MODPA introduces stricter standards and broader definitions that will impact how businesses and healthcare organizations collect, process, and protect personal data. So, healthcare organizations operating in Maryland must comply with both MODPA and HIPAA standards for data privacy and security.
What is MODPA?
The Maryland Online Data Privacy Act (MODPA) is a data privacy law that regulates how businesses collect, process, and protect personal data in Maryland. The Act was signed on May 9, 2024, making Maryland the seventeenth state to enact a comprehensive data privacy law.
MODPA will be effective from October 1, 2025, implementing stricter standards for businesses that handle personal data.
Specifically, MODPA regulates how businesses, including healthcare organizations, collect, process, and protect personal data. It enhances protections for sensitive information, like consumer health and children's data, and prohibits discriminatory data practices.
Go deeper: Maryland enacts new data privacy law affecting multiple industries
What changes will MODPA bring?
Broader definition of biometric data
Usually, biometric data refers to biological characteristics for identifying an individual, like fingerprints, facial recognition data, or iris scans. However, MODPA extends the definition to include any biological characteristic that could be used to authenticate a consumer’s identity.
For example, under MODPA, voice recognition data, like “a voice print”, used for authentication purposes would be considered biometric data.
Ultimately, the broader definition requires businesses to protect more data, impacting how they collect, store, and use this information.
Stricter data minimization requirements
Some states allow broader consumer data collection if its purposes are disclosed. However, MODPA mandates that businesses, including healthcare organizations, limit data collection to what is necessary and directly related to the product or service requested by the consumer.
These requirements also extend to sensitive personal data, including “race, color, religion, national origin, sex, sexual orientation, gender identity, or disability.” Consequently, businesses can only collect this data to provide or maintain a consumer-requested service, preventing misuse of personal information.
Improved protections for consumer health data
MODPA now defines health data as “personal data that a [business] uses to identify a consumer’s physical or mental health status, [including] gender-affirming treatment, reproductive or sexual healthcare.”
The new law requires employees, contractors, and data processors to sign confidentiality agreements before accessing health data. Furthermore, it prohibits geofencing near mental health or reproductive health facilities.
Stronger protections for children’s data
MODPA places additional responsibility on businesses to verify the age of their users. Specifically, the law prohibits the sale of data collected from minors and bans targeted advertising to individuals under 18.
Unlike other privacy laws that require the knowledge of a consumer’s age, MODPA’s protections apply when a business “should have known” that a consumer was a minor.
The intersection of MODPA and HIPAA compliance
HIPAA mandates safeguarding patients’ protected health information (PHI), while MODPA introduces additional requirements for consumer health data.
Healthcare organizations operating in Maryland must navigate the overlap between MODPA and HIPAA to adhere to both state and federal requirements.
How healthcare providers can prepare for regulatory compliance
Review data collection practices: Healthcare providers must limit data collection to what is necessary and directly related to the services provided, adhering to HIPAA’s minimum necessary standard and MODPA’s data minimization requirements.
Update privacy policies: Providers must revise their privacy policies to incorporate MODPA’s broader definitions of biometric and health information, ensuring these updates do not conflict with HIPAA requirements. These policies should outline how data will be collected, used, and protected.
Implement data protection measures: Healthcare providers should implement confidentiality agreements and set controls on health data. They include enhanced encryption, access controls, and regular audits to comply with both regulations.
Train employees: Healthcare organizations must regularly educate their employees and contractors on MODPA’s specific requirements, alongside HIPAA’s Privacy and Security Rules.
Read also: How to prevent common HIPAA compliance mistakes
FAQs
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
What are patient rights under HIPAA?
Patients have the right to access, request corrections, and obtain a copy of their PHI. Patients can also request an accounting of PHI disclosures, file complaints, receive electronic copies, opt out of certain uses, and must be notified of PHI breaches.
