Does UCPA Exempt HIPAA Covered Entities? Scope, Limitations, and Examples


Kevin Henry

Data Privacy

January 26, 2025

8 minutes read

Overview of Utah Consumer Privacy Act

The Utah Consumer Privacy Act (UCPA) sets baseline rules for how organizations collect, use, and share personal data of Utah residents. It applies to entities that do business in Utah, have annual revenue of at least $25 million, and meet data-volume thresholds. Consumers receive rights to access, delete, and obtain a copy of their data, and to opt out of targeted advertising and the sale of personal data.

UCPA contains several data privacy exemptions, including one relevant to healthcare. Specifically, certain processing connected to the HIPAA Privacy Rule may be excluded from UCPA obligations. Understanding how this carveout works—and where it does not—helps you plan practical, durable regulatory compliance across systems that handle both health and non-health data.

Definition of HIPAA Covered Entities

HIPAA covered entities are defined by HIPAA, not by UCPA. They include three categories: health plans, healthcare clearinghouses, and certain health care providers who transmit health information electronically in standard transactions. HIPAA Business Associates are separate organizations that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of a covered entity.

In practice, many complex organizations wear multiple hats. A hospital may be a covered entity for clinical operations, a controller for non-PHI marketing analytics, and a donor program operator handling nonclinical personal data. Knowing which hat you are wearing for each dataset is essential to applying the right rules.

UCPA Exemptions for HIPAA Entities

Yes—UCPA exempts certain processing by HIPAA covered entities and HIPAA Business Associates. The exemption is not a blanket, organization-wide shield; it is tied to processing that is regulated by HIPAA. Put simply, if you maintain, use, or disclose personal data in the same manner as PHI under the HIPAA Privacy Rule, that activity is generally outside UCPA’s scope.

This carveout helps Health Plans and Healthcare Clearinghouses continue HIPAA-governed operations without duplicative state-law obligations for the same data. However, once processing falls outside HIPAA—for example, consumer-facing marketing that does not involve PHI—the UCPA may apply if your organization meets the revenue and volume thresholds.

Scope of PHI Exemption

What counts as PHI under HIPAA

Protected Health Information is individually identifiable health information held or transmitted by a covered entity or business associate that relates to a person’s health status, care, or payment for care. PHI can include demographics (for example, name or address) when linked to health-related details. De-identified data meeting HIPAA standards is not PHI.

What PHI is not

  • Education records covered by FERPA and employment records held by a covered entity in its role as employer are not PHI.
  • Health-related information collected by a consumer app that is not acting for a covered entity (for example, a fitness app you download directly) is typically not PHI; it may be ordinary personal data subject to UCPA if other criteria are met.
  • De-identified or aggregated data may be outside HIPAA; under UCPA, de-identified data is also treated differently but must be managed to avoid re-identification.

Mixed datasets and adjacent data

Real-world systems blend PHI with other personal data such as website telemetry, cookie IDs, location, and device data. The PHI exemption does not automatically extend to those adjacent signals if they are not processed as PHI. Treat clinical records, claims, and EHR data as PHI; treat marketing analytics, adtech, and loyalty data as non-PHI unless they are created or used in a HIPAA-regulated context.

Limitations of UCPA Exemptions

  • Activity-based, not blanket: The exemption covers processing regulated by HIPAA. Non-PHI activities—such as lead generation, event registrations, donor outreach, or retail e-commerce—remain subject to UCPA when thresholds are met.
  • Consumer rights still apply to non-PHI: You may need mechanisms to honor access, deletion, and portability requests for personal data that is not PHI.
  • Sensitive data rules: For non-PHI “sensitive data” (for example, precise geolocation or health-related information gathered outside HIPAA), UCPA requires clear notice and an opportunity to opt out before processing.
  • Targeted advertising and sale: If you use non-PHI personal data for targeted advertising or sell personal data for monetary consideration, UCPA opt-out obligations can apply.
  • Vendor and downstream risk: Third parties may act as HIPAA Business Associates for PHI and as processors for non-PHI. Contracts and technical controls must reflect the correct role and rule set for each dataset.
  • No exemption from security expectations: Even where UCPA obligations are reduced, you should maintain reasonable security controls. HIPAA’s Security Rule can guide safeguards across systems, including those that process non-PHI.

Compliance Considerations for Business Associates

Classify data and segregate systems

Map where PHI resides versus non-PHI personal data. Use separate data stores, access controls, and logging so your HIPAA-governed environments do not inadvertently ingest adtech identifiers or marketing datasets that trigger UCPA obligations.

Align contracts to roles

Maintain HIPAA Business Associate Agreements for PHI processing and distinct data processing agreements for non-PHI under UCPA. Clearly document purpose, instructions, and data categories so teams know which obligations apply to each workflow.

Build request-handling workflows

Route incoming requests to the right track: deny PHI disclosures that would violate HIPAA, while honoring UCPA rights for non-PHI. Train support teams to recognize dataset type, identity assurance needs, and exceptions that prevent over-disclosure.

Notices and choices

Provide consumer-facing notices for non-PHI activities. Offer opt-outs for targeted advertising and sale where applicable, and add a clear sensitive-data notice and opt-out when collecting health-related information outside HIPAA.

Adtech and measurement controls

Configure tags and SDKs to avoid sending PHI to advertising platforms. Limit event streams from patient portals; prefer server-side measurement for public sites, and suppress signals on pages likely to reveal health conditions.
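The following is an added example, not code from the article or from Accountable: a small tag-gating policy for a public healthcare site that combines the controls above (suppress tags on condition and portal pages, honor the UCPA targeted-advertising opt-out, and allowlist event fields before anything reaches an ad platform). The path prefixes, the `ucpa_optout` cookie name and the field allowlist are assumptions.

```javascript
// Added example: gate marketing tags and scrub analytics events on a public
// healthcare website. Path prefixes, cookie name and allowlist are assumed.

// Pages that can reveal a health condition or belong to the patient portal.
const SUPPRESSED_PATH_PREFIXES = ["/portal/", "/conditions/", "/appointments/"]; // assumed
// Cookie written by the site's UCPA opt-out control (assumed name/value).
const OPT_OUT_COOKIE = "ucpa_optout";
// Only these fields may ever be forwarded to an advertising platform.
const EVENT_FIELD_ALLOWLIST = new Set(["event", "page_path", "campaign", "timestamp"]);

// Parse a document.cookie-style string into an object.
function parseCookies(cookieHeader) {
  return Object.fromEntries(
    cookieHeader.split(";").map((c) => c.trim()).filter(Boolean).map((c) => {
      const i = c.indexOf("=");
      return i < 0 ? [c, ""] : [c.slice(0, i), c.slice(i + 1)];
    })
  );
}

// Decide whether marketing pixels/SDKs may fire on this page view.
// Returns { allowed, reason } so the decision can be logged for audit.
function marketingTagsAllowed({ path, cookieHeader, authenticatedPortal }) {
  if (authenticatedPortal) return { allowed: false, reason: "patient portal session" };
  const p = path.toLowerCase();
  if (SUPPRESSED_PATH_PREFIXES.some((prefix) => p.startsWith(prefix))) {
    return { allowed: false, reason: "page may reveal a health condition" };
  }
  if (parseCookies(cookieHeader || "")[OPT_OUT_COOKIE] === "1") {
    return { allowed: false, reason: "UCPA targeted-advertising opt-out" };
  }
  return { allowed: true, reason: "public page, no opt-out" };
}

// Reduce an event to allowlisted fields and drop query strings from the path,
// since URL parameters are a common leak channel for identifiers and conditions.
function scrubEvent(event) {
  const kept = {};
  const dropped = [];
  for (const [k, v] of Object.entries(event)) {
    if (EVENT_FIELD_ALLOWLIST.has(k)) kept[k] = v; else dropped.push(k);
  }
  if (typeof kept.page_path === "string") kept.page_path = kept.page_path.split("?")[0];
  return { kept, dropped };
}
```

Run `marketingTagsAllowed` before loading any tag and pass every outbound event through `scrubEvent`; the `dropped` list is worth logging so that leaks from new page templates are noticed.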

Security and governance

Apply baseline safeguards—encryption, least privilege, key management, change control—to both PHI and non-PHI environments. Keep data inventories current, and document de-identification or pseudonymization techniques to support data privacy exemptions with evidence.

Case Studies and Examples

1) Health plan website with targeted ads

A health plan markets new coverage using pixels on a public website. Clinical and claims data are PHI and exempt from UCPA, but adtech signals collected on the site are non-PHI. The plan should present a UCPA-compliant opt-out for targeted ads and sales, suppress pixels on pages revealing diagnoses, and keep PHI in separate systems.

2) Hospital philanthropy program

A hospital invites community members to donate through a separate portal. Donation histories, email addresses, and event RSVPs are not PHI. If thresholds are met, UCPA applies to this dataset. Provide privacy notices, honor access/portability requests, and avoid using patient-portal identifiers for fundraising without HIPAA-compliant authorization.

3) Telehealth app that is also a business associate

A telehealth startup provides services to clinics (as a HIPAA Business Associate) and also sells a direct-to-consumer subscription. PHI processed for clinic encounters is HIPAA-regulated and exempt under UCPA. Direct-to-consumer marketing analytics and subscription CRM data are non-PHI and subject to UCPA, requiring opt-outs for targeted ads and clear sensitive-data notices.

4) Healthcare clearinghouse data transformation

A clearinghouse processes claims (PHI) for providers but also runs a separate benchmarking product using de-identified datasets. Properly de-identified data under HIPAA is not PHI; under UCPA, de-identified data can be treated as exempt if re-identification restrictions are honored and documented. If any dataset is only pseudonymous, UCPA obligations may still apply.

Conclusion

UCPA does exempt HIPAA covered entities and business associates—but only for processing that is regulated by HIPAA. Treat the exemption as activity-specific, not blanket. Classify data, segregate systems, and implement notices, opt-outs, and security for non-PHI. With disciplined governance, you can meet UCPA requirements while preserving HIPAA-centered operations.

FAQs

What entities qualify as HIPAA covered entities under UCPA?

UCPA relies on HIPAA’s definitions. Covered entities are health plans, healthcare clearinghouses, and certain health care providers that transmit health information electronically in standard transactions. HIPAA Business Associates are not covered entities, but they are recognized for purposes of the UCPA exemption when they handle PHI on behalf of a covered entity.

How does UCPA define Protected Health Information?

UCPA does not create its own definition; it defers to HIPAA. Protected Health Information is individually identifiable health information related to health, care, or payment that is created or received by a covered entity or business associate. It excludes de-identified data, certain education records, and employment records held in an employer capacity.

What limitations exist for UCPA exemptions?

The exemption covers processing that is subject to HIPAA. Non-PHI personal data—such as marketing analytics, donor records, and consumer app data collected outside HIPAA—remains under UCPA if the law’s thresholds are met. Sensitive-data notices, opt-outs for targeted ads or sales, and consumer-rights responses can still be required for that non-PHI.

How do business associates comply with UCPA and HIPAA concurrently?

Classify datasets as PHI or non-PHI, segregate systems, and align contracts (BAAs for PHI, DPAs for non-PHI). Publish clear notices for non-PHI uses, honor UCPA rights for those datasets, implement opt-outs where applicable, and tighten adtech and security controls so PHI never flows into marketing or analytics tools.
