
625 HIPAA Privacy Training

Connecticut Data Privacy Act (CTDPA)

Difference between HIPAA and CTDPA

The Connecticut Data Privacy Act (CTDPA) introduces privacy protections that differ from the Health Insurance Portability and Accountability Act (HIPAA) in several key areas:

  1. Scope and Applicability
    • HIPAA: Applies to "covered entities" such as healthcare providers, health plans, healthcare clearinghouses, and their business associates handling protected health information (PHI).
    • CTDPA: Applies to individuals or entities conducting business in Connecticut or targeting products or services to Connecticut residents, provided they meet certain thresholds:
      • Process personal data of at least 100,000 consumers annually (excluding data processed solely for payment transactions), or
      • Process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.
  2. Definition of Protected Data
    • HIPAA: Protects PHI, which includes individually identifiable health information related to an individual's physical or mental health condition, healthcare provision, or payment for healthcare services.
    • CTDPA: Protects "personal data," defined as any information linked or reasonably linkable to an identified or identifiable individual, excluding publicly available information. It also designates "sensitive data," encompassing data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data.
  3. Consent Requirements
    • HIPAA: Allows the use and disclosure of PHI for treatment, payment, and healthcare operations without explicit patient consent.
    • CTDPA: Requires controllers to obtain consumer consent before processing sensitive data, ensuring consumers are informed and have control over their personal data.
  4. Consumer Rights
    • HIPAA: Grants individuals rights to access, amend, and receive an accounting of certain disclosures of their PHI.
    • CTDPA: Provides consumers with rights to:
      • Access their personal data.
      • Correct inaccuracies.
      • Delete personal data provided or obtained about them.
      • Obtain a copy of their personal data in a portable format.
      • Opt out of the sale of personal data, targeted advertising, and profiling.
  5. Prohibition of Geofencing
    • HIPAA: Does not address geofencing practices.
    • CTDPA: Prohibits the use of geofencing technology within 1,750 feet of any mental, reproductive, or sexual health facility to collect data or send targeted advertisements without consumer consent, enhancing privacy protections in sensitive locations.
  6. Enforcement and Penalties
    • HIPAA: Enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services, with penalties ranging from fines to corrective action plans.
    • CTDPA: Enforced by the Connecticut Attorney General, with no private right of action for consumers. The Attorney General has the authority to issue fines and seek injunctive relief for violations.
  7. Obligations of Entities
    • HIPAA: Requires covered entities to implement safeguards to protect PHI's privacy and security, including administrative, physical, and technical measures.
    • CTDPA: Mandates that data controllers:
      • Limit data collection to what is adequate, relevant, and reasonably necessary.
      • Establish data security practices to protect personal data confidentiality, integrity, and accessibility.
      • Provide clear privacy notices detailing data processing activities.
      • Conduct data protection assessments for processing activities that present a heightened risk of harm to consumers.
  8. Entity Exemptions
    • HIPAA: Applies to specific "covered entities" such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.
    • CTDPA: Exempts certain entities and data types, including:
      • Protected health information under HIPAA.
      • Entities subject to the Gramm-Leach-Bliley Act.
      • Nonprofits and institutions of higher education.

While HIPAA focuses on protecting health information within the healthcare sector, the CTDPA provides broader consumer data protections, encompassing various types of personal and sensitive data across multiple industries, thereby granting Connecticut residents enhanced control over their personal information.

Knowledge Check Choose the best answer for the question.

3-10-Connecticut. Which of the following best describes a key difference in scope between HIPAA and CTDPA?