HIPAA Exemptions in State Privacy Laws: Entity-Level vs. Data-Level, All 19 States Compared
Does your state privacy law exempt HIPAA-covered entities entirely, or just HIPAA-regulated data? A state-by-state comparison of entity-level and data-level HIPAA exemptions across all 19 US comprehensive privacy laws.
Last updated: 2026-02-08
The Question Every Healthcare Business Is Asking
You are a HIPAA-covered entity — a hospital, clinic, health insurer, pharmacy, or one of their business associates. Your state just passed a comprehensive privacy law. Now you need to know: does this new law apply to you?
The answer depends entirely on whether your state's law uses an entity-level or data-level HIPAA exemption.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. HIPAA exemptions in state privacy laws are complex, evolving, and subject to regulatory interpretation. Consult a qualified attorney for guidance specific to your organization. Information is current as of February 2026.
Entity-Level vs. Data-Level: What's the Difference?
This is the core distinction, and it matters enormously for compliance planning.
Entity-level exemption means the entire HIPAA-covered entity (or business associate) is exempt from the state privacy law. If your organization qualifies as a HIPAA covered entity or business associate, the state law does not apply to you — for any data, including data that has nothing to do with healthcare.
Data-level exemption means only protected health information (PHI) and related HIPAA-regulated data is exempt. The covered entity itself remains subject to the state privacy law for all non-PHI personal data it processes — website analytics, marketing data, employee records unrelated to treatment, customer loyalty programs, and anything else that is not PHI.
Why This Matters in Practice
Consider a hospital system that operates a public-facing website with analytics tracking, runs a gift shop with a customer loyalty program, sends marketing emails to community members, and of course provides healthcare services governed by HIPAA.
In an entity-level state, that hospital is exempt from the state privacy law entirely. None of those activities trigger compliance obligations under the state law.
In a data-level state, only the hospital's PHI is exempt. The website analytics, gift shop loyalty program, marketing emails, and any other non-PHI personal data processing must comply with the state privacy law. The hospital needs two compliance programs: HIPAA for health data, and the state privacy law for everything else.
All 19 States Compared
Twelve states exempt HIPAA-covered entities entirely. Seven exempt only the data.
| State | Law | Exemption Type | Covers BAs? | Statutory Citation |
|---|---|---|---|---|
| Virginia | VCDPA | Entity-level | Yes | Va. Code § 59.1-576(B) |
| Connecticut | CTDPA | Entity-level | Yes | Conn. Gen. Stat. § 42-517(a) |
| Utah | UCPA | Entity-level | Yes | Utah Code § 13-61-102(2)(e)-(g) |
| Iowa | ICDPA | Entity-level | Yes | Iowa Code § 715D.2 |
| Indiana | INCDPA | Entity-level | Yes | Ind. Code § 24-15-1-1 |
| Tennessee | TIPA | Entity-level | Yes | Tenn. Code § 47-18-3303 |
| Montana | MTCDPA | Entity-level | Yes (BAA scope only) | Mont. Code Ann. § 30-14-2803 |
| Texas | TDPSA | Entity-level | Yes | Tex. Bus. & Com. Code § 541.002(b)(3) |
| Nebraska | NDPA | Entity-level | Yes | Neb. Rev. Stat. § 87-1103 |
| New Hampshire | NHPA | Entity-level | Yes | N.H. Rev. Stat. § 507-H:3(I)(f) |
| Kentucky | KCDPA | Entity-level | Yes | KRS 367.3613 |
| Rhode Island | RIDTPPA | Entity-level | Yes | R.I. Gen. Laws § 6-48.1-3(d) |
| California | CCPA/CPRA | Data-level | N/A (PHI only) | Cal. Civ. Code § 1798.145(c)(1) |
| Colorado | CPA | Data-level | N/A (PHI only) | C.R.S. § 6-1-1304(2)(a) |
| Oregon | OCPA | Data-level | N/A (PHI only) | ORS 646A.572 |
| Delaware | DPDPA | Data-level | N/A (PHI only) | Del. Code tit. 6, § 12D-103 |
| New Jersey | NJDPA | Data-level | N/A (PHI only) | N.J. Stat. § 56:8-166.13 |
| Minnesota | MCDPA | Data-level | N/A (PHI only) | Minn. Stat. § 325O.03, subd. 2 |
| Maryland | MODPA | Data-level | N/A (PHI only) | Md. Code, Com. Law § 14-4603 |
Entity-Level States: Full Exemption
In these 12 states, if you are a HIPAA-covered entity or business associate, the state privacy law does not apply to you. All 12 also include separate data-level exemptions for PHI as a belt-and-suspenders measure.
Virginia (VCDPA)
Virginia established the model that many subsequent states followed. Section 59.1-576(B) exempts any "covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164." Section 59.1-576(C) separately exempts PHI, de-identified data per HIPAA, and intermingled data.
Connecticut (CTDPA)
Section 42-517(a) provides that the law "does not apply to" covered entities or business associates as defined in 45 C.F.R. § 160.103. The exemption attaches to the legal entity itself. Important nuance: separate affiliates that are not themselves covered entities or business associates must independently assess whether the CTDPA applies to them.
Utah (UCPA)
Utah's statute explicitly states that the exemption applies at the entity level, not just the data level. Section 13-61-102(2)(e)-(g) exempts covered entities and business associates, plus PHI and HIPAA de-identified information. Processing under a valid Business Associate Agreement in accordance with HIPAA is generally exempt.
Iowa (ICDPA)
Iowa extends entity-level exemptions for covered entities and business associates subject to HIPAA and HITECH. The law also exempts PHI, intermingled data, and data treated in the same manner as exempt health information by a covered entity or business associate. This is one of the most business-friendly HIPAA exemption frameworks among the 19 states.
Indiana (INCDPA)
Section 24-15-1-1 exempts any covered entity or business associate governed by the privacy, security, and breach notification rules under 45 C.F.R. Parts 160 and 164 from the entire act. PHI is also separately exempted at the data level under Section 24-15-1-2.
Tennessee (TIPA)
Covered entities and business associates under HIPAA and HITECH are exempt from TIPA entirely under Section 47-18-3303. Information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA is excluded from TIPA's definition of personal information. The law uses HIPAA's definitions for both "covered entity" and "business associate."
Montana (MTCDPA)
Montana exempts covered entities at the entity level but has a notable narrowing for business associates. Under Section 30-14-2803, business associates are exempt "only as to the scope of" a valid Business Associate Agreement required by HIPAA. Activities of a business associate that fall outside the scope of a BAA remain subject to the MTCDPA. This is the only entity-level state that limits business associate coverage in this way.
Texas (TDPSA)
Section 541.002(b)(3) provides that the TDPSA does not apply to a covered entity or business associate governed by 45 C.F.R. Parts 160 and 164 pursuant to HIPAA and HITECH. However, there is a gray area: activities that fall outside HIPAA (such as consumer marketing data unrelated to patient care) may still be within scope. The AG has not yet issued guidance clarifying this boundary.
Nebraska (NDPA)
Nebraska has been described by legal analysts as having one of the broadest sets of entity-level and data-level exemptions among current state data privacy laws. Section 87-1103 exempts covered entities and business associates governed by HIPAA and HITECH. PHI is also separately exempt at the data level.
New Hampshire (NHPA)
Section 507-H:3(I)(f) exempts a "covered entity or business associate, as defined in 45 C.F.R. § 160.103." Section 507-H:3(II) separately exempts PHI, de-identified data, intermingled data maintained by covered entities or business associates, data used for public health activities authorized by HIPAA, and limited data sets under 45 C.F.R. § 164.514(e).
Kentucky (KCDPA)
The original KCDPA exempted covered entities and business associates at the entity level. HB 473, signed March 15, 2025, expanded the exemptions to also cover information collected by health care providers acting as HIPAA-covered entities and information maintained in limited data sets. This amendment responded to healthcare stakeholder concerns about scope. Effective January 1, 2026.
Rhode Island (RIDTPPA)
Section 6-48.1-3(d) exempts covered entities and business associates as defined in 45 C.F.R. § 160.103. The law also contains data-level exemptions for PHI, health records, and patient data collected for clinical trials. Effective January 1, 2026.
Data-Level States: PHI Only
In these 7 states, being a HIPAA-covered entity does not exempt you from the state privacy law. Only your HIPAA-regulated data (PHI) is exempt. Everything else — website analytics, marketing data, loyalty programs, non-clinical employee data — must comply with the state law.
California (CCPA/CPRA)
California's HIPAA exemption is data-level only. Section 1798.145(c)(1)(A) exempts medical information governed by the Confidentiality of Medical Information Act and PHI collected by a covered entity or business associate governed by HIPAA. Section 1798.145(c)(1)(B) extends this to information "maintained in the same manner as" PHI — which is broader than a strict PHI-only exemption but still fundamentally data-level. Non-health data held by a HIPAA entity (website tracking, marketing, consumer data) is not exempt. HIPAA-covered entities in California must comply with CCPA for all non-health personal data.
Colorado (CPA)
Section 6-1-1304(2)(a) exempts PHI "collected, stored and processed by a covered entity or its business associates." There is no entity-level exemption. Colorado is also notable for not exempting nonprofits, meaning nonprofit healthcare organizations face a dual compliance burden: HIPAA for health data, and the CPA for everything else. Health-tech companies must carefully evaluate whether their data processing qualifies for the PHI exemption.
Oregon (OCPA)
Oregon is the most restrictive state for healthcare organizations. The OCPA exempts only "protected health information processed in accordance with HIPAA" and documents created to comply with HIPAA. It provides neither an entity-level HIPAA exemption nor an entity-level exemption for GLBA-regulated financial institutions. Non-PHI personal data — consumer marketing lists, website analytics, app telemetry unrelated to treatment, payment, or operations — remains fully subject to the OCPA. Oregon also does not exempt nonprofits.
Delaware (DPDPA)
Delaware provides data-level exemptions for PHI under HIPAA, patient-identifying information under 42 U.S.C. § 290dd-2, human subject research data, patient safety work product under PSQIA, and information used for HIPAA-authorized public health purposes. But covered entities and business associates are not exempt at the entity level. Employee data, marketing data, and other non-PHI personal data held by healthcare organizations remains subject to the DPDPA. Delaware does not exempt nonprofits. Effective January 1, 2025.
New Jersey (NJDPA)
Section 56:8-166.13 exempts "protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services." The NJDPA does not provide an entity-level exemption. HIPAA-covered entities must comply with the NJDPA for non-PHI personal data. Effective January 15, 2025.
Minnesota (MCDPA)
Minnesota is one of the most significant data-level-only states given the search volume around its HIPAA exemption. Section 325O.03, subdivision 2 exempts PHI, Minnesota Health Records Act data, 42 C.F.R. Part 2 substance use disorder records, de-identified data, and "intermingled data maintained by covered entities or business associates." It does not exempt HIPAA-covered entities or business associates at the entity level. Non-PHI consumer data — website analytics, marketing leads, event registrations — processed by HIPAA entities remains subject to the MCDPA. Effective July 31, 2025.
Maryland (MODPA)
Section 14-4603 exempts PHI covered by HIPAA and medical records data governed by Maryland's medical records law when held by a covered entity or business associate. De-identified data derived from HIPAA-covered individually identifiable health information is also exempt. But there is no entity-level exemption. Maryland is further notable for its strong "consumer health data" provisions under Section 14-4604, which apply even to HIPAA entities — including prohibitions on geofencing mental health and reproductive health facilities. Effective October 1, 2025.
What About Business Associates?
Every entity-level state that exempts covered entities also exempts business associates. However, there is one important exception:
Montana limits the business associate exemption to the scope of a valid Business Associate Agreement. If a business associate performs activities outside the BAA — marketing, analytics, or other non-HIPAA processing — those activities remain subject to the MTCDPA. This is unique among entity-level states.
In data-level states, the entity-level question does not apply to either covered entities or business associates. Both must comply with the state law for non-PHI data regardless of their HIPAA status.
What "Data-Level" Actually Means Day to Day
If you are a HIPAA-covered entity operating in a data-level exemption state, here is what changes:
Your PHI is still exempt. Patient records, treatment data, billing information, and anything else that qualifies as PHI under 45 C.F.R. § 160.103 continues to be governed exclusively by HIPAA. No state privacy law touches this.
Everything else is not. This includes:
- Website data: Analytics, cookies, tracking pixels, form submissions from non-patients
- Marketing data: Email lists, advertising audiences, community outreach contacts
- Employee data: HR records, payroll data, benefits administration (to the extent it is not PHI)
- Vendor and procurement data: Business contact information from non-healthcare vendors
- Gift shop or retail data: Customer purchase history, loyalty programs
- Event data: Registration information for community health fairs, fundraisers, educational seminars
- Facility data: Visitor logs, parking systems, building access records
For each of these data categories, you must comply with the state privacy law's requirements for consumer rights (access, deletion, opt-out), data processing disclosures, and security obligations.
Practical Compliance Guidance
If You Operate in Only Entity-Level States
Your HIPAA compliance program covers you. The state privacy laws do not apply to your organization. Continue monitoring for legislative changes — states can and do amend exemption provisions.
If You Operate in Only Data-Level States
You need a dual compliance approach:
- Map your data to identify which processing activities involve PHI (exempt) and which involve non-PHI personal data (subject to state law)
- Implement consumer rights for non-PHI data — access requests, deletion requests, and opt-out mechanisms as required by each state
- Update your privacy notice to address both HIPAA requirements (Notice of Privacy Practices) and state law requirements (privacy policy disclosures)
- Train staff on the distinction, particularly front-desk and administrative staff who may receive requests that could fall under either HIPAA or the state law
If You Operate Across Both Types of States
This is the most common scenario for larger healthcare organizations. The safest approach is to build to the most restrictive standard: treat all non-PHI personal data as subject to state privacy law requirements everywhere, even in entity-level states. This avoids the complexity of maintaining different practices in different states and positions you well as more states pass privacy laws.
The Trend
The split is not moving in a single direction. Earlier state privacy laws went both ways — Virginia (2021) chose entity-level while California (2018) and Colorado (2021) chose data-level. The 2023-2024 wave of laws leaned entity-level (Iowa, Indiana, Tennessee, Montana, Texas, Nebraska, New Hampshire, Kentucky, Rhode Island). But the most recent major enactments — Minnesota and Maryland, both effective in 2025 — went with data-level only.
Both Minnesota and Maryland are considered more consumer-protective laws overall, which suggests that states prioritizing stronger privacy protections may continue choosing data-level exemptions. Healthcare organizations should plan for a mixed landscape rather than assuming the entity-level trend will continue.
Key Takeaways
- Twelve states exempt HIPAA-covered entities entirely (entity-level). Seven states exempt only PHI (data-level).
- The distinction determines your compliance burden. Entity-level means the state law does not apply to you. Data-level means you need a second compliance program for non-PHI data.
- All 19 states exempt PHI at the data level. Your patient health data is never subject to these state privacy laws.
- Business associates are covered by the entity-level exemption in all entity-level states, though Montana limits this to the scope of a valid BAA.
- California and Minnesota — two of the most significant state privacy laws — use data-level exemptions. HIPAA-covered entities in these states cannot rely on their HIPAA status alone.
- Oregon is the most restrictive state for healthcare organizations, with data-level-only exemptions for both HIPAA and GLBA.
- Build to the most restrictive standard if you operate across multiple states. Treating all non-PHI data as subject to state law everywhere is simpler than maintaining different practices per state.
References
- Virginia Consumer Data Protection Act, Va. Code Ann. §§ 59.1-575 through 59.1-585
- Connecticut Data Privacy Act, Conn. Gen. Stat. §§ 42-515 to 42-525
- Utah Consumer Privacy Act, Utah Code Ann. §§ 13-61-101 et seq.
- Iowa Consumer Data Protection Act, Iowa Code ch. 715D
- Indiana Consumer Data Protection Act, Ind. Code ch. 24-15
- Tennessee Information Protection Act, Tenn. Code Ann. §§ 47-18-3301 et seq.
- Montana Consumer Data Privacy Act, Mont. Code Ann. § 30-14-2801 et seq.
- Texas Data Privacy and Security Act, Tex. Bus. & Com. Code ch. 541
- Nebraska Data Privacy Act, Neb. Rev. Stat. § 87-1101 et seq.
- New Hampshire Privacy Act, N.H. Rev. Stat. Ann. ch. 507-H
- Kentucky Consumer Data Protection Act, KRS ch. 367 (HB 15, 2024; amended by HB 473, 2025)
- Rhode Island Data Transparency and Privacy Protection Act, R.I. Gen. Laws ch. 6-48.1
- California Consumer Privacy Act / California Privacy Rights Act, Cal. Civ. Code §§ 1798.100-1798.199.100
- Colorado Privacy Act, C.R.S. §§ 6-1-1301 to 6-1-1313
- Oregon Consumer Privacy Act, ORS § 646A.570 et seq.
- Delaware Personal Data Privacy Act, Del. Code tit. 6, ch. 12D
- New Jersey Data Privacy Act, N.J. Stat. Ann. § 56:8-166 et seq.
- Minnesota Consumer Data Privacy Act, Minn. Stat. ch. 325O
- Maryland Online Data Privacy Act, Md. Code, Com. Law § 14-4601 et seq.
- HIPAA Privacy Rule, 45 C.F.R. Part 164, Subpart E
- HIPAA Security Rule, 45 C.F.R. Part 164, Subpart C
- HIPAA definitions (covered entity, business associate), 45 C.F.R. § 160.103
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy laws vary by jurisdiction, change frequently, and are subject to regulatory interpretation. The entity-level vs. data-level classifications in this article reflect the prevailing legal analysis as of February 2026 but have not been tested in court in most states. Consult a qualified attorney for guidance specific to your organization.