Where HIPAA Stops and Minnesota’s New Privacy Law Starts
On February 5, 2026, Minnesota Attorney General Keith Ellison’s office announced the end of a grace period built into the Minnesota Consumer Data Privacy Act (MCDPA). Until January 31, 2026, the law required the Attorney General to send a warning letter and give businesses 30 days to fix any violation before taking enforcement action. That requirement has expired. By the time of the announcement, the office had already logged over 200 complaints and sent dozens of warning letters, many involving businesses that failed to honor consumers’ opt-out signals.
The MCDPA itself, codified at Minn. Stat. Chapter 325M, took effect July 31, 2025, after Governor Tim Walz signed it into law in May 2024. Among its requirements, a controller must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices… including the maintenance of an inventory of the data that must be managed to exercise these responsibilities,” a first-of-its-kind statutory data inventory mandate.
The MCDPA does not exempt an organization simply because it is already a HIPAA-covered entity. It exempts specific data that HIPAA regulates, not the organization handling it. For a Minneapolis health system, that distinction means a compliance program built for years around one question, is this protected health information, now sits next to a state law asking a different one: is this personal data belonging to an identifiable Minnesota resident. The second question is broader, and it doesn’t disappear just because an organization has already built a mature HIPAA program.
Where HIPAA’s Boundary Actually Sits After the Becerra Ruling
The Department of Health and Human Services first addressed website tracking tools directly in November 2022, when its Office for Civil Rights issued guidance stating that tracking technologies, cookies, pixels, and similar scripts, can trigger HIPAA obligations whenever they transmit protected health information to a vendor. The guidance drew a sharp line between two kinds of web pages. On a patient portal, where a user has logged in, nearly anything a tracking tool captures counts as PHI. On a public page, the guidance went further: even an IP address paired with a visit to a page about a specific health condition could count as PHI, regardless of whether the visitor ever logged in anywhere.
That second part didn’t survive. In June 2024, the U.S. District Court for the Northern District of Texas ruled in American Hospital Association v. Becerra that HHS had overstepped. The court vacated the guidance specifically where it applied to unauthenticated public pages, an IP address combined with a visit to a health-topic page, on its own, no longer automatically counts as protected health information. HHS said at the time it was evaluating its next steps, and it hasn’t reissued guidance to replace the vacated portion since.
What survived the ruling: tracking on authenticated pages, the ones behind a login, patient portals, bill pay, scheduling, is untouched. HIPAA’s reach there is exactly what it was in 2022.
What didn’t survive: the broader claim that any health-adjacent browsing, even by an anonymous visitor to a public page, falls inside HIPAA’s boundary. After Becerra, it doesn’t, not automatically.
That boundary is now a settled, court-confirmed edge of what HIPAA covers. It is not a HIPAA compliance failure to have data sitting on that boundary. It’s simply data HIPAA no longer reaches.


What the MCDPA Covers That HIPAA No Longer Does
The MCDPA doesn’t share HIPAA’s authenticated-versus-unauthenticated distinction. Its definition of “personal data” is any information linked or reasonably linkable to an identified or identifiable Minnesota resident. A visitor’s IP address, browsing behavior, and device identifiers can qualify, whether that visitor logged into a portal or simply viewed a public page.
The law does carve out data that HIPAA already regulates. But that exemption operates at the data level, not the organization level. A hospital doesn’t get to step outside the MCDPA’s reach by virtue of being a HIPAA-covered entity. Only the specific data HIPAA actually governs is excluded. Everything else the hospital collects, including exactly the category of unauthenticated-page tracking data that Becerra pulled outside HIPAA’s boundary, falls under Minnesota’s broader definition instead.
The practical result: a health system’s HIPAA program can be fully compliant, correctly scoped, properly excluding non-PHI data exactly as the Becerra ruling says it should, and still leave that same data uncovered by any privacy law at all, until the MCDPA is accounted for separately.
The Statutory Data Inventory Mandate and What It Requires First
The MCDPA’s data security provision, Minn. Stat. § 325M.16(c), requires a controller to maintain “an inventory of the data that must be managed” as part of its security practices. This is a data inventory requirement, a catalog of what personal data an organization holds, where it came from, and what it’s used for. It is not, on its own, a requirement to inventory infrastructure, servers, systems, or network connections.
That distinction matters, because a data inventory is only as complete as the organization’s knowledge of where its data actually lives. A compliance team can’t catalog personal data sitting on a system nobody has identified. Before any list of “the data we manage” can be accurate, someone has to know which systems, pages, and integrations exist to hold or transmit that data in the first place.
That earlier step, knowing a system exists at all, is a discovery problem. It sits one layer beneath the data inventory the statute requires, not inside it.
What Recent Minnesota Cases Show About This Exposure
The exposure this creates isn’t hypothetical. Allina Health System, a Minneapolis-based nonprofit health system, agreed in 2026 to pay $12.5 million to settle a class action lawsuit alleging its website tracking pixels disclosed patient information to Meta and Google. The lawsuit, filed in September 2024, predates the MCDPA’s effective date and was brought under the Electronic Communications Privacy Act, the Minnesota Health Records Act, and Minnesota’s unfair trade practices law, not the MCDPA. It illustrates the category of exposure this piece is about; it is not itself an MCDPA case.
The settlement’s own structure makes the underlying pattern visible. It split the class into two groups: patient portal, bill pay, and scheduling users on one side, and visitors who never logged in at all on the other. That split mirrors the exact authenticated-versus-unauthenticated line Becerra drew through HIPAA two years later. The tracking tools involved weren’t installed to touch health data. Marketing and web teams commonly add analytics and ad-tracking scripts to hospital websites for ordinary reasons, measuring visits, retargeting, conversion tracking, without classifying the page as one that handles regulated health information.
The pattern extends beyond Allina. Minnesota’s Department of Human Services disclosed a breach affecting nearly 304,000 individuals after a user with legitimate system credentials accessed far more data than their role permitted, a scope problem rather than an external attack. Consulting Radiologists, serving more than 100 Minnesota health care facilities, agreed to a $2.2 million settlement over a 2024 breach affecting close to 584,000 people, with claims brought under Minnesota’s consumer protection and health records statutes alongside HIPAA-related allegations. None of these cases were brought under the MCDPA either. Together, they establish the same underlying condition the MCDPA’s data inventory requirement is meant to address: data moving through systems that were never formally identified as data-holding systems in the first place.
Discovery as the Layer Beneath the Data Inventory


A data inventory catalogs personal data. Infrastructure discovery identifies the servers, cloud instances, and network-connected systems an organization actually runs, and how those systems connect to one another. These are adjacent responsibilities, not the same one.
For a health system working to satisfy the MCDPA’s inventory requirement, discovery is the layer that makes the inventory possible to build accurately. A marketing team spinning up a new campaign microsite, a lab plugging in a new vendor integration, a legacy analytics tool nobody decommissioned, each is a system that has to be found before anyone can ask what data it collects or where that data goes. High-frequency scheduled discovery, run on a recurring cycle rather than a single annual pass, reflects that kind of environment more accurately than a review conducted once a year or reconstructed after an incident.
What discovery does not do is classify the content moving through a given connection or determine whether a specific disclosure was lawful. Whether a tracking script on a given webpage is transmitting personal data of a Minnesota resident is a data-classification question, sitting with the organization’s privacy and compliance teams.
Whether that same webpage runs on infrastructure the organization actually knows about is a visibility question, and it has to be answered first. A configuration management database, kept current through scheduled discovery rather than manual audit, supplies that visibility. It does not build the data inventory the MCDPA requires. It surfaces the systems a compliance team needs in order to build one honestly.
Two Laws, One Prerequisite
A Minneapolis health system now answers to two separate privacy obligations that don’t ask the same question. HIPAA asks whether information is protected health information, a question sharpened and narrowed by the Becerra ruling. The MCDPA asks whether information is personal data of an identifiable Minnesota resident, a broader question with no authenticated-page carve-out and its own statutory inventory mandate. Neither law’s compliance work can start from a list of data alone. Both depend on knowing, first, which systems exist to hold that data.






