Does the Connecticut Data Privacy Act Exempt HIPAA Covered Entities? Explained

Kevin Henry

Data Privacy

January 12, 2025

7 minutes read

Exempt Entities Under Connecticut Data Privacy Act

Yes. The Connecticut Data Privacy Act (CTDPA) expressly exempts HIPAA “covered entities” and “business associates.” If your organization fits either definition under 45 CFR 160.103, the CTDPA’s controller and processor obligations generally do not apply to you.

Other exempt organizations include state and local governments, certain financial institutions subject to the Gramm–Leach–Bliley Act, national securities associations, higher education institutions, and many nonprofit organizations. These exemptions sit alongside broad data-level carveouts described below.

Be mindful of corporate structure. The exemption attaches to the legal entity that is a covered entity or business associate. Separate affiliates that are not covered entities or business associates should independently assess whether the CTDPA applies.

Exempt Data Categories Pertaining to HIPAA

Beyond entity-level relief for covered entities and business associates, the CTDPA also excludes several health-related data categories. These carveouts matter when data may be handled by nonexempt entities, or when you evaluate downstream sharing.

Key health and research carveouts

  • Protected health information (PHI) governed by HIPAA.
  • Information used for public health activities authorized by HIPAA.
  • Patient safety work product under the Patient Safety and Quality Improvement Act.
  • Information and documents created for purposes of the Health Care Quality Improvement Act.
  • Research data subject to the Common Rule (45 CFR 46), FDA human subject protections (21 CFR Parts 50 and 56), or collected under ICH Good Clinical Practice, as applicable.
  • De-identified data derived from health information in accordance with HIPAA de-identification standards.

Other important statutory carveouts touching health-adjacent data

  • Data regulated by the Fair Credit Reporting Act (FCRA) and the Family Educational Rights and Privacy Act (FERPA), both of which are excluded from CTDPA coverage.

Practically, these exemptions mean that CTDPA obligations generally do not attach to PHI or de-identified health datasets handled as described above, even when processed by entities that would otherwise be subject to the Act.

Consumer Rights and Protections

For nonexempt controllers, the CTDPA grants Connecticut residents strong rights over their personal data. You must be ready to authenticate and fulfill requests within statutory time frames.

Core CTDPA rights

  • Access: confirm whether you process personal data and provide access.
  • Correction: fix inaccuracies in personal data.
  • Deletion: delete personal data, including data obtained from third parties.
  • Portability: provide a portable, readily usable copy of personal data.
  • Opt-out: allow consumers to opt out of the sale of personal data, targeted advertising, and certain profiling.

Processing “sensitive data” requires opt-in consent. Sensitive data includes consumer health data (personal data used to identify a consumer’s physical or mental health condition or diagnosis), genetic and biometric identifiers, and children’s data.

As of January 1, 2025, controllers covered by the CTDPA must honor universal opt-out preference signals sent by Connecticut consumers for targeted advertising and data sales.

HIPAA covered entities and business associates do not have to offer CTDPA rights because they are exempt. Instead, they must continue to meet HIPAA rights, such as access and amendment, under federal law.

Comparison of Connecticut Data Privacy Act and HIPAA

Scope and who is covered

  • CTDPA: a comprehensive state privacy law applying to controllers and processors that meet thresholds or handle consumer health data; it expressly exempts covered entities and business associates.
  • HIPAA: a federal sectoral law applying to health plans, most health care providers, health care clearinghouses, and their business associates when handling PHI.

What data is covered

  • CTDPA: “personal data” broadly, with heightened rules for sensitive data, including consumer health data.
  • HIPAA: PHI created, received, maintained, or transmitted by covered entities and business associates in connection with health care operations, payment, or treatment, plus defined “hybrid entity” constructs.

Individual rights

  • CTDPA: access, correction, deletion, portability, and opt-outs; consent required for sensitive data.
  • HIPAA: access and copies, amendment, accounting of disclosures, restrictions in certain cases, and confidential communications.

Enforcement

  • CTDPA: enforced exclusively by the Connecticut Attorney General; no private right of action.
  • HIPAA: enforced primarily by HHS Office for Civil Rights, with civil and criminal penalties; state attorneys general may also enforce under federal law.

Compliance Obligations for Covered Entities

If you are a HIPAA covered entity, the CTDPA’s obligations do not apply to your entity. Still, you should verify boundaries and reduce regulatory risk across your enterprise.

Practical steps

  • Confirm status: document why you qualify as a “covered entity” and map which legal entities in your corporate family are—and are not—covered entities or business associates.
  • Mind affiliates: a non-covered, non–business associate affiliate that targets Connecticut residents could fall under the CTDPA, even if your covered entity is exempt.
  • Validate de-identification: when sharing data, ensure HIPAA de-identification so downstream use stays within the CTDPA’s de-identified data exemption.
  • Marketing and apps: if you run consumer-facing wellness tools or retail operations through a separate entity, assess whether CTDPA applies to that entity and whether “consumer health data” is in scope.
  • Vendor governance: continue using HIPAA-compliant BAAs for PHI. Where an affiliate subject to CTDPA engages vendors, ensure CTDPA-style processor terms are in place for that affiliate.

Implications for Business Associates

Business associates are also exempt under the CTDPA. In their HIPAA capacity, they do not need to build CTDPA-specific consumer rights workflows or universal opt-out handling, nor conduct CTDPA data protection assessments.

However, watch for role changes. If work is performed through a separate company that is neither a covered entity nor a business associate, that separate legal entity should perform its own CTDPA analysis. Contractually, you may still be asked by clients to support state privacy requirements; align your commitments with your actual regulatory posture.

Enforcement and Penalties

The Connecticut Attorney General has exclusive CTDPA enforcement authority. Violations may result in civil penalties of up to $5,000 per violation under the Connecticut Unfair Trade Practices Act, along with potential injunctive relief, restitution, or disgorgement. There is no private right of action. The statutory right-to-cure period sunset on December 31, 2024.

HIPAA obligations remain fully enforceable for covered entities and business associates, including potential civil money penalties and corrective action requirements under federal oversight.

Conclusion

In short, the Connecticut Data Privacy Act exempts HIPAA covered entities and business associates, while also carving out PHI and several health-related data categories. If you operate affiliates or services outside HIPAA, confirm which legal entities and datasets are truly exempt. This scoping exercise ensures you continue meeting HIPAA requirements while avoiding unexpected CTDPA exposure elsewhere in your organization.

FAQs

What entities are exempt under the Connecticut Data Privacy Act?

The Act exempts HIPAA covered entities and business associates, as well as certain other organizations such as state and local governments, nonprofits, financial institutions subject to the Gramm–Leach–Bliley Act, national securities associations, and higher education institutions. Separate affiliates that are not covered entities or business associates must assess CTDPA applicability on their own.

How does HIPAA protect covered entities from the Act?

HIPAA covered entities are expressly exempt from the CTDPA, so the state law’s controller obligations, consumer rights processes, and consent requirements do not apply to them. Instead, they must follow HIPAA’s Privacy, Security, and Breach Notification Rules and associated individual rights under federal law.

What types of health data are exempted by the Act?

PHI under HIPAA is exempt, as are HIPAA de-identified datasets; patient safety work product; information and documents created for purposes of the Health Care Quality Improvement Act; certain research data subject to federal human subject protections; and health-related information processed for authorized public health activities. In addition, data regulated by the Fair Credit Reporting Act and the Family Educational Rights and Privacy Act is excluded from CTDPA coverage.

Are business associates included in the exemption?

Yes. Entities that qualify as HIPAA business associates are exempt under the CTDPA. If a separate affiliate that is not a business associate processes personal data about Connecticut consumers, that affiliate should independently evaluate CTDPA obligations.
