WHERE HIPAA STOPS AND MINNESOTA'S NEW PRIVACY LAW STARTS

Where HIPAA Stops and Minnesota’s New Privacy Law Starts

On February 5, 2026, Minnesota Attorney General Keith Ellison’s office announced the end of a grace period built into the Minnesota Consumer Data Privacy Act (MCDPA). Until January 31, 2026, the law required the Attorney General to send a warning letter and give businesses 30 days to fix any violation before taking enforcement action. That requirement has expired. By the time of the announcement, the office had already logged over 200 complaints and sent dozens of warning letters, many involving businesses that failed to honor consumers’ opt-out signals.

The MCDPA itself, codified at Minn. Stat. Chapter 325M, took effect July 31, 2025, after Governor Tim Walz signed it into law in May 2024. Among its requirements, a controller must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices… including the maintenance of an inventory of the data that must be managed to exercise these responsibilities,” a first-of-its-kind statutory data inventory mandate.

The MCDPA does not exempt an organization simply because it is already a HIPAA-covered entity. It exempts specific data that HIPAA regulates, not the organization handling it. For a Minneapolis health system, that distinction means a compliance program built for years around one question, is this protected health information, now sits next to a state law asking a different one: is this personal data belonging to an identifiable Minnesota resident. The second question is broader, and it doesn’t disappear just because an organization has already built a mature HIPAA program.

Where HIPAA’s Boundary Actually Sits After the Becerra Ruling

The Department of Health and Human Services first addressed website tracking tools directly in November 2022, when its Office for Civil Rights issued guidance stating that tracking technologies, cookies, pixels, and similar scripts, can trigger HIPAA obligations whenever they transmit protected health information to a vendor. The guidance drew a sharp line between two kinds of web pages. On a patient portal, where a user has logged in, nearly anything a tracking tool captures counts as PHI. On a public page, the guidance went further: even an IP address paired with a visit to a page about a specific health condition could count as PHI, regardless of whether the visitor ever logged in anywhere.

That second part didn’t survive. In June 2024, the U.S. District Court for the Northern District of Texas ruled in American Hospital Association v. Becerra that HHS had overstepped. The court vacated the guidance specifically where it applied to unauthenticated public pages, an IP address combined with a visit to a health-topic page, on its own, no longer automatically counts as protected health information. HHS said at the time it was evaluating its next steps, and it hasn’t reissued guidance to replace the vacated portion since.

What survived the ruling: tracking on authenticated pages, the ones behind a login, patient portals, bill pay, scheduling, is untouched. HIPAA’s reach there is exactly what it was in 2022.

What didn’t survive: the broader claim that any health-adjacent browsing, even by an anonymous visitor to a public page, falls inside HIPAA’s boundary. After Becerra, it doesn’t, not automatically.

That boundary is now a settled, court-confirmed edge of what HIPAA covers. It is not a HIPAA compliance failure to have data sitting on that boundary. It’s simply data HIPAA no longer reaches.

Diagram showing website tracking data falling through a gap in HIPAA's coverage, where unauthenticated pages are excluded after the Becerra ruling, and landing in Minnesota's Consumer Data Privacy Act, which has no such gap.
HIPAA’s tracking-technology guidance stops at unauthenticated pages after the 2024 Becerra ruling. The MCDPA has no equivalent carve-out.

What the MCDPA Covers That HIPAA No Longer Does

The MCDPA doesn’t share HIPAA’s authenticated-versus-unauthenticated distinction. Its definition of “personal data” is any information linked or reasonably linkable to an identified or identifiable Minnesota resident. A visitor’s IP address, browsing behavior, and device identifiers can qualify, whether that visitor logged into a portal or simply viewed a public page.

The law does carve out data that HIPAA already regulates. But that exemption operates at the data level, not the organization level. A hospital doesn’t get to step outside the MCDPA’s reach by virtue of being a HIPAA-covered entity. Only the specific data HIPAA actually governs is excluded. Everything else the hospital collects, including exactly the category of unauthenticated-page tracking data that Becerra pulled outside HIPAA’s boundary, falls under Minnesota’s broader definition instead.

The practical result: a health system’s HIPAA program can be fully compliant, correctly scoped, properly excluding non-PHI data exactly as the Becerra ruling says it should, and still leave that same data uncovered by any privacy law at all, until the MCDPA is accounted for separately.

The Statutory Data Inventory Mandate and What It Requires First

The MCDPA’s data security provision, Minn. Stat. § 325M.16(c), requires a controller to maintain “an inventory of the data that must be managed” as part of its security practices. This is a data inventory requirement, a catalog of what personal data an organization holds, where it came from, and what it’s used for. It is not, on its own, a requirement to inventory infrastructure, servers, systems, or network connections.

That distinction matters, because a data inventory is only as complete as the organization’s knowledge of where its data actually lives. A compliance team can’t catalog personal data sitting on a system nobody has identified. Before any list of “the data we manage” can be accurate, someone has to know which systems, pages, and integrations exist to hold or transmit that data in the first place.

That earlier step, knowing a system exists at all, is a discovery problem. It sits one layer beneath the data inventory the statute requires, not inside it.

What Recent Minnesota Cases Show About This Exposure

The exposure this creates isn’t hypothetical. Allina Health System, a Minneapolis-based nonprofit health system, agreed in 2026 to pay $12.5 million to settle a class action lawsuit alleging its website tracking pixels disclosed patient information to Meta and Google. The lawsuit, filed in September 2024, predates the MCDPA’s effective date and was brought under the Electronic Communications Privacy Act, the Minnesota Health Records Act, and Minnesota’s unfair trade practices law, not the MCDPA. It illustrates the category of exposure this piece is about; it is not itself an MCDPA case.

The settlement’s own structure makes the underlying pattern visible. It split the class into two groups: patient portal, bill pay, and scheduling users on one side, and visitors who never logged in at all on the other. That split mirrors the exact authenticated-versus-unauthenticated line Becerra drew through HIPAA two years later. The tracking tools involved weren’t installed to touch health data. Marketing and web teams commonly add analytics and ad-tracking scripts to hospital websites for ordinary reasons, measuring visits, retargeting, conversion tracking, without classifying the page as one that handles regulated health information.

The pattern extends beyond Allina. Minnesota’s Department of Human Services disclosed a breach affecting nearly 304,000 individuals after a user with legitimate system credentials accessed far more data than their role permitted, a scope problem rather than an external attack. Consulting Radiologists, serving more than 100 Minnesota health care facilities, agreed to a $2.2 million settlement over a 2024 breach affecting close to 584,000 people, with claims brought under Minnesota’s consumer protection and health records statutes alongside HIPAA-related allegations. None of these cases were brought under the MCDPA either. Together, they establish the same underlying condition the MCDPA’s data inventory requirement is meant to address: data moving through systems that were never formally identified as data-holding systems in the first place.

Discovery as the Layer Beneath the Data Inventory

Flowchart showing authenticated and unauthenticated health system data flowing through Virima's CMDB discovery layer, then branching into HIPAA compliance and MCDPA data inventory requirements, converging in a Minneapolis health system compliant under both laws.
Discovery sits beneath both compliance obligations. Virima surfaces the systems that feed a HIPAA risk analysis and an MCDPA data inventory alike.

A data inventory catalogs personal data. Infrastructure discovery identifies the servers, cloud instances, and network-connected systems an organization actually runs, and how those systems connect to one another. These are adjacent responsibilities, not the same one.

For a health system working to satisfy the MCDPA’s inventory requirement, discovery is the layer that makes the inventory possible to build accurately. A marketing team spinning up a new campaign microsite, a lab plugging in a new vendor integration, a legacy analytics tool nobody decommissioned, each is a system that has to be found before anyone can ask what data it collects or where that data goes. High-frequency scheduled discovery, run on a recurring cycle rather than a single annual pass, reflects that kind of environment more accurately than a review conducted once a year or reconstructed after an incident.

What discovery does not do is classify the content moving through a given connection or determine whether a specific disclosure was lawful. Whether a tracking script on a given webpage is transmitting personal data of a Minnesota resident is a data-classification question, sitting with the organization’s privacy and compliance teams.

Whether that same webpage runs on infrastructure the organization actually knows about is a visibility question, and it has to be answered first. A configuration management database, kept current through scheduled discovery rather than manual audit, supplies that visibility. It does not build the data inventory the MCDPA requires. It surfaces the systems a compliance team needs in order to build one honestly.

Two Laws, One Prerequisite

A Minneapolis health system now answers to two separate privacy obligations that don’t ask the same question. HIPAA asks whether information is protected health information, a question sharpened and narrowed by the Becerra ruling. The MCDPA asks whether information is personal data of an identifiable Minnesota resident, a broader question with no authenticated-page carve-out and its own statutory inventory mandate. Neither law’s compliance work can start from a list of data alone. Both depend on knowing, first, which systems exist to hold that data.

Explore how Virima’s Trusted Runtime Truth gives compliance teams authoritative system visibility across HIPAA and MCDPA obligations.

Frequently Asked Questions

What is the Minnesota Consumer Data Privacy Act (MCDPA)?
The MCDPA is Minnesota’s comprehensive consumer data privacy law, codified at Minnesota Statutes Chapter 325M. Governor Tim Walz signed it in May 2024, and it took effect July 31, 2025. It grants Minnesota residents rights over their personal data and requires covered organizations to maintain a documented data inventory and reasonable data security practices.
Does the MCDPA exempt HIPAA-covered health systems?
No, not entirely. The MCDPA exempts specific data that HIPAA already regulates, not the organization handling it. A hospital that is a HIPAA-covered entity still has to account for any personal data it holds that falls outside HIPAA’s definition of protected health information.
What did the Becerra ruling change about HIPAA and website tracking?
In June 2024, a federal court vacated the part of HHS’s 2022 tracking-technology guidance that applied to unauthenticated public webpages. An IP address combined with a visit to a health-topic page no longer automatically counts as protected health information on its own. Tracking on authenticated pages, such as patient portals, remains fully covered.
Was the Allina Health settlement a violation of the MCDPA?
No. The lawsuit was filed in September 2024, before the MCDPA took effect, and was brought under different state and federal laws. It illustrates the kind of website-tracking exposure this article discusses, but it is not an MCDPA case.
Can a CMDB satisfy the MCDPA’s data inventory requirement?
Not directly. The MCDPA requires an inventory of personal data, not infrastructure. A CMDB identifies the servers, cloud instances, and connected systems within an organization’s environment. That system-level visibility is a prerequisite for building an accurate data inventory, not a substitute for one.

Move faster. Act safely.

Get live, explainable runtime truth across your entire estate — without platform lock-in.

Similar Posts