Utah Consumer Privacy Act HIPAA Covered Entity Exemption: Requirements Explained

Kevin Henry

HIPAA

January 26, 2025

Covered Entities Under HIPAA

Who qualifies

HIPAA covered entities include: (1) health plans (for example, insurers, HMOs, employer health plans, government health programs), (2) health care clearinghouses, and (3) health care providers that conduct standard electronic transactions. If you fit one of these categories, you are a HIPAA Covered Entity.

What the UCPA exemption covers

The Utah Consumer Privacy Act (UCPA) recognizes a consumer data privacy exemption for HIPAA-regulated data. When you process Protected Health Information as a covered entity, that data is generally exempt from UCPA obligations. Non‑HIPAA personal data you hold (such as marketing or website analytics data) may still be in scope if you meet UCPA applicability thresholds.

Practical implications

  • Segment data systems so PHI remains separate from other personal data.
  • Apply HIPAA safeguards and record-keeping to PHI; apply UCPA requirements only to non‑exempt data.
  • Confirm whether subsidiaries or affiliates fall outside the HIPAA Covered Entity boundary.

Definition of Protected Health Information

Core elements

Protected Health Information (PHI) is individually identifiable health information created, received, maintained, or transmitted by a HIPAA Covered Entity or its Business Associate. It relates to an individual’s past, present, or future health status, health care, or payment for health care, and includes common identifiers such as names, addresses, and medical record numbers.

Important exclusions

UCPA treatment of PHI

Because PHI is carved out, you do not treat it as “personal data” for Utah Consumer Privacy Act compliance. Consumer rights requests, notices, and opt‑out mechanisms under the UCPA apply only to non‑exempt data you process.

Scope of Business Associates

Who is a Business Associate

A Business Associate is any vendor or partner that creates, receives, maintains, or transmits PHI on behalf of a HIPAA Covered Entity. Typical examples include cloud hosting, billing, EHR vendors, and analytics providers handling PHI.

Business Associate Agreement and UCPA impact

When PHI processing is governed by a Business Associate Agreement (BAA) and handled in accordance with HIPAA, that PHI is generally exempt from the UCPA. However, if a Business Associate processes non‑PHI personal data outside the BAA (for example, product marketing lists), UCPA obligations may attach to that non‑exempt data.

Action steps

  • Inventory processing under each BAA and confirm boundaries between PHI and non‑PHI.
  • Flow down privacy and security requirements for PHI via the BAA; use separate data processing terms for UCPA‑covered data.
  • Define a process to route Utah consumer rights requests only to datasets not covered by HIPAA.

Exemptions for Financial Institutions

GLBA interplay

The UCPA provides an exemption for financial institutions and for personal data processed pursuant to the Gramm‑Leach‑Bliley Act (GLBA). If you are subject to GLBA, the GLBA‑regulated data is outside UCPA scope; apply GLBA’s privacy and safeguard rules to that information.

Mixed‑regime environments

Some organizations handle multiple regulated datasets (for example, patient payment information under HIPAA and certain financial products under GLBA). Classify each dataset by governing law, then apply the appropriate obligations so you do not over‑ or under‑apply UCPA controls.

Government and Nonprofit Exemptions

Government entities

State agencies and political subdivisions are generally exempt from the UCPA. Where a public health department or other government unit holds health data, HIPAA and public records laws govern, not the UCPA.

Nonprofit organizations

Nonprofits are exempt under the UCPA. Many hospitals operate as nonprofit entities; for them, the nonprofit exemption often removes UCPA obligations at the entity level, while HIPAA continues to apply to PHI. Confirm whether any for‑profit affiliates or joint ventures fall outside this exemption.

Higher Education Institution Exclusions

Institution‑level carve‑out

Institutions of higher education are excluded from the UCPA. Student education records remain governed by FERPA, and health services provided by campus clinics typically fall under HIPAA when they function as covered components.

Hybrid entities and clinics

Universities may designate HIPAA health care components as “hybrid entities.” In practice, the UCPA exclusion applies at the institution level, FERPA applies to education records, and HIPAA applies to PHI within health care components. Maintain clear scoping so each dataset follows the correct rule set.

Regulatory Overlaps and Compliance

Build a data map first

Start with an inventory that tags each system and dataset as PHI (HIPAA), GLBA, FERPA, de‑identified, or general personal data. This lets you apply the HIPAA Covered Entity exemption precisely and direct Utah Consumer Privacy Act compliance efforts only where required.

Apply the right obligations to the right data

  • PHI: follow HIPAA and your Business Associate Agreements; UCPA generally does not apply.
  • GLBA data: follow GLBA; exclude from UCPA scope.
  • FERPA records: follow FERPA; exclude from UCPA scope.
  • Other personal data (marketing, web logs, consumer accounts): assess UCPA applicability and implement notices, consumer rights handling, and opt‑outs as needed.

Governance practices that help

  • Maintain documented scoping decisions for each exemption (Consumer Data Privacy Exemption rationale, data flows, and controls).
  • Use vendor due diligence to confirm whether partners act as Business Associates, GLBA service providers, or UCPA processors, and contract accordingly.
  • Train teams so PHI never commingles with general personal data used for advertising or profiling.

Conclusion

The UCPA largely steps back where HIPAA, GLBA, and FERPA already regulate data. For Utah Consumer Privacy Act compliance, identify exempt datasets, wall them off with the right controls, and focus UCPA obligations on residual non‑exempt personal data. Clear scoping and contracting turn overlapping laws into a manageable, defensible program.

FAQs

What entities qualify as HIPAA covered entities under the UCPA exemption?

Health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions are HIPAA Covered Entities. When these entities process PHI in accordance with HIPAA, that data generally falls under the UCPA’s consumer data privacy exemption.

How is Protected Health Information treated under the UCPA?

PHI is typically excluded from the UCPA. You handle PHI under HIPAA’s rules, while applying UCPA requirements only to non‑exempt personal data, such as marketing or website analytics information.

Do business associates have UCPA obligations?

For PHI processed under a Business Associate Agreement, HIPAA governs and the UCPA generally does not apply to that PHI. If a business associate processes non‑PHI personal data outside the BAA (for example, lead generation), the UCPA may apply to that non‑exempt data.

Are financial institutions exempt from the UCPA?

Yes. Financial institutions subject to the Gramm‑Leach‑Bliley Act, and personal data processed pursuant to GLBA, are exempt from the UCPA. Apply GLBA obligations to that data and reserve UCPA controls for non‑GLBA datasets.

How does the UCPA exemption affect institutions of higher education?

Institutions of higher education are excluded from the UCPA. Their student records remain under FERPA, and health clinic PHI remains under HIPAA, so UCPA obligations typically do not apply to those datasets.
