Utah Consumer Privacy Act vs HIPAA: Covered Entity Exemptions, Gray Areas, Checklist
Overview of Utah Consumer Privacy Act
Scope and thresholds
The Utah Consumer Privacy Act (UCPA) applies to organizations that conduct business in Utah or target Utah residents and meet both a revenue threshold and a data-volume threshold. In practice, you are in scope if you have annual revenue of at least $25 million and either process personal data of 100,000+ Utah consumers in a year, or process 25,000+ and derive over 50% of revenue from the sale of personal data.
Core terminology
- Controller: the party deciding why and how personal data is processed.
- Processor: the party that processes personal data on behalf of a controller under instructions.
- Personal data: information linked or reasonably linkable to an identified individual, excluding de-identified and publicly available data.
- Sale: exchange of personal data for monetary consideration (narrower than regimes that include “valuable consideration”).
Key obligations at a glance
- Publish a clear privacy notice describing categories of data processed, purposes, sharing, and how to exercise Consumer Data Rights.
- Offer opt-outs for targeted advertising and the sale of personal data, and honor choices consistently.
- Maintain reasonable administrative, technical, and physical security safeguards.
- Ensure processor contracts contain required instructions and confidentiality commitments.
Sensitive data treatment
UCPA treats sensitive data (for example, precise geolocation, certain health information, race/ethnicity, religious beliefs, sexual orientation, citizenship/immigration status, and biometric/genetic data) with elevated protections. You must provide clear notice and an opportunity to opt out before processing sensitive data, and obtain verifiable parental consent for data about known children under 13.
HIPAA Covered Entity Definitions
Who is a HIPAA Covered Entity
- Health care providers that transmit health information electronically in standard transactions (e.g., claims, eligibility checks).
- Health plans (insurers, HMOs, employer group health plans, government programs).
- Health care clearinghouses that standardize health information.
Business Associate Regulations
A business associate is a vendor or service provider that performs functions involving protected health information (PHI) for or on behalf of a HIPAA Covered Entity. Business associates operate under Business Associate Agreements (BAAs) that dictate permitted uses, safeguards, breach notification, and downstream subcontractor controls.
What counts as PHI
PHI is individually identifiable health information created, received, maintained, or transmitted by a HIPAA Covered Entity or business associate in connection with treatment, payment, or health care operations. De-identified data under HIPAA safe harbor or expert determination falls outside PHI but still requires safeguards against reidentification.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Covered Entity Exemptions Under UCPA
UCPA Data Exemptions tied to HIPAA
- Protected health information (PHI) handled in compliance with HIPAA is exempt from UCPA.
- Processing by a HIPAA Covered Entity or business associate is exempt when the organization is acting in that HIPAA-regulated capacity.
- Medical records and other data maintained in compliance with HIPAA privacy, security, and breach rules fall outside UCPA’s obligations.
Practical implications
- If you are a HIPAA Covered Entity, your PHI processing is governed by HIPAA, not UCPA. However, personal data processed outside your HIPAA role (e.g., website analytics for a general wellness blog or retail gift shop sales) may be within UCPA if thresholds are met.
- Business associates are likewise exempt when performing HIPAA-covered services for a covered entity under a BAA. If that same vendor offers a direct-to-consumer app unrelated to a covered entity, UCPA may apply to that separate product.
- Federal privacy law preemption principles mean HIPAA generally controls where the two regimes conflict. UCPA avoids such conflicts by explicitly carving out HIPAA-regulated entities and data for those covered activities.
Gray Areas in UCPA and HIPAA Intersection
- Non-PHI marketing data: A hospital’s community newsletter list or event RSVPs might not be PHI. If not processed in a HIPAA capacity, treat this data as potentially in scope for UCPA obligations.
- Pixel and tracker deployments: Analytics or advertising tags on appointment pages can inadvertently touch PHI-adjacent signals. Segment pages, limit identifiers, and ensure any tracking for covered functions runs under HIPAA rules; otherwise evaluate UCPA controls.
- Research and de-identification: Data de-identified to HIPAA standards may still be “personal data” if reasonably linkable under UCPA. Maintain robust de-identification documentation and contractual prohibitions on reidentification.
- Employer-sponsored benefits: Plan data is PHI, but HR systems, wellness programs, or perks outside a group health plan may fall under separate regimes. Classify each flow by purpose and governing law.
- Foundation and donation activities: Hospital foundations may solicit donors using information not regulated as PHI. If you meet UCPA thresholds, apply UCPA notice and opt-outs for sale/targeted advertising.
- Multi-role vendors: A business associate that also markets a consumer health app must apply the correct rule set per product line—BAA-backed services under HIPAA; direct-to-consumer offerings potentially under UCPA.
Consumer Rights Under UCPA
Rights you must enable
- Confirm and access: Consumers can request confirmation that you process their personal data and access it.
- Delete (consumer-provided data): Consumers may request deletion of personal data they provided to you.
- Data portability: Provide a portable copy of consumer-provided personal data where feasible.
- Opt out: Allow opt-outs from the sale of personal data and targeted advertising.
Important nuances
- No general right to correct: UCPA does not include a broad correction right found in some other states.
- Response timelines: Acknowledge and fulfill requests within standard statutory timeframes, with a limited extension available when reasonably necessary.
- Verification and rate-limiting: Authenticate requestors and apply reasonable limits; you may charge a fee for manifestly unfounded, excessive, or repetitive requests.
- Sensitive data signals: Provide clear notices and an opt-out for sensitive data (and obtain parental consent for known children under 13).
Enforcement and Compliance Checklist
Utah Attorney General Enforcement
- Exclusive public enforcement—no private right of action.
- Mandatory cure period (typically 30 days) before enforcement.
- Civil penalties up to $7,500 per violation, plus injunctive relief.
- Consumer complaints may be funneled through Utah’s consumer protection authorities for investigation and referral.
Actionable compliance checklist
- Determine applicability: Confirm revenue and data-volume thresholds and whether you act as controller, processor, HIPAA Covered Entity, or business associate.
- Map data flows: Separate PHI from non-PHI; catalog purposes, legal bases, recipients, retention, and systems.
- Segment systems by regime: Isolate HIPAA workloads (PHI, BAAs) from UCPA-regulated consumer data to prevent cross-contamination.
- Update privacy notice: Disclose categories, purposes, sharing/sale, targeted advertising, Consumer Data Rights, and contact methods.
- Stand up rights operations: Build intake, verification, fulfillment, logging, and recordkeeping for access, deletion (consumer-provided), portability, and opt-outs.
- Sensitive data governance: Provide notices and opt-outs; obtain parental consent for known children under 13; minimize collection by default.
- Advertising and sale review: Classify trackers and ad-tech. If you exchange data for monetary consideration, treat it as a “sale” and honor opt-outs.
- Processor management: Implement data processing agreements that specify instructions, security, subcontractor controls, and deletion/return at contract end.
- Security program: Maintain risk-based safeguards, access controls, encryption, retention limits, and breach playbooks aligned with both HIPAA and UCPA expectations.
- Training and playbooks: Train staff on HIPAA vs UCPA scoping, sensitive data, and request handling; document a 30-day cure plan for issues.
- Assessments and audits: While not expressly required, perform periodic risk and privacy impact assessments to demonstrate accountability.
- Preemption and conflicts: When both regimes could touch a dataset, apply the stricter standard or segregate processing to avoid conflict.
Data Processing and Employment Context Exceptions
Employment and B2B exclusions
UCPA defines “consumer” to exclude individuals acting in an employment or commercial (B2B) context. Employee records, job applicants, independent contractors, and business-contact data are generally outside UCPA’s scope, though other laws may apply.
Operational Data Processing Exemptions
- Compliance with law and legal process, public health and safety functions, and internal security and integrity protections.
- Debugging, repair, and service provision activities that are reasonably necessary to deliver requested products or services.
- De-identified and publicly available data, provided you commit not to reidentify and maintain appropriate safeguards.
Conclusion
Think in layers: HIPAA governs PHI handled by a HIPAA Covered Entity or business associate, while UCPA governs non-PHI consumer data when thresholds are met. Classify each data flow, segment systems, and implement UCPA opt-outs and Consumer Data Rights where HIPAA does not apply. Clear scoping, tight vendor management, and a documented cure plan will minimize risk under both regimes.
FAQs
What entities are exempt from the Utah Consumer Privacy Act under HIPAA?
HIPAA Covered Entities and their business associates are exempt under UCPA when acting in their HIPAA-regulated roles, and PHI processed in compliance with HIPAA is exempt. If those same organizations handle non-PHI outside a HIPAA capacity (e.g., general marketing or consumer apps), UCPA may apply if thresholds are met.
How does the UCPA define covered entities in relation to HIPAA?
UCPA does not redefine “covered entity.” It references the HIPAA Covered Entity and business associate constructs and ties its UCPA Data Exemptions to processing performed in those HIPAA capacities. Separately, UCPA uses its own “controller” and “processor” terminology for entities it regulates.
What are the main gray areas between UCPA and HIPAA exemptions?
Common gray areas include marketing and fundraising lists, website trackers on health-related pages, wellness programs outside group health plans, de-identified data that may still be reasonably linkable, and vendors that serve both HIPAA workloads and direct-to-consumer products. Each requires purpose-based scoping and documentation.
What enforcement mechanisms apply to UCPA covered entities?
UCPA is enforced by the Utah Attorney General. There is typically a 30-day opportunity to cure alleged violations, penalties can reach up to $7,500 per violation, and there is no private right of action. Consumer protection agencies may investigate complaints and refer matters to the Utah Attorney General for enforcement.