Oregon Consumer Privacy Act for HIPAA Entities: Exemption, Examples, Compliance Tips
Kevin Henry

Data Privacy

January 25, 2025

Exempt Data Types Under OCPA

Under the Oregon Consumer Privacy Act (OCPA), Protected Health Information processed by a HIPAA covered entity or business associate is generally exempt. De-identified information under HIPAA, and medical records handled in accordance with applicable health privacy rules, also fall outside OCPA’s scope.

Employment-related personal data is typically exempt when used in an employer-employee context. Data processed to comply with other laws—such as the Gramm-Leach-Bliley Act (GLBA) or the Fair Credit Reporting Act (FCRA)—can also be excluded when handled strictly for those purposes.

Practical examples

  • PHI in an electronic health record used for treatment or billing is exempt.
  • De-identified datasets used for quality improvement are exempt.
  • Website analytics capturing visitor behavior on a clinic’s marketing site are not PHI and may be subject to OCPA.
  • Patient satisfaction surveys stored outside the EHR may be in scope if they include identifiable personal data and are not PHI.

Exempt Activities for HIPAA Entities

Activities conducted for treatment, payment, and health care operations that already meet HIPAA standards are generally outside OCPA’s reach. Public health reporting to authorities, peer review, quality assurance, and clinical research performed under HIPAA or the Common Rule are frequently exempt as well.

Activities likely exempt

  • Claims processing and revenue cycle work using PHI.
  • Care coordination and utilization management.
  • Mandatory reporting of diseases or adverse events.
  • IRB-approved research using PHI or properly de-identified data.

Activities likely in scope

  • Digital marketing on public websites and apps.
  • Consumer-facing portals that collect data not classified as PHI (e.g., event registrations, newsletter sign-ups).
  • Use of cookies, pixels, or SDKs for targeted advertising unrelated to treatment or operations.

Specific Exempt Entities

Certain organizations or contexts are excluded from OCPA for the data they process within their regulated activities. Government bodies, consumer reporting agencies handling data under FCRA, and financial institutions subject to GLBA are typical examples.

Exemptions are purpose-based. If an exempt entity processes personal data outside its regulated activity, that data may fall under OCPA. The same applies to a HIPAA Covered Entity handling non-PHI for marketing or other consumer interactions.

Compliance Best Practices

Build a clear boundary between PHI and non-PHI

  • Map data flows to distinguish PHI from consumer personal data.
  • Segment systems so consumer data used for marketing or analytics is isolated from PHI.

Strengthen data privacy obligations

  • Publish a clear, accurate privacy notice covering OCPA rights for non-PHI processing.
  • Implement lawful bases and minimization for consumer data collected outside HIPAA.
  • Adopt role-based access, retention limits, and audit logging for consumer data.

Operationalize consumer rights mechanisms

  • Stand up request intake for access, correction, portability, and data deletion requests.
  • Offer opt-outs for targeted advertising, sale of personal data, and high-risk profiling.
  • Maintain an appeals channel when requests are denied.

Vendor and technology controls

  • Evaluate pixels, tags, and SDKs to prevent unintended disclosure of health-related data.
  • Use contracts and due diligence to ensure processors honor OCPA requirements.

Consumer Rights Under OCPA

For non-PHI personal data, individuals can typically exercise rights to access, correct inaccuracies, delete certain data, and receive a portable copy. You must provide clear consumer rights mechanisms, verify requestors, and respond within statutory timeframes, documenting decisions and any denials.

Consumers also have the right to opt out of targeted advertising, sale of personal data, and certain profiling with legal or similarly significant effects. Your notices and preference centers should explain these options plainly and honor signals where required.

Handling data deletion requests

  • Confirm whether the data is PHI (exempt) or non-PHI (potentially in scope).
  • Delete or de-identify non-PHI unless a legal exception applies (e.g., record retention obligations).
  • Notify processors to take corresponding actions and log completion.

Data Protection Impact Assessments

Conduct a DPIA before high-risk processing of consumer data, such as targeted ads, sale of data, sensitive data use, or automated profiling. Align the DPIA with your HIPAA risk analysis by assessing purposes, necessity, proportionality, risks to individuals, and safeguards.

What a strong DPIA includes

  • Processing description and business purpose.
  • Data elements, sources, retention, and recipients.
  • Risk evaluation for confidentiality, integrity, availability, and fairness.
  • Controls: minimization, access, encryption, governance, and testing.
  • Decision record and review cadence.

Staff Training on OCPA Compliance

Train frontline and back-office teams to recognize when data is PHI versus consumer personal data. Emphasize consent, collection limits, and the distinct handling of data deletion requests and opt-outs for non-PHI.

Role-specific focus areas

  • Contact center: intake, verify, and route consumer rights requests.
  • Marketing and digital: tag governance, preference management, and avoiding inadvertent PHI capture.
  • IT/security: data mapping, DPIAs, and processor oversight.
  • Legal/compliance: exceptions analysis and recordkeeping.

Conclusion

OCPA largely exempts PHI and certain regulated activities, but it still reaches non-PHI consumer data that HIPAA entities handle. By cleanly separating datasets, honoring consumer rights, and embedding DPIAs and training, you can meet OCPA’s data privacy obligations without disrupting care or operations.

FAQs

What data is exempt from the OCPA for HIPAA-covered entities?

Protected Health Information processed under HIPAA, HIPAA-compliant de-identified information, and data handled solely for regulated activities (such as public health reporting or clinical research under applicable rules) are typically exempt. Employment-context data is also generally excluded.

How does the OCPA interact with HIPAA compliance?

OCPA defers to HIPAA for PHI and related activities, but it applies to non-PHI consumer data that a HIPAA covered entity collects—such as website analytics, event registrations, or marketing lists. You must therefore run parallel programs: HIPAA for PHI, and OCPA controls for non-PHI.

What are the key compliance steps for HIPAA entities under the OCPA?

Map and segregate PHI versus non-PHI, update privacy notices, implement consumer rights mechanisms, process opt-outs, manage data deletion requests, run DPIAs for high-risk activities, and tighten vendor oversight—especially for advertising and analytics technologies.

How should consumer rights be managed under the OCPA?

Offer simple intake channels, verify identity, determine whether the data is exempt, and respond within required timelines. Provide access, correction, deletion, and portability for eligible data, plus opt-outs from targeted advertising, sale, and certain profiling, with a clear appeals process when requests are denied.