CTDPA vs HIPAA: When the Covered Entity Exemption Applies, and When Not
CTDPA Applicability Criteria
The Connecticut Data Privacy Act (CTDPA) applies to “controllers” that do business in Connecticut or target Connecticut residents and meet specific data processing thresholds. Through June 30, 2026, the law generally applies if you controlled or processed personal data of at least 100,000 consumers in the prior year (excluding data processed solely to complete payment transactions) or at least 25,000 consumers and derived over 25% of gross revenue from selling personal data. These are the core data processing thresholds that determine baseline Consumer Data Privacy duties under CTDPA. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
CTDPA also imposes distinct Data Controller Obligations, including data minimization, opt-in consent for sensitive data, timely responses to consumer requests, and conducting data protection assessments for high-risk processing. As of January 1, 2025, covered businesses must honor universal opt-out preference signals from Connecticut residents, which automate opt-outs of targeted advertising and data sales. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
Importantly, controllers of Consumer Health Data face additional duties and CTDPA applies to such controllers regardless of organization size or general thresholds, a key difference from the baseline scope. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
CTDPA Exemptions Explained
CTDPA contains both entity-level and data-level exemptions. Entity-level exemptions currently include state and local governments, nonprofits, higher education institutions, GLBA-regulated financial institutions, national securities associations, and—crucially—HIPAA covered entities and business associates. Data-level exemptions include Protected Health Information (PHI) under HIPAA and various federally regulated data categories (for example, FCRA and FERPA data). ([law.justia.com](https://law.justia.com/codes/connecticut/title-42/chapter-743jj/section-42-517/?utm_source=openai))
There are notable carve-backs. For example, the nonprofit exemption does not apply to Consumer Health Data controllers, so nonprofits handling such data must comply with the relevant health data provisions. By contrast, the HIPAA entity-level exemption is broad: if you are a HIPAA covered entity or business associate, CTDPA generally does not apply to you. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
HIPAA Covered Entities Overview
Under HIPAA, “covered entities” are health plans, health care clearinghouses, and health care providers that transmit health information electronically in standard transactions. “Business associates” are vendors or partners that create, receive, maintain, or transmit PHI on behalf of covered entities for regulated functions (for example, claims processing, billing, data analysis). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))
PHI is individually identifiable health information held by covered entities or their business associates. When you handle PHI, HIPAA’s Privacy, Security, and Breach Notification Rules control; Business Associate Agreements specify permitted uses and safeguards for PHI when a business associate is involved. ([hhs.gov](https://www.hhs.gov/answers/hipaa/what-is-phi/index.html?utm_source=openai))
Covered Entity Exemption Details
When the exemption applies
CTDPA expressly exempts any “covered entity or business associate” as defined by HIPAA. If your organization qualifies as either, the CTDPA’s consumer rights and controller obligations generally do not apply to your processing activities. This is an entity-level exemption, not limited to PHI, and it coexists with the separate data-level exemption for PHI itself. ([law.justia.com](https://law.justia.com/codes/connecticut/title-42/chapter-743jj/section-42-517/?utm_source=openai))
When the exemption does not apply
- If you are not a HIPAA covered entity or business associate, you cannot claim the exemption and must meet CTDPA obligations once the data processing thresholds or other triggers are met. This is common for wellness apps, consumer wearables, or health websites that fall outside HIPAA. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
- Corporate affiliates that are not themselves covered entities or business associates do not inherit another affiliate’s exemption; their compliance posture as non-HIPAA entities is evaluated independently under CTDPA. ([law.justia.com](https://law.justia.com/codes/connecticut/title-42/chapter-743jj/section-42-517/?utm_source=openai))
- Signing a Business Associate Agreement alone is not enough; to be a “business associate” you must perform HIPAA-regulated functions involving PHI on behalf of a covered entity, consistent with 45 C.F.R. 160.103’s definition. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))
CTDPA Amendments Impact
Connecticut enacted significant amendments in 2025 (SB 1295; Public Act 25-113), with major scope changes effective July 1, 2026. The amendments lower the general applicability threshold to 35,000 consumers and add new triggers—such as processing sensitive data or offering personal data for sale—bringing more organizations into scope even without hitting traditional thresholds. Impact assessment requirements associated with certain processing begin August 1, 2026. ([open.pluralpolicy.com](https://open.pluralpolicy.com/ct/bills/2025/SB1295/?utm_source=openai))
These changes expand CTDPA’s reach and reflect the Attorney General’s recommendations to scale back exemptions and strengthen protections, especially for minors and sensitive data. As of November 26, 2025, analyses indicate the HIPAA covered entity/business associate exemption remains in place, while exemptions for other sectors (for example, GLBA) are being narrowed or refocused. Organizations should reassess whether they fall in scope under the new tests well ahead of the 2026 effective date. ([portal.ct.gov](https://portal.ct.gov/ag/press-releases/2025-press-releases/attorney-general-tong-releases-updated-report-on-connecticut-data-privacy-act?utm_source=openai))
Consumer Health Data Regulations
Connecticut strengthened consumer health data protections by deeming Consumer Health Data a form of “sensitive data” and by creating specific duties for Consumer Health Data controllers. Unlike the baseline CTDPA scope, these health-data duties apply regardless of organizational size or volume of data processed, and nonprofits are not exempt from these provisions. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
Key rules include: obtaining consent before selling Consumer Health Data, imposing confidentiality obligations on personnel and processors, requiring contracts with processors that handle such data, and prohibiting geofencing around mental, reproductive, or sexual health facilities to collect or target health data. These rules are designed to capture health data outside HIPAA’s PHI (for example, app- or device-collected wellness information). ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
Enforcement and Compliance Measures
The Connecticut Attorney General has exclusive enforcement authority under CTDPA, with penalties up to $5,000 per violation under CUTPA, plus injunctive relief, restitution, and disgorgement. The law’s 60-day “right to cure” expired on December 31, 2024; since January 1, 2025, the Office issues Notices of Violation at its discretion, and it has conducted public enforcement sweeps focused on privacy notices and rights mechanisms. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
Practical next steps depend on your status. HIPAA covered entities and business associates should validate that their operations truly fall within the covered entity exemption and ensure Business Associate Agreements appropriately scope PHI processing. Non-HIPAA entities should map their data, confirm whether they cross the data processing thresholds or the new sensitive-data triggers (effective July 1, 2026), enable universal opt-out signal handling, and prepare data protection assessments for high-risk processing. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))
Conclusion
In short, CTDPA vs HIPAA turns on status and data type. HIPAA covered entities and business associates benefit from an entity-level exemption under CTDPA, while non-HIPAA organizations processing personal or health data must meet CTDPA’s growing obligations. With 2026 amendments lowering thresholds and adding new triggers, now is the time to re-check scope, shore up consumer rights workflows, and align health data practices with Connecticut’s enhanced standards. ([law.justia.com](https://law.justia.com/codes/connecticut/title-42/chapter-743jj/section-42-517/?utm_source=openai))
FAQs
When does the CTDPA covered entity exemption apply?
The exemption applies when your organization qualifies as a HIPAA “covered entity” or “business associate” under 45 C.F.R. 160.103. In that case, CTDPA generally does not apply to your processing activities, and PHI is also separately exempt at the data level. ([law.justia.com](https://law.justia.com/codes/connecticut/title-42/chapter-743jj/section-42-517/?utm_source=openai))
What types of entities are exempt under CTDPA due to HIPAA?
Health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions (covered entities), as well as vendors performing covered functions involving PHI for them (business associates), are exempt at the entity level under CTDPA. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))
How do recent CTDPA amendments affect HIPAA-covered entities?
The 2025 amendments expand CTDPA’s scope starting July 1, 2026, but they do not eliminate the HIPAA entity-level exemption as of November 26, 2025. Covered entities and business associates should still monitor rule changes and AG guidance, particularly around sensitive data and minors’ protections, in case future adjustments narrow exemptions. ([natlawreview.com](https://natlawreview.com/article/connecticut-provisions-state-adds-new-provisions-its-privacy-law?utm_source=openai))
What consumer health data falls outside HIPAA but within CTDPA scope?
Examples include wellness and fitness app data, browsing or location data tied to visits to health facilities, and retail purchase histories suggesting health conditions—when handled by Non-HIPAA entities. Connecticut treats Consumer Health Data as sensitive and imposes duties on controllers of such data regardless of business size, with added restrictions like geofencing prohibitions. ([portal.ct.gov](https://portal.ct.gov/ag/sections/privacy/the-connecticut-data-privacy-act.))