Tennessee Data Privacy Law (TIPA) for Healthcare: Compliance Requirements and HIPAA Exemptions
TIPA Overview
The Tennessee Information Protection Act (TIPA) is a comprehensive state privacy law that sets baseline rights for Tennessee consumers and duties for organizations that determine the purposes and means of processing personal data. For healthcare, it draws a bright line around Protected Health Information while still regulating non‑PHI consumer data such as marketing, web, and app analytics. TIPA took effect on July 1, 2025.
Under TIPA, consumers have rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, the sale of personal data, and certain automated profiling. Controllers must observe data minimization, purpose limitation, and reasonable security safeguards, and they may need to conduct documented data protection assessments for high‑risk processing.
TIPA uniquely offers an affirmative defense if you maintain a privacy program that reasonably conforms to a recognized framework (for example, mapping controls to the NIST Privacy Framework) and that program was in place at the time of an alleged violation. This feature is particularly valuable for healthcare entities already aligning operations with the HIPAA Privacy and Security Rules.
Applicability of TIPA
TIPA generally applies to for‑profit entities that do business in Tennessee or target products or services to Tennessee residents and that meet processing thresholds. Typical thresholds include controlling or processing personal data of 100,000 or more consumers in a calendar year, or 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data. “Consumers” are individuals acting in a personal or household capacity, not employees or B2B contacts.
Many nonprofit organizations and government entities are exempt, which means a nonprofit hospital may be outside TIPA’s scope, while its for‑profit affiliates and vendors could be in scope. Hybrid health systems should confirm which legal entities act as “controllers” and which serve as “processors,” then assign obligations accordingly.
Healthcare scoping examples
- In scope: a for‑profit clinic’s website tracking, lead‑gen campaigns, connected device apps, and patient financing platform customer data (non‑PHI).
- Partly in scope: a health plan’s marketing data about prospective members that is not Protected Health Information.
- Out of scope: de‑identified datasets and public information; many nonprofit hospital entities; PHI handled under HIPAA as described below.
Exemptions from TIPA
TIPA contains entity‑level and data‑level exemptions that matter for healthcare compliance planning. Key categories include:
- Protected Health Information processed by covered entities or business associates under the HIPAA Privacy and Security Rules.
- Patient Safety Work Product assembled for or by a Patient Safety Organization under the Patient Safety and Quality Improvement Act.
- Data and institutions subject to sectoral federal laws such as the Gramm‑Leach‑Bliley Act (financial institutions and certain patient financing operations), the Fair Credit Reporting Act (credit reporting/eligibility data), and the Family Educational Rights and Privacy Act (student records handled by university health clinics).
- Nonprofit organizations and government bodies (including many public health authorities), plus de‑identified and publicly available information.
Peer review materials and privileges under the Health Care Quality Improvement Act remain governed by that statute. While HCQIA is not a consumer privacy regime, its protected peer‑review records typically are not processed as consumer marketing or advertising data and should be segregated accordingly.
HIPAA Exemptions under TIPA
For healthcare, the most important carve‑outs are HIPAA‑based:
- Protected Health Information collected, used, or disclosed by a HIPAA covered entity or business associate is exempt when handled in accordance with HIPAA.
- De‑identified data as defined by HIPAA (expert determination or safe harbor) is outside TIPA’s scope.
- Patient Safety Work Product created for patient safety activities is separately protected and excluded from TIPA obligations.
However, HIPAA does not exempt everything you do. TIPA can still apply to non‑PHI consumer data, such as website cookies, advertising technology identifiers, prospective patient leads, event RSVPs, or connected fitness/health apps that fall outside HIPAA’s definitions. Hybrid entities should use clear designations and technical/administrative boundaries so PHI, Patient Safety Work Product, and non‑PHI consumer data remain distinct.
Practical guidance
- Map data flows to separate PHI and Patient Safety Work Product from non‑PHI marketing and analytics data.
- Avoid commingling HIPAA‑regulated data with TIPA‑regulated consumer data in advertising or look‑alike audience tools.
- Document why specific datasets qualify for HIPAA or PSQIA exemptions and keep those justifications current.
Compliance Requirements for Healthcare Entities
If your healthcare organization falls within TIPA’s scope for any non‑PHI consumer data, build a focused compliance program that complements your HIPAA controls.
1) Data inventory and classification
- Catalog personal data across websites, mobile apps, call centers, events, and connected devices.
- Classify data as PHI, Patient Safety Work Product, de‑identified, or non‑PHI consumer data regulated by TIPA.
- Identify “sensitive data” (for example, precise geolocation, biometric identifiers, and health data not regulated by HIPAA) and require opt‑in consent before processing.
2) Consumer privacy notices
- Publish a clear, stand‑alone notice for non‑PHI consumer data describing categories of personal data, purposes, sharing, retention, consumer rights, and how to exercise those rights.
- Explain opt‑out choices for targeted advertising, the sale of personal data, and automated profiling with significant effects.
3) Rights request operations
- Offer at least two submission methods (for example, web form and toll‑free number) and verify identity proportionally to the request.
- Respond within 45 days (with a possible 45‑day extension when reasonably necessary) and provide an internal appeals process if you deny a request.
4) Opt‑out and consent management
- Provide an easy opt‑out for targeted advertising and sale of personal data; maintain suppression lists to honor future choices.
- Obtain opt‑in consent before processing sensitive data; record consent receipts and withdrawal logs.
5) Contracts with processors and vendors
- Execute data processing agreements that specify instructions, confidentiality, subprocessor controls, assistance with consumer rights, deletion/return of data, and audit mechanisms.
- Scrutinize third‑party trackers, CDPs, and advertising platforms to determine if any “sale” occurs or if targeted advertising is involved.
6) Data protection assessments
- Conduct written assessments for targeted advertising, selling personal data, sensitive data processing, and high‑risk profiling.
- Reference both HIPAA risk analysis outputs and the NIST Privacy Framework to streamline documentation.
7) Security and governance
- Apply reasonable administrative, technical, and physical safeguards, leveraging your HIPAA Security Rule program for non‑PHI where appropriate.
- Adopt a privacy program aligned to a recognized standard (for example, the NIST Privacy Framework) to position for TIPA’s affirmative defense.
- Train marketing, digital, and patient engagement teams on permissible uses of consumer data versus PHI.
Enforcement and Penalties
The Tennessee Attorney General enforces TIPA. There is no private right of action. Before filing an action, the AG provides a cure period; organizations that cure alleged violations and provide written assurances can mitigate risk. Violations may result in civil penalties per violation and injunctive relief, with heightened exposure for repeated or willful noncompliance.
Maintaining and following a documented privacy program that conforms to a recognized framework can serve as an affirmative defense. For healthcare, aligning TIPA controls with existing HIPAA Privacy and Security Rules, and keeping clear boundaries between PHI, Patient Safety Work Product, and non‑PHI consumer data, is the most efficient way to reduce enforcement risk.
Conclusion
TIPA narrows obligations around HIPAA‑regulated data but squarely regulates non‑PHI consumer information common in healthcare marketing and digital engagement. If you determine TIPA applies, build on your HIPAA foundation: inventory non‑PHI data, honor consumer rights, manage opt‑outs and sensitive‑data consent, tighten vendor contracts, and document assessments. Doing so positions you to meet Tennessee’s requirements and to leverage TIPA’s affirmative defense if issues arise.
FAQs
What healthcare entities are exempt from Tennessee’s data privacy law?
Many nonprofit organizations and government entities are exempt. In addition, HIPAA covered entities and business associates are exempt when handling Protected Health Information under the HIPAA Privacy and Security Rules, and Patient Safety Work Product under the Patient Safety and Quality Improvement Act is also excluded. For‑profit affiliates and vendors processing non‑PHI consumer data may still be in scope.
How does TIPA interact with HIPAA compliance?
TIPA defers to HIPAA for PHI, but it regulates non‑PHI consumer data that healthcare organizations commonly process—web and app analytics, advertising technology identifiers, event sign‑ups, and prospective patient leads. The most efficient approach is to extend your HIPAA program to these datasets, add TIPA‑specific rights handling and opt‑out mechanisms, and keep strong boundaries between PHI and consumer data.
What are the key HIPAA exemptions under TIPA?
PHI handled in accordance with HIPAA is exempt, as is HIPAA‑de‑identified data. Patient Safety Work Product is separately protected and outside TIPA’s scope. These exemptions do not cover non‑PHI consumer data (for example, marketing cookies or ad IDs), which must meet TIPA’s requirements.
Who enforces Tennessee’s data privacy law in healthcare?
The Tennessee Attorney General enforces TIPA across sectors, including healthcare. There is no private right of action; however, organizations can face civil penalties and injunctive relief if they fail to cure violations and maintain compliant privacy practices.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.