Virginia Data Privacy Law for Healthcare Providers: VCDPA vs. HIPAA and How to Comply


Kevin Henry

Data Privacy

February 09, 2026

9 minute read
Overview of Virginia Consumer Data Protection Act

The Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023. It governs “controllers” and “processors” that conduct business in Virginia or target Virginia residents and meet volume thresholds for personal data. The law centers on Consumer Data Protection by defining duties for organizations and rights for individuals.

VCDPA applies if you control or process personal data of at least 100,000 Virginia consumers in a calendar year, or 25,000 consumers and derive 50% or more of gross revenue from the sale of personal data. “Consumer” means a resident acting in an individual or household context; employee and B2B interactions are excluded.

Core consumer rights include the ability to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. Controllers must provide clear notices, limit use to stated purposes, minimize collection, and maintain reasonable administrative, technical, and physical safeguards to support Healthcare Data Security where relevant.

Sensitive data—such as precise geolocation, genetic and biometric identifiers, and health diagnosis information—requires opt-in consent. Controllers must perform data protection assessments for activities like targeted advertising, selling personal data, processing sensitive data, or high-risk profiling. The Virginia Attorney General enforces VCDPA, with civil penalties up to $7,500 per violation and a right to cure within a set period.

HIPAA Requirements for Healthcare Providers

HIPAA establishes a comprehensive framework for Health Information Privacy across three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. It applies to covered entities (health plans, clearinghouses, and most healthcare providers) and their business associates when they handle Protected Health Information (PHI), including electronic PHI (ePHI).

Key Privacy Rule duties include issuing a Notice of Privacy Practices; using and disclosing PHI for treatment, payment, and healthcare operations without authorization; applying the minimum necessary standard; and honoring patient rights to access and obtain copies, request amendments, request restrictions, and receive an accounting of certain disclosures.

The Security Rule requires risk analysis and risk management, role-based access, audit controls, integrity and transmission security, and workforce training—foundational elements of Data Privacy Compliance and Healthcare Data Security. Business Associate Agreements are mandatory to ensure downstream safeguards and proper use of PHI.

Under the Breach Notification Rule, you must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach. For incidents impacting 500 or more individuals in a state or jurisdiction, you must also notify HHS and prominent media. HIPAA preempts contrary State and Federal Privacy Laws but allows states to impose more stringent protections.

HIPAA also recognizes de-identification via expert determination or the Safe Harbor method that removes specified identifiers, enabling broader data use while protecting individuals.

Exemptions of Healthcare under VCDPA

VCDPA contains Regulatory Exemptions highly relevant to healthcare. The law generally exempts covered entities and business associates governed by HIPAA, PHI processed pursuant to HIPAA, and patient-identifying information under 42 CFR Part 2. It also excludes de-identified and publicly available information, and data processed solely in an employment or B2B context.

What this means for you: most core provider operations involving PHI fall outside VCDPA. However, entities or offerings that are not governed by HIPAA—such as independent consumer wellness apps, patient communities, or health-related e-commerce that are not operated as part of your HIPAA-covered activities—may be subject to VCDPA if volume thresholds are met. Vendors that are not your business associates may also face VCDPA obligations for their own processing.

Comparison of VCDPA and HIPAA Privacy Protections

Scope and Trigger

HIPAA attaches to PHI handled by covered entities and business associates, regardless of organization size. VCDPA attaches to personal data of Virginia consumers when activity and volume thresholds are met. VCDPA is a consumer privacy law; HIPAA is a sectoral health privacy law.

Data and Rights

VCDPA covers “personal data” broadly and grants rights to access, correct, delete, and portability, plus opt-outs for targeted advertising, sale, and certain profiling. HIPAA centers on PHI and grants access and amendment rights but does not require deletion on request; it instead controls use and disclosure through defined permissions and authorizations.

VCDPA requires opt-in consent for sensitive data and transparent disclosures for other processing. HIPAA allows many uses and disclosures for treatment, payment, and operations without patient authorization, while requiring authorization for most marketing and other non-routine purposes.

Security and Breach Duties

Both frameworks demand reasonable security, but HIPAA provides more prescriptive standards for administrative, physical, and technical safeguards. HIPAA contains its own breach-notification regime; VCDPA relies on Virginia’s general breach-notification obligations outside of HIPAA contexts.

Enforcement and Remedies

VCDPA is enforced by the Virginia Attorney General with civil penalties; there is no private right of action. HIPAA is enforced by HHS OCR and state attorneys general, with civil monetary penalties and corrective action plans. Together, these State and Federal Privacy Laws form a layered compliance landscape.

Compliance Strategies for Healthcare Providers

1) Map Applicability and Data Flows

Inventory where you collect, use, disclose, and store data. Classify each flow as PHI (HIPAA) or non-PHI consumer data (potentially VCDPA). Note high-risk uses like targeted advertising, cross-site analytics, identity resolution, and data sharing with non-BA vendors.

2) Strengthen HIPAA Foundations

Refresh risk analyses, policies, and workforce training; verify minimum necessary access; validate encryption in transit and at rest; and review Business Associate Agreements. Update your Notice of Privacy Practices and verify procedures for 30-day Right of Access responses.

3) Stand Up VCDPA Capabilities Where Needed

If any non-HIPAA lines of business meet VCDPA thresholds, implement a consumer rights intake and verification process, a 45-day response timeline with documented extensions, and an appeals channel. Build a consent model for sensitive data and a preference center for opt-outs of sale, targeted advertising, and profiling.

4) Perform Data Protection Assessments

Document assessments for sensitive data processing, targeted advertising, selling personal data, and automated profiling with legal or similarly significant effects. Record purposes, benefits, necessity, risks, and mitigations, and retain assessments for regulatory inquiries.

5) Optimize Contracts and Vendors

Distinguish Business Associate Agreements (HIPAA) from data processing addenda (VCDPA). For ad tech, analytics, and consumer apps, define controller/processor roles, ban re-use of data for secondary purposes, and require security, incident notice, and deletion on request.

6) Tune Web and Mobile Practices

Minimize trackers on patient-facing properties; prefer first-party, contextual, or aggregated analytics where feasible. Provide just-in-time notices for sensitive data collection and avoid embedding third-party code on authenticated patient portals unless governed by a BAA or equivalent safeguards.

7) Build Evidence of Compliance

Maintain records of processing, DSAR logs, training rosters, risk analyses, vendor due diligence, and assessment reports. Evidence shortens investigations and demonstrates mature Data Privacy Compliance.

Impact of VCDPA on Healthcare Data Practices

Marketing, analytics, and community engagement are the most affected. If you run non-HIPAA programs targeting Virginia consumers, you must enable opt-outs for targeted advertising and potential “sale” scenarios, and obtain opt-in for sensitive data. Preference centers and lightweight identity resolution can reconcile choices across channels.

Research and quality improvement benefit from de-identification and aggregation. Where PHI is involved, rely on HIPAA de-identification pathways; where consumer data is involved, apply VCDPA’s de-identification standards and ensure no re-identification without a documented, limited-purpose plan.

Third-party risk increases as ad tech and analytics providers act as controllers for their own purposes. Tighten contracts, reduce the data shared, and prefer on-premises or privacy-preserving analytics to protect Health Information Privacy and manage enforcement exposure.

Best Practices for Managing Patient Data Privacy

  • Data minimization and purpose limitation: collect only what you need, retain only as long as necessary, and document lawful purposes.
  • Defense-in-depth security: encryption, MFA, network segmentation, endpoint hardening, and continuous monitoring to uphold Healthcare Data Security.
  • Role-based access and auditing: restrict PHI and sensitive consumer data to least privilege and log access for investigation and accountability.
  • Privacy by design: embed consent, notices, and opt-out mechanisms in product flows; avoid dark patterns.
  • Third-party governance: vet vendors, assign controller/processor or BAA roles, ban secondary uses, and require timely breach alerts.
  • De-identification and safe sharing: use HIPAA Safe Harbor or expert determination for PHI and robust anonymization for consumer data.
  • Training and drills: conduct scenario-based training and tabletop exercises for DSAR handling and incident response.

Conclusion

For most providers, HIPAA remains the primary framework, and VCDPA largely exempts HIPAA-governed activity. Still, non-HIPAA consumer offerings and certain vendors can trigger VCDPA. By mapping data, tightening contracts, enabling consumer rights where applicable, and reinforcing security, you can meet both regimes confidently and maintain patient trust.

FAQs

What is the Virginia Consumer Data Protection Act?

The VCDPA is Virginia’s comprehensive privacy law effective January 1, 2023. It grants consumers rights over their personal data and imposes duties on organizations that control or process that data, including transparency, security, purpose limits, and opt-in consent for sensitive data.

How does HIPAA protect patient information?

HIPAA protects PHI by regulating how covered entities and business associates use and disclose it, requiring safeguards for ePHI, and mandating breach notifications. It also gives patients rights to access and request amendments, and it preempts contrary state rules while allowing stronger state protections.

Are healthcare providers subject to VCDPA?

Most HIPAA-covered providers and their business associates are exempt, and PHI is excluded. However, separate non-HIPAA consumer offerings or vendors not acting as business associates can be subject to VCDPA if they meet applicability thresholds.

What steps should healthcare providers take to comply with privacy laws?

Confirm which activities are governed by HIPAA versus VCDPA, refresh HIPAA security and privacy programs, and—where VCDPA applies—enable consumer rights workflows, obtain opt-in for sensitive data, conduct data protection assessments, and strengthen vendor agreements and web/mobile practices.
