visitor behavior for targeted ads).
- Processor: the vendor acting on a controller’s documented instructions (for example, a marketing technology platform or cloud analytics provider).
Correctly classifying roles is essential because controllers have direct obligations to honor Consumer Data Rights, while processors must implement safeguards and assist controllers with compliance.
Exemptions Under MCDPA Related to Healthcare
Healthcare Data Exemptions likely to apply
- Protected Health Information processed by HIPAA covered entities or business associates is generally exempt when handled in accordance with HIPAA.
- De-identified health information meeting HIPAA de-identification standards is typically excluded.
- Clinical research and human subjects research compliant with applicable research rules may be out of scope.
- Patient safety and certain public health activities often qualify for carve-outs under state consumer privacy frameworks.
These Healthcare Data Exemptions focus the MCDPA on non-PHI consumer contexts. That means data from a consumer wellness app not acting as a HIPAA business associate, or tracking on a provider’s marketing site, may be in scope even when EHR data is not.
Examples of in-scope vs. out-of-scope data
- In scope: cookie IDs, mobile ad IDs, site forms completed by prospective patients, geolocation used for targeted outreach, or data from wearables routed to a non-HIPAA platform.
- Out of scope: PHI in an EHR handled under HIPAA, disclosures allowed by the Privacy Rule, or de-identified data that meets HIPAA standards.
HIPAA Regulations and Scope
Covered entities, business associates, and PHI
HIPAA applies to covered entities (health plans, most healthcare providers that conduct standard transactions, and healthcare clearinghouses) and their business associates. It regulates Protected Health Information in any form, whether electronic, paper, or oral, when created or received by these entities.
Privacy Rule
The Privacy Rule governs permissible uses and disclosures, minimum necessary standards, patient notices, and rights such as access and amendment. It requires policies, workforce training, and safeguards that reflect the sensitivity of PHI and the context of care.
Security Rule
The Security Rule requires risk-based administrative, physical, and technical controls to protect electronic PHI, including access management, encryption standards appropriate to risk, incident response, and ongoing risk analysis.
Business Associate Agreements
When vendors handle PHI on behalf of a covered entity, HIPAA mandates Business Associate Agreements that define permitted uses, safeguards, breach responsibilities, and subcontractor flow-down terms. BAAs coexist with MCDPA processor contracts when a vendor also handles non-PHI consumer data.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Comparative Analysis of MCDPA and HIPAA
Scope and data covered
- MCDPA: personal data of consumers, including identifiers and online activity; health-related data counts as "sensitive data" whether or not it arises in a clinical context.
- HIPAA: PHI tied to care delivery, payment, and operations by covered entities and business associates.
Individual rights
- MCDPA: Consumer Data Rights—access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling.
- HIPAA: patient rights under the Privacy Rule, namely access to and amendment of PHI, an accounting of disclosures, and requests for restrictions and confidential communications.
Legal bases and consent
- MCDPA: opt-in consent for sensitive data and clear opt-out choices for advertising and sales; transparency is central.
- HIPAA: permitted uses and disclosures framework; written authorization is required for most marketing communications, any sale of PHI, and uses or disclosures the Privacy Rule does not otherwise permit or require.
Contracts and vendors
- MCDPA: controller–processor contracts specifying instructions, confidentiality, security, and subprocessor oversight.
- HIPAA: Business Associate Agreements with required clauses on PHI uses, safeguards, and breach duties.
When both regimes matter
Many providers operate dual data environments. PHI in the EHR follows HIPAA, while non-PHI consumer data from websites, apps, or outreach programs can trigger MCDPA duties. Effective compliance separates these environments, applies correct notices and choices, and ensures vendors are contracted appropriately under both laws.
Compliance Strategies for Healthcare Providers
1) Map and segregate data
Inventory all data flows. Label systems that handle PHI versus consumer data subject to MCDPA. Segregate tracking technologies from patient portals and avoid mixing identifiers that could transform consumer data into PHI.
2) Assess applicability and thresholds
Estimate volumes of Montana consumer records processed across websites, apps, and marketing platforms. If you approach the MCDPA’s Data Processing Thresholds or sell personal data, escalate to legal review and plan for full compliance.
3) Update privacy notices and choice mechanisms
Publish clear disclosures for consumer data, including purposes, categories, and retention practices. Offer opt-out controls for targeted advertising and data sales, and honor universal opt-out preference signals such as Global Privacy Control, which the MCDPA requires controllers to recognize.
4) Build Consumer Data Rights operations
Stand up request workflows to authenticate requesters, locate data across systems, apply Healthcare Data Exemptions where appropriate, and respond within statutory timelines. Document denials with precise justifications when medical record retention or other legal obligations prevent deletion.
5) Strengthen vendor governance
Use Business Associate Agreements for PHI and complementary processor agreements for non-PHI consumer data. Ensure contracts cover instructions, confidentiality, security controls, subprocessor approval, audit support, and breach notification coordination.
6) Manage consent and sensitive data
Obtain explicit consent before processing sensitive data categories, including health data outside HIPAA. Avoid targeted advertising on authenticated patient portals and configure tags to prevent collection of sensitive signals without consent.
7) Align security with both laws
Leverage your HIPAA Security Rule program—risk analysis, access control, encryption, logging, and incident response—as the baseline. Extend controls to consumer-data systems, including cookie/SDK risk reviews, vendor penetration testing attestations, and data minimization.
8) Train, test, and document
Train marketing, communications, IT, and clinical teams on dual-regime obligations. Run tabletop exercises for data subject requests and potential tracking technology incidents. Maintain records of decisions, approvals, assessments, and responses.
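Steps 1, 3, and 6 above all come down to one runtime decision on the public website: which tags may load on this page view, given where the visitor is, what opt-out signals the browser sent, and what consent is on record. The following is an added example of that gate, not code from the original page or from any vendor's consent tool. The tag inventory, the route prefixes, and the consent field names are assumptions chosen for illustration; the one external fact it relies on is the Global Privacy Control signal, sent as the `Sec-GPC: 1` request header and exposed in browsers as `navigator.globalPrivacyControl`.

```javascript
// Added example: consent- and signal-gated tag loading for a provider website.
// Tag names, route prefixes and consent fields are assumptions for illustration.

// Constructed tag inventory. "sensitive" marks tags whose events would carry
// health-related signals (e.g. condition searches) and therefore need opt-in.
const TAG_INVENTORY = {
  'session-security':      { category: 'essential',            sensitive: false },
  'site-analytics':        { category: 'analytics',            sensitive: false },
  'ad-retargeting':        { category: 'targeted_advertising', sensitive: false },
  'data-partner-sync':     { category: 'sale',                 sensitive: false },
  'symptom-search-events': { category: 'analytics',            sensitive: true  },
};

// Assumed authenticated, patient-facing route prefixes. Nothing but essential
// tags loads here, regardless of consent, so portal activity never reaches
// marketing or analytics vendors.
const PORTAL_PREFIXES = ['/portal/', '/telehealth/', '/appointments/'];

// Categories that a universal opt-out signal and the site's own opt-out
// controls switch off.
const OPT_OUT_CATEGORIES = new Set(['targeted_advertising', 'sale']);

// Exact-segment match so that "/portals-news" is not mistaken for "/portal/".
function isPortalPath(path) {
  return PORTAL_PREFIXES.some((p) => path === p.slice(0, -1) || path.startsWith(p));
}

// Server side: Global Privacy Control arrives as the request header "Sec-GPC: 1".
function gpcFromHeaders(headers) {
  const v = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return v === '1';
}

// Browser side: the same signal is exposed as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which tags may load for one page view.
//   ctx.path     request path
//   ctx.gpc      boolean, universal opt-out signal present
//   ctx.consent  { optOutAds, optOutSale, sensitiveOptIn } (all optional booleans)
// Returns { allowed: [tag], blocked: [{ tag, reason }] } so the decision can be logged.
function decideTags(ctx, inventory = TAG_INVENTORY) {
  const allowed = [];
  const blocked = [];
  const consent = ctx.consent || {};
  const portal = isPortalPath(ctx.path);

  for (const [tag, meta] of Object.entries(inventory)) {
    let reason = null;
    if (meta.category === 'essential') {
      // Always loads; no personal data leaves the first party.
    } else if (portal) {
      reason = 'authenticated_area';
    } else if (meta.sensitive && consent.sensitiveOptIn !== true) {
      reason = 'no_sensitive_consent';          // opt-in required, never inferred
    } else if (OPT_OUT_CATEGORIES.has(meta.category) && ctx.gpc) {
      reason = 'gpc_signal';                    // signal wins over stored defaults
    } else if (meta.category === 'targeted_advertising' && consent.optOutAds) {
      reason = 'user_opt_out';
    } else if (meta.category === 'sale' && consent.optOutSale) {
      reason = 'user_opt_out';
    }
    if (reason) blocked.push({ tag, reason }); else allowed.push(tag);
  }
  return { allowed, blocked };
}

// Demo: a public service page, GPC-enabled browser, no consent on record.
console.log(decideTags({ path: '/services/cardiology', gpc: true, consent: {} }));
```

The order of the checks is the point: the authenticated-area rule fires before any consent is consulted, the sensitive-tag rule requires an explicit `true` rather than the absence of an opt-out, and the GPC signal blocks advertising and sale tags even when no stored preference exists. Keep the `blocked` list in your request logs; it is the evidence you will want when answering a consumer request or an audit question about why a given vendor did or did not receive data.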
Implications for Patient Data Management
Lifecycle governance
MCDPA encourages disciplined lifecycle management: collect less, keep data only as long as needed, and tie retention to a written schedule. For medical records, follow clinical and legal retention; for consumer data, apply shorter horizons and robust deletion routines.
Data quality and patient trust
Correction rights and transparency requirements incentivize better metadata and audit trails. Clear boundaries between PHI and consumer data, coupled with forthright notices, strengthen trust and reduce the risk of misclassification or over-collection.
Technology and vendor selection
Choose platforms that support consent management, opt-out signals, secure event collection, and granular data exports for access and portability. Prioritize vendors willing to sign both Business Associate Agreements and processor terms when their services span PHI and consumer data.
FAQs
How does MCDPA affect healthcare providers in Montana?
MCDPA primarily affects the consumer-data side of your operations—websites, apps, and outreach programs—by imposing transparency, opt-out, and data rights obligations. Your HIPAA-governed PHI workflows continue under the Privacy Rule and Security Rule, but you must ensure non-PHI consumer data is handled in line with MCDPA.
What are the exemptions for HIPAA under MCDPA?
Data that is Protected Health Information processed in compliance with HIPAA is generally exempt, as is de-identified information meeting HIPAA standards. Certain clinical research and public health activities are also commonly carved out, keeping the focus on consumer data outside HIPAA.
Can healthcare providers be subject to both MCDPA and HIPAA?
Yes. Most providers operate HIPAA environments for PHI and separate consumer-data environments for marketing or digital engagement. HIPAA governs PHI with BAAs and the Privacy and Security Rules, while MCDPA governs personal data outside HIPAA, requiring consumer rights handling, opt-outs, and processor contracts.
What compliance steps are required for Montana healthcare providers under the new law?
Map data, confirm applicability against Data Processing Thresholds, refresh privacy notices and opt-out controls, operationalize Consumer Data Rights, shore up vendor agreements (BAAs and processor terms), obtain consent for sensitive data, extend security controls to consumer systems, and train teams on dual obligations.