Oregon Data Privacy Law for Healthcare: 2024 OCPA Compliance Guide
OCPA Effective Dates for Healthcare Providers
The Oregon Consumer Privacy Act (OCPA) took effect for most for-profit entities on July 1, 2024. Nonprofit healthcare organizations became subject to the law on July 1, 2025. Beginning January 1, 2026, covered organizations must honor a universal opt-out mechanism (UOOM) signal for targeted advertising and the sale of personal data.
Two child-and-location safeguards also activated on January 1, 2026: (1) a statewide ban on selling precise geolocation data, and (2) a prohibition on selling, using for targeted advertising, or profiling the personal data of consumers under 16. As of January 1, 2026, the Attorney General’s 30‑day cure period also expired, meaning enforcement may proceed without advance opportunity to cure.
Scope and Applicability in Healthcare
OCPA applies to organizations that conduct business in Oregon or offer products or services to Oregon residents and meet either of these thresholds in a calendar year: (1) control or process personal data of 100,000+ consumers (excluding data processed solely to complete a payment transaction), or (2) control or process personal data of 25,000+ consumers and derive 25% or more of annual gross revenue from selling personal data.
“Consumer” means an Oregon resident acting in an individual or household context. Employee, job applicant, and other employment-context data are out of scope. For healthcare, this means protected health information processed under HIPAA may be exempt (see below), yet non-PHI consumer data—such as website analytics, marketing lists, patient acquisition campaigns, loyalty or wellness programs, event RSVPs, and connected device telemetry—can fall squarely within OCPA.
Exemptions Relevant to Healthcare Data
OCPA contains targeted exemptions that often apply to healthcare. These are data-level (not blanket entity) exemptions, so you must separate exempt from non-exempt processing.
- Protected health information (PHI) processed in accordance with HIPAA, and HIPAA compliance documents.
- Public health activities under 45 C.F.R. 164.512 (for example, disease surveillance and reporting).
- Human-subjects research under the Common Rule (45 C.F.R. part 46) and certain FDA-regulated research activities.
- 42 C.F.R. part 2 substance use disorder records (patient identifying information).
- Patient safety work product under 42 C.F.R. part 3 (PSWP/PSO).
- Information originating from, or intermingled with, the above categories when handled under the same requirements.
- Employment-context data (HR, benefits, emergency contacts) and certain financial, educational, and FCRA-regulated data.
- Public bodies are excluded; notably, Oregon Health & Science University is a public corporation and thus out of scope.
Important nuance: the HIPAA exemption is a HIPAA exemption—not a “healthcare entity” exemption. If you process non-PHI consumer data (e.g., marketing pixels on a public site), OCPA can still apply.
Consumer Rights under OCPA
OCPA creates robust data subject rights that intersect with healthcare operations whenever non-PHI consumer data is involved. You must provide at least one method for consumers to submit requests and respond within 45 days (one 45‑day extension is allowed where reasonably necessary).
- Access and portability: consumers can confirm processing and obtain a copy of their personal data in a portable, readily usable format.
- Correction: consumers can require you to correct inaccuracies, considering data nature and processing purpose.
- Deletion: consumers can require you to delete personal data you collected, obtained from other sources, and even derived data.
- Opt-out: consumers can opt out of targeted advertising, the sale of personal data, and profiling in decisions with legal or similarly significant effects (including healthcare services decisions).
- Appeal: if you deny a request, you must offer an appeal process and issue a reasoned decision within 45 days, including how to contact the Oregon Attorney General.
- Authorized agents and signals: consumers may use authorized agents for opt-outs and, from January 1, 2026, a UOOM signal must be honored.
Costs: you must fulfill one request per consumer per 12-month period free of charge; reasonable fees may apply to repetitive or excessive requests.
Definition and Handling of Sensitive Healthcare Data
OCPA designates “sensitive data” that demands heightened protection and, in most cases, opt-in consent. Sensitive data categories include information revealing a consumer’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, status as transgender or nonbinary, status as a crime victim, genetic or biometric identifiers for identification, and precise geolocation.
Operational requirements for sensitive data
- Consent standard: obtain clear, specific, informed, and unambiguous consent; “dark patterns” invalidate consent.
- Children’s data: comply with COPPA for under-13 data. As of January 1, 2026, it is unlawful to sell, target ads to, or profile consumers under 16 using their personal data.
- Data protection assessments (DPAs): conduct and retain assessments (for at least five years) before processing sensitive data, profiling that poses risk, targeted advertising, or selling personal data.
- Healthcare data transparency: disclose sensitive data uses in your privacy notice, covering purposes, sharing, and opt-out/consent choices.
Enforcement Procedures and Business Obligations
Oregon Department of Justice enforcement is exclusive under OCPA. The Attorney General may seek civil penalties of up to $7,500 per violation and injunctive relief. As of January 1, 2026, there is generally no mandatory cure period before enforcement.
Core controller duties that affect healthcare
- Purpose limitation and data minimization: collect only what is adequate, relevant, and reasonably necessary for stated purposes.
- Security safeguards: implement reasonable administrative, technical, and physical protections proportionate to the sensitivity and volume of data processed.
- Consent management: obtain opt-in for sensitive data; do not rely on pre-checked boxes or interfaces that subvert choice.
- Privacy notice: clearly state processing purposes; categories of personal and sensitive data processed and shared; opt-out methods (including UOOM recognition); data subject rights and appeal instructions.
- Processor contracts: define instructions, confidentiality, subprocessor controls, security, and assistance with consumer requests and assessments.
- Assessments on request: maintain and provide DPAs to the Attorney General upon request; retain assessment records for five years.
Compliance Strategies for Healthcare Entities
1) Map your data domains
- Inventory PHI versus non-PHI. Tag marketing sites, mobile apps, chatbots, call centers, IoT/connected devices, and third-party tools (analytics, ads, A/B testing) that touch consumer data.
- Record sensitive data categories you collect (e.g., mental health indicators, biometrics, precise geolocation) and who receives them.
2) Update privacy notices for healthcare data transparency
- Explain purposes, categories collected/shared (including sensitive data), retention, and consumer rights. Provide simple opt-out and appeal paths and state that UOOM signals are honored.
- Coordinate your OCPA notice with your HIPAA Notice of Privacy Practices so consumers understand what is PHI (HIPAA) versus non-PHI (OCPA).
3) Strengthen consent and opt-out operations
- Implement consent records for sensitive data. Remove dark patterns and ensure choices are as easy to withdraw as to give.
- Honor universal signals (e.g., browser-based UOOM/GPC) and configure systems to block targeted ads and sale flows when a signal is present.
4) Build a cross-functional DSAR program
- Verify identity, triage HIPAA versus OCPA requests, and respond within 45 days (with a single allowable 45‑day extension).
- Automate retrieval and deletion across CRMs, marketing clouds, data lakes, and vendor systems. Track appeals and outcomes.
5) Run Data Protection Assessments
- Complete DPAs for sensitive data, targeted advertising, selling personal data, and profiling with potential significant effects (including access to healthcare services decisions). Retain for five years.
6) Tighten vendor and tracker governance
- Amend processor contracts to meet OCPA. Validate that website pixels, SDKs, and data clean rooms don’t leak sensitive data or teen data.
- Block the sale of precise geolocation data and under‑16 targeted advertising/profiling by default, and enforce those blocks as system controls rather than relying on manual review.
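The signal handling in step 3 and the default blocks in step 6 can be enforced in one place: a policy gate that every advertising, sale, and profiling flow consults before it runs. The following is an added illustrative example, not code from the article or from any product it mentions. It assumes the site receives the Global Privacy Control signal as the HTTP request header `Sec-GPC` with the value `1` (the browser-based UOOM/GPC mechanism the article refers to), that the application already knows the consumer's age where it has been collected, and that it can flag whether a data element is precise geolocation; the `Processing` names and the `Request` shape are constructed for the example. It encodes the distinction the article draws: the UOOM signal covers targeted advertising and sale, while the under‑16 rule also covers profiling and the geolocation rule covers sale only.

```python
"""Policy gate for OCPA opt-out signals and default child/geolocation blocks.

Added example (not from the article). Assumptions: GPC arrives as the
request header "Sec-GPC" with value "1"; consumer age is known when the
application collected it (None otherwise); the caller marks whether the
data element being processed is precise geolocation.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Processing(str, Enum):
    # Constructed names for the three flows the article says must be gated.
    TARGETED_ADVERTISING = "targeted_advertising"
    SALE = "sale"
    PROFILING = "profiling"


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)  # raw HTTP headers
    consumer_age: Optional[int] = None  # None when age was never collected
    precise_geolocation: bool = False   # True if the data element is precise location


def gpc_enabled(headers: Dict[str, str]) -> bool:
    """True only when Sec-GPC is present with the exact value "1".

    Header names are matched case-insensitively; "0", empty, or absent
    all mean no signal, so the gate never treats a malformed header as opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def evaluate(request: Request) -> Dict[str, Tuple[bool, List[str]]]:
    """Return {flow: (allowed, reasons_for_block)} for each gated flow.

    - UOOM signal present  -> block targeted advertising and sale
    - consumer under 16    -> block all three flows
    - precise geolocation  -> block sale
    Profiling is not blocked by the UOOM signal alone; that opt-out comes
    through a consumer request, which this gate does not model.
    """
    signal = gpc_enabled(request.headers)
    minor = request.consumer_age is not None and request.consumer_age < 16
    decisions: Dict[str, Tuple[bool, List[str]]] = {}
    for flow in Processing:
        reasons: List[str] = []
        if signal and flow in (Processing.TARGETED_ADVERTISING, Processing.SALE):
            reasons.append("universal opt-out signal present")
        if minor:
            reasons.append("consumer under 16")
        if request.precise_geolocation and flow is Processing.SALE:
            reasons.append("precise geolocation data")
        decisions[flow.value] = (not reasons, reasons)
    return decisions


def allowed(request: Request, flow: Processing) -> bool:
    """Convenience check for a single flow, e.g. before firing an ad pixel."""
    return evaluate(request)[flow.value][0]


if __name__ == "__main__":
    # Constructed sample requests to show the three rules in action.
    samples = {
        "adult with GPC": Request(headers={"Sec-GPC": "1"}, consumer_age=40),
        "age unknown, no signal": Request(),
        "15-year-old, no signal": Request(consumer_age=15),
        "adult, precise geolocation": Request(consumer_age=30, precise_geolocation=True),
    }
    for label, req in samples.items():
        print(label)
        for flow, (ok, why) in evaluate(req).items():
            print(f"  {flow:22s} {'allow' if ok else 'BLOCK'} {'; '.join(why)}")
```

Wire `allowed(request, Processing.TARGETED_ADVERTISING)` in front of every ad-tag, data-sharing, and profiling call path, and log each blocked decision with its reasons; that log is also the evidence a Data Protection Assessment can point to when describing how opt-outs and the under‑16 and geolocation rules are enforced.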
7) Embed security, minimization, and retention controls
- Adopt least-privilege access, encryption at rest/in transit, and routine access reviews. Set short, purpose-tied retention schedules.
Conclusion
For healthcare organizations, OCPA adds a comprehensive consumer-privacy layer alongside HIPAA. Treat PHI under HIPAA as exempt, but rigorously govern non-PHI consumer data. If you calibrate notices, consent, UOOM handling, DSAR workflows, assessments, and vendor controls, you will satisfy Oregon Department of Justice enforcement expectations and deliver real healthcare data transparency without disrupting care.
FAQs.
What healthcare entities are exempt from the Oregon data privacy law?
OCPA exempts public bodies (including Oregon Health & Science University) and specific data categories such as protected health information processed in accordance with HIPAA, public health activities, Common Rule/FDA research, 42 C.F.R. part 2 records, and patient safety work product. Employment-context data is also excluded. Remember: the HIPAA exemption is data-based—non-PHI consumer data processed by healthcare entities can still be in scope.
How does OCPA define sensitive healthcare data?
Sensitive data includes information revealing a person’s mental or physical health condition or diagnosis, genetic or biometric identifiers used for identification, precise geolocation, as well as categories like race/ethnicity, religion, sexual orientation, citizenship or immigration status, transgender or nonbinary status, and crime victim status. Processing sensitive data typically requires opt-in consent and a documented Data Protection Assessment.
What are the consumer rights regarding healthcare data under OCPA?
Consumers have rights to access, portability, correction, and deletion of their personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling that has legal or similarly significant effects (including healthcare services decisions). They can appeal denials and, from January 1, 2026, use a universal opt-out signal that covered entities must honor.
How must healthcare providers comply with OCPA data access and deletion requests?
Offer at least one submission method, authenticate the requester, and respond within 45 days (with a possible 45‑day extension). Provide data in a portable, readily usable format when fulfilling access requests, and delete personal, sourced, and derived data when a valid deletion request applies. Provide one free response per 12 months, offer a clear appeal process for denials, and ensure HIPAA-governed PHI requests are handled under HIPAA while non-PHI consumer data requests are handled under OCPA.