State Compliance

Virginia CDPA for Medical Practices: Where It Stacks on HIPAA

8 min read · Last reviewed May 23, 2026

Virginia's Consumer Data Protection Act (Va. Code § 59.1-575 et seq.) took effect January 1, 2023. The single biggest divergence from HIPAA is structural: CDPA is a consumer-rights and processing-purpose statute, where HIPAA is a covered-entity safeguarding statute. CDPA includes a HIPAA carve-out for PHI but still applies to a medical practice's non-PHI data — intake forms for marketing, employee data, website analytics — whenever the practice meets CDPA's volume threshold.

What Virginia CDPA actually requires

CDPA applies to a "controller" or "processor" that conducts business in Virginia or produces products or services targeted to Virginia residents and that, during a calendar year, either controls or processes personal data of at least 100,000 Virginia consumers, or controls or processes personal data of at least 25,000 Virginia consumers and derives over 50 percent of gross revenue from the sale of personal data. Below those thresholds, CDPA does not apply.

When CDPA applies, Va. Code § 59.1-578 imposes core obligations: limit collection to what is adequate, relevant, and reasonably necessary; provide a privacy notice; obtain opt-in consent before processing sensitive data; perform data protection assessments for high-risk processing; honor consumer rights to access, correct, delete, port, and opt out of sale or targeted advertising; and execute written contracts with processors.

The HIPAA carve-out at Va. Code § 59.1-576(C) exempts:

  • Protected health information under HIPAA
  • Patient information held by a HIPAA-covered entity or business associate in the same manner as PHI
  • Information used for public health activities
  • Information processed under specified clinical trial regulations

What is not exempted: the entity itself, marketing data not derived from PHI, website analytics tied to non-employee visitors, and any data collected from non-patients in a consumer capacity (prospects, family members searching the website, wellness program participants who are not patients). Employee and applicant data and persons acting in a commercial or B2B capacity fall outside CDPA's "consumer" definition at Va. Code § 59.1-575 and are not pulled in by the CDPA framework — even though they may be regulated under other workforce-privacy regimes.

Where Virginia CDPA is stricter than HIPAA

Where CDPA bites a healthcare practice is the non-PHI data layer. HIPAA does not regulate the marketing list a practice builds from waiting-room sign-in sheets when the data is not yet linked to treatment. HIPAA does not regulate a website's analytics tracking when the visitor is not a patient. HIPAA's marketing authorization rule at 45 CFR 164.508(a)(3) applies only to marketing communications using PHI. CDPA reaches further.

| Topic | HIPAA | Virginia CDPA | Stricter | |---|---|---|---| | Data scope | PHI held by covered entity or BA | All personal data of Virginia consumers, with HIPAA carve-out | Different scope, not strictly comparable | | Right to delete | None — only access and amendment | Yes for non-PHI data (§ 59.1-577) | Virginia | | Right to data portability | Limited (electronic PHI access) | Yes for all non-PHI personal data | Virginia | | Opt-in for sensitive data | Authorization for non-TPO uses | Opt-in consent required before processing | Virginia | | Data minimization | Minimum necessary rule (164.502(b)) | Data collection adequate and relevant only (§ 59.1-578) | Comparable | | Data protection assessment | Risk analysis required (164.308(a)(1)) | DPA required for high-risk processing (§ 59.1-580) | CDPA specific to processing risk | | Private right of action | None | None — AG only | Tie | | Penalty per violation | Up to $73,011 per violation, $2,190,294 annual cap per identical violation (2026 HHS-adjusted HIPAA; 45 CFR Part 102) | Up to $7,500 per violation | HIPAA per-violation | | Right to cure | None | 30 days before AG can sue (§ 59.1-585) | CDPA more lenient |

The two statutes are designed for different objectives. HIPAA protects health information across all of its forms; CDPA gives consumers rights over their personal data. A medical practice has to comply with both — HIPAA on the PHI track, CDPA on the non-PHI consumer track — and the two rarely overlap in practice.

Where HIPAA is stricter than Virginia CDPA

HIPAA is materially broader on the PHI track. The Security Rule's administrative, physical, and technical safeguards at 45 CFR Part 164, Subpart C have no CDPA equivalent — Virginia does not impose a federal-grade SRA requirement, an encryption standard, or audit logs by statute for medical practices. HIPAA's breach notification rule at 45 CFR 164.400-414 is more prescriptive on form and content than Virginia's general breach statute at § 18.2-186.6.

HIPAA's per-violation penalty ceiling under 45 CFR 160.404 — adjusted annually for inflation — is substantially higher than CDPA's $7,500. And HIPAA has no right-to-cure provision; CDPA's 30-day cure window at § 59.1-585 gives controllers a structural defense CDPA enforcement actions that HIPAA respondents do not enjoy.

Breach notification timeline

CDPA itself is not a breach notification statute. Virginia breach notification lives at Va. Code § 18.2-186.6 and requires notice to affected Virginia residents without unreasonable delay where unencrypted personal information has been accessed and acquired by an unauthorized person. Where the breach affects more than 1,000 Virginia residents, the entity must also notify the Virginia Attorney General and consumer reporting agencies.

For HIPAA-covered breaches, the 60-day individual notification deadline under 45 CFR 164.404(b) controls for PHI. Practices run both tracks in parallel: HIPAA for PHI, Virginia § 18.2-186.6 for non-PHI personal information of Virginia residents.

Penalties + private right of action

Va. Code § 59.1-584 makes the Virginia Attorney General the exclusive enforcer of CDPA. Civil penalties under § 59.1-584(B) run up to $7,500 per violation. The AG can also seek restitution, injunctive relief, and reasonable expenses.

Va. Code § 59.1-585 requires the AG to send a written notice identifying the specific provisions allegedly violated, giving the controller 30 days to cure. Only if the violation continues, or the controller breaches an express written statement provided to the AG, can the AG bring an action. This 30-day cure window is a meaningful structural protection — it converts most CDPA enforcement actions into compliance negotiations rather than litigation.

The lack of a private right of action makes CDPA less plaintiff-friendly than BIPA, GIPA, or Washington's My Health My Data Act. Plaintiffs' firms have not built CDPA class action practices comparable to the Illinois BIPA bar. But the AG's office has been active and has published enforcement actions; assume the AG will examine practices that fail to honor consumer access requests, that miss the 30-day cure, or that lack a published privacy notice.

HIPAA enforcement under 45 CFR Part 160, Subpart D runs concurrently. HHS OCR remains the federal enforcer, with state AGs able to bring parallel HIPAA actions under HITECH § 13410(e). The Virginia AG has used HITECH authority in past matters.

Compliance checklist for in-state practices

For Virginia practices that meet the CDPA volume thresholds:

  • Determine whether CDPA applies by counting Virginia consumers whose personal data the practice controls or processes — not just patients, but all consumers (website visitors, prospects, marketing leads).
  • Map PHI vs non-PHI clearly. PHI under HIPAA is exempt from CDPA consumer rights. Non-PHI data — analytics, marketing lists, prospect intake — is fully covered.
  • Publish a privacy notice that meets Va. Code § 59.1-578(C) requirements: categories of personal data processed, purposes, categories of third parties, how to exercise consumer rights.
  • Stand up a consumer-rights intake mechanism. Virginia consumers have rights to access, correct, delete, port, and opt out of sale or targeted advertising. The response window is 45 days from receipt of a verified request.
  • For any processing of sensitive data — geolocation, genetic, biometric, health diagnosis not under HIPAA, racial or ethnic origin — obtain opt-in consent before processing.
  • Perform a data protection assessment for any high-risk processing (targeted advertising, sale of personal data, profiling, processing of sensitive data) under § 59.1-580. Retain the DPA in writing.
  • Execute written processor contracts under § 59.1-579 with vendors that process Virginia consumer data outside the HIPAA business associate framework. BAAs cover PHI vendors; CDPA processor contracts cover non-PHI vendors.
  • Maintain a 30-day cure response process: when the Virginia AG sends a § 59.1-585 notice, the practice has 30 days to cure the alleged violation. Document the cure thoroughly.

Cross-references: Washington's My Health My Data Act takes the opposite design choice — broad consumer health data coverage with a private right of action — and is far more aggressive than Virginia CDPA. Illinois BIPA and GIPA also runs class actions that CDPA does not allow. The compliance binder covers the HIPAA backbone; Virginia practices layer CDPA's non-PHI consumer rights track on top.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversVirginia CDPA for Medical Practices: Where It Stacks on HIPAA. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

We are a HIPAA-covered entity. Does CDPA apply to us at all?

Yes, but narrower than you might think. Va. Code § 59.1-576(C) exempts protected health information collected and processed under HIPAA. It does not exempt the entity itself. CDPA's definition of 'consumer' at Va. Code § 59.1-575 excludes a natural person acting in a commercial or employment context, so employee data and B2B contact data sit outside CDPA. Patient marketing lists, waiting-room intake-form data not used for treatment, website analytics tied to non-employee visitors, and patient portal account data that is not PHI remain subject to CDPA if the practice meets the volume thresholds at § 59.1-576(A) — 100,000 Virginia consumers or 25,000 consumers with 50% revenue from data sales.

Does CDPA give Virginia patients a right to delete their medical records?

No, not directly. Va. Code § 59.1-577 gives Virginia consumers rights to access, correct, delete, port, and opt out of sale. But because PHI is exempt under § 59.1-576(C), patient medical records governed by HIPAA fall outside the CDPA delete right. Non-PHI data — marketing lists, web tracking data, prospect intake forms not yet tied to treatment — does fall within the delete right. HIPAA's own right of access at 45 CFR 164.524 has no parallel deletion right.

What is sensitive data under CDPA and does it matter for a practice?

Yes, materially. Va. Code § 59.1-575 defines sensitive data to include health information, genetic or biometric data, geolocation, racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sex life or sexual orientation, citizenship status, and data of a known child. Sensitive data requires opt-in consent under § 59.1-578(A)(5) before processing. PHI is carved out, but health information collected outside the HIPAA context — wellness app data, marketing intake before treatment — needs CDPA opt-in.

How does Virginia's breach notification interact with CDPA?

Separately. CDPA itself is not a breach notification statute — it is a consumer rights and processing statute. Virginia breach notification lives at Va. Code § 18.2-186.6 and requires notice to affected Virginia residents without unreasonable delay, and to the Virginia AG if more than 1,000 residents are affected. Breaches involving PHI are covered by HIPAA's 45 CFR 164.400-414 with the Virginia statute as a parallel track for non-PHI data classes.

Is there a private right of action under Virginia CDPA?

No. Va. Code § 59.1-584 makes the Virginia Attorney General the exclusive enforcer. Civil penalties run up to $7,500 per violation, plus a 30-day right-to-cure period at § 59.1-585 before the AG can sue. The lack of a private right of action is a meaningful contrast to Illinois BIPA or Washington's My Health My Data Act, both of which let individuals sue. CDPA is materially less plaintiff-friendly than those statutes.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. Va. Code § 59.1-575 et seq.https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/
  2. Va. Code § 59.1-578https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-578/
  3. Va. Code § 59.1-576(C)https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-576/
  4. 45 CFR 164.508(a)(3)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
  5. 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
  6. 45 CFR 164.400-414https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
  7. 45 CFR 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
  8. Va. Code § 18.2-186.6https://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/
  9. 45 CFR 164.404(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
  10. Va. Code § 59.1-584https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-584/
  11. Va. Code § 59.1-585https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-585/
  12. 45 CFR Part 160, Subpart Dhttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides