Connecticut CTDPA and HIPAA: What Connecticut Clinics Must Know
Connecticut's Data Privacy Act (CTDPA) exempts HIPAA-covered entities for PHI but may apply to health data Connecticut clinics collect outside covered transactions. Unlike most state privacy laws, the CTDPA includes a private right of action effective January 2025.
Short answer
Connecticut's Data Privacy Act (CTDPA, Public Act 22-15, effective July 2023) exempts HIPAA-covered entities for PHI but applies to health data Connecticut clinics collect outside covered transactions. Distinctively among state privacy laws, the CTDPA creates a private right of action for consumers effective January 2025, alongside AG enforcement — and Connecticut's HIV testing confidentiality statute (CGS § 19a-583) restricts HIV record disclosures more tightly than HIPAA.
Connecticut’s Data Privacy Act (CTDPA, Public Act 22-15, effective July 1, 2023) layers compliance obligations directly on top of HIPAA for Connecticut medical clinics. Its private right of action — effective January 1, 2025 — raises the stakes beyond what most state privacy laws impose. For Connecticut practice administrators, the CTDPA’s scope, its health-data consent requirements, and its interaction with Connecticut’s HIV confidentiality statute each require specific action items your HIPAA program does not cover.
CTDPA Scope and Thresholds
The CTDPA applies to controllers and processors of personal data who conduct business in Connecticut or produce products or services targeted to Connecticut residents and who, during a calendar year, either:
- Control or process the personal data of not fewer than 100,000 Connecticut consumers, or
- Control or process the personal data of not fewer than 25,000 Connecticut consumers and derive more than 25 percent of gross revenue from selling personal data
Connecticut’s data-sale threshold uses a 25 percent gross revenue standard — lower than Virginia’s 50 percent threshold. A small Connecticut clinic that does not sell data and serves fewer than 100,000 consumers annually may fall below the CTDPA’s reach, but confirm this with an annual data volume count.
The HIPAA Exemption
Section 3(d) of Public Act 22-15 exempts from the CTDPA protected health information as defined under HIPAA, and information held in the same manner as PHI, to the extent the entity is subject to HIPAA. As with other state privacy laws, this exemption tracks the data, not the entity. A HIPAA-covered Connecticut clinic is not exempt from the CTDPA for all data it processes — only for data it processes in its capacity as a HIPAA-covered entity.
Health information the clinic collects through a non-HIPAA channel — a website contact form, a non-covered patient portal, a wellness program administered without a BAA — may not qualify for the HIPAA exemption. The practical test is whether, at the point of collection, the data was being gathered as part of a covered transaction and would be governed by the HIPAA Privacy Rule.
Private Right of Action: Connecticut’s Distinctive Provision
Most state consumer data privacy laws — including those of Virginia, Colorado, and Texas — limit enforcement to the state AG. Connecticut’s CTDPA departs from this pattern. Section 5(a) of Public Act 22-15, which took effect January 1, 2025, creates a private right of action for consumers whose rights under the CTDPA are violated.
Consumers bringing CTDPA private claims may seek:
- Actual damages
- Attorney’s fees
- Court costs
The private right of action covers violations of the consumer rights provisions of the CTDPA — the rights of access, correction, deletion, portability, and opt-out. It does not replace AG enforcement; both mechanisms operate in parallel.
If your clinic handles any CTDPA-covered health data, this provision matters. A consumer whose deletion request was improperly denied, or whose sensitive health data was processed without consent, has a direct litigation path without going through the AG’s office. That is materially higher compliance risk than the AG-only enforcement model in most other states, and it means your clinic cannot treat the CTDPA as a low-priority item even with a solid HIPAA program in place.
Sensitive Data and Consent Requirements
Under Section 1 of Public Act 22-15, sensitive data includes:
- Personal data revealing a consumer’s mental or physical health diagnosis or condition
- Personal data revealing a consumer’s mental or physical health treatment
- Genetic data
- Biometric data processed for the purpose of uniquely identifying a consumer
- Personal data of a known child
Controllers must not process sensitive data without first obtaining the consumer’s consent — a clear affirmative act indicating agreement to the specific processing. This consent requirement applies to CTDPA-covered data processing involving health categories. If your clinic collects health condition or diagnosis information through a non-HIPAA channel, you must implement an affirmative consent mechanism before collecting that data.
Consumer Rights Under the CTDPA
Connecticut consumers have the following rights under Public Act 22-15:
- Access: Confirm whether personal data is being processed and receive a copy
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of personal data, including data the controller inferred from other data
- Portability: Receive a copy of personal data in a portable format
- Opt-out: Opt out of targeted advertising, sale of personal data, and profiling in decisions with legal or significant effects
Controllers must respond to authenticated consumer requests within 45 days, with one 45-day extension available. Declined requests must allow an appeal, with the controller responding to appeals within 60 days.
Connecticut HIV Testing Confidentiality: CGS § 19a-583
Connecticut’s HIV testing confidentiality statute, at CGS § 19a-583, creates strict limitations on disclosure of HIV test results and HIV-related information. These limitations operate independently of HIPAA and are more restrictive than HIPAA’s general TPO exception for treatment disclosures.
Permitted disclosures
Under CGS § 19a-583(b), disclosure of HIV test results without written informed consent is permitted only in specifically enumerated circumstances, including:
- To the attending physician of the patient, or to the physician’s designee, when the physician has a treatment relationship with the patient and a need to know for treatment purposes
- To a healthcare provider or facility providing care to the patient in an emergency
- To the state Department of Public Health for epidemiological monitoring purposes
- As compelled by specific court order
This is a narrow set of exceptions. A Connecticut clinic that shares a patient’s HIV-positive status with a consulting specialist without specific written consent — even if the purpose is treatment coordination — may violate CGS § 19a-583 unless the consulting specialist has an established treatment relationship and a documented need to know. HIPAA’s TPO exception is broader and would generally permit this disclosure; Connecticut law would not.
Practical implications
Connecticut clinics should implement a specific access-control and disclosure-review procedure for HIV-related records. Staff involved in record release, care coordination, and referral management should be trained that Connecticut HIV confidentiality requirements apply whenever HIV status is part of the disclosed information, and that standard HIPAA TPO authorization does not automatically satisfy CGS § 19a-583.
Connecticut Breach Notification: CGS § 36a-701b
Connecticut’s breach notification statute at CGS § 36a-701b requires notification to affected Connecticut residents in the most expedient time possible and without unreasonable delay following discovery of a breach. Connecticut does not specify a maximum number of days in the statute itself, though state enforcement guidance emphasizes promptness.
When a breach affects 500 or more Connecticut residents, the controller must simultaneously notify the Connecticut AG. Connecticut also requires notification to consumer reporting agencies for breaches affecting 1,000 or more residents.
For HIPAA-covered breaches involving Connecticut residents, the HIPAA 60-day ceiling applies to HIPAA notification obligations, while Connecticut’s “expedient time” standard applies to the state notification. In practice, Connecticut’s standard strongly encourages notification as quickly as reasonably possible — well before the HIPAA 60-day ceiling.
Psychiatric and Mental Health Records
Beyond the CGS § 52-146d communications privilege for psychiatric professionals, Connecticut’s mental health system is governed in part by CGS § 17a-688 (substance abuse confidentiality), which tracks federal 42 CFR Part 2 requirements for substance use disorder treatment records. Connecticut clinics providing substance use disorder treatment must comply with both 42 CFR Part 2’s disclosure restrictions — which are significantly stricter than HIPAA’s — and the CTDPA for any data outside HIPAA’s scope.
Action Items for Connecticut Clinics
- Confirm CTDPA threshold applicability. Calculate your annual consumer data volume including patients, employees, and website users. If you approach or exceed 100,000 Connecticut consumers, the CTDPA applies.
- Audit non-HIPAA health data. Identify all health data collected outside covered transactions and assess whether it involves CTDPA-sensitive categories.
- Implement consent for sensitive health data. For any CTDPA-covered collection of health diagnosis, condition, or treatment data, implement pre-collection affirmative consent.
- Build consumer request infrastructure. Create a process for receiving, authenticating, and responding to CTDPA consumer rights requests within the 45-day window — distinguishing these from HIPAA access requests.
- Update HIV disclosure protocols. Train staff on CGS § 19a-583 requirements; build a specific review step into the record release process for any record that may include HIV-related information.
- Review breach response for Connecticut timing. Incorporate the Connecticut AG notification trigger into your breach response plan. See HIPAA breach notification templates for a starting framework to adapt.
For guidance on the underlying HIPAA framework, see HIPAA administrative safeguards and HIPAA audit log requirements for small clinics.
PHIGuard helps Connecticut clinics maintain the documentation, vendor tracking, and breach response timelines that HIPAA and CTDPA compliance require. With a private right of action now in effect in Connecticut, documentation of compliant data practices is no longer optional. See PHIGuard’s compliance tools or compare plan pricing.
Sources
- Connecticut Data Privacy Act — Public Act 22-15 · Connecticut General Assembly
- Connecticut HIV Testing Confidentiality — CGS § 19a-583 · Connecticut General Assembly
- Connecticut Breach Notification — CGS § 36a-701b · Connecticut General Assembly
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR