State Compliance

Connecticut CTDPA for Medical Practices: HIPAA Overlay + Penalty Math

9 min read · Last reviewed May 23, 2026

The Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), effective July 1, 2023, exempts HIPAA-covered entities at the entity level — but only to the extent the entity is processing data in compliance with HIPAA. The single biggest divergence from HIPAA: even with the covered-entity exemption, Connecticut still requires AG notification of any breach affecting Connecticut residents at the same time as individual notice, and free credit monitoring when SSN is involved.

What Connecticut CTDPA actually requires

The CTDPA, codified at Conn. Gen. Stat. § 42-515 et seq., is Connecticut's comprehensive consumer privacy statute. It applies to persons who conduct business in Connecticut or produce products or services targeted to Connecticut residents and meet the data-volume threshold: 100,000+ Connecticut consumers per calendar year, or 25,000+ consumers when 25%+ of gross revenue comes from the sale of personal data.

Core obligations under the CTDPA:

  • Consumer rights under § 42-518. Access, correction, deletion, portability, opt-out of targeted advertising, opt-out of sale, and opt-out of profiling for decisions producing legal or similarly significant effects. Controllers respond within 45 days, extendable once for 45 days.
  • Opt-in for sensitive data processing. § 42-520(a)(4) requires opt-in consent for "sensitive data," defined at § 42-515(31) to include personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, personal data from a known child, or precise geolocation data.
  • Privacy notice. § 42-520(c) — a controller must provide a reasonably accessible, clear, and meaningful privacy notice.
  • Data protection assessments. § 42-522 — controllers must conduct and document a data protection assessment before any processing that presents a heightened risk of harm, including sensitive-data processing and the sale of personal data.
  • Universal opt-out signals. Required since January 1, 2025, under § 42-518(e) — controllers must recognize universal opt-out mechanisms for opt-out of sale and targeted advertising.

The HIPAA exemption at Conn. Gen. Stat. § 42-516(a)(7) is entity-level: it excludes a covered entity or business associate as defined by HIPAA, governed by the privacy, security, and breach notification rules at 45 CFR Parts 160 and 164. The phrase "governed by" is what attaches the exemption to actual HIPAA compliance — but no published enforcement has tested how aggressively the AG would read a lapse.

The separate breach-notification statute at Conn. Gen. Stat. § 36a-701b imposes its own requirements regardless of CTDPA exemption status, and is the rule most healthcare practices interact with after an incident.

Where Connecticut is stricter than HIPAA

The single comparative table a Connecticut practice needs:

| Topic | HIPAA | Connecticut | Stricter | |---|---|---|---| | Breach notification to individual | 60 days from discovery (45 CFR § 164.404(b)) | 60 days from discovery (Conn. Gen. Stat. § 36a-701b(b)(2)) | Tie | | AG notification on breach | Not required to AG directly | Required at same time as individual notice, regardless of size (§ 36a-701b(b)(1)) | Connecticut | | Free credit monitoring | Not required | 24 months minimum if SSN involved (§ 36a-701b(b)(2)(B)) | Connecticut | | Sensitive-data consent | Authorization for non-TPO use (45 CFR § 164.508) | Opt-in for ALL sensitive data including non-PHI health data (§ 42-520(a)(4)) | Connecticut | | Universal opt-out signals | Not required | Required since 1/1/2025 (§ 42-518(e)) | Connecticut | | Data protection assessments | Optional risk analysis | Mandatory before high-risk processing (§ 42-522) | Connecticut | | Consumer access response | 30 days, +30 (45 CFR § 164.524(b)(2)) | 45 days, one 45-day extension (§ 42-518(c)) | HIPAA tighter on PHI | | Civil penalty per violation | $145–$73,011 per violation, $2,190,294 annual cap per identical violation (2026 HHS-adjusted; 45 CFR § 160.404 and 45 CFR Part 102) | $5,000 per willful violation under CUTPA + injunctive relief | HIPAA per-violation higher |

Where Connecticut practices most often trip is the credit-monitoring obligation under § 36a-701b(b)(2)(B). A HIPAA-aware practice that satisfies the OCR breach-notification rule cleanly can still be in violation of the Connecticut breach statute if it didn't offer 24 months of identity-theft prevention services for any Connecticut resident whose SSN was exposed. The cost — typically $15–$25 per resident per year — is the practical liability driver in moderate-size CT breaches.

The other consistent surprise is the AG-at-same-time rule under § 36a-701b(b)(1). HIPAA's HHS notification under 45 CFR § 164.408 is triggered by breach size and timing; Connecticut requires AG notification for every breach affecting CT residents, simultaneously with individual notice, regardless of size.

Where HIPAA is stricter than Connecticut

The three areas where federal law is the harder rule:

  • Security Rule technical safeguards. CTDPA's "reasonable security" standard at § 42-520(d) is unspecified. HIPAA's Security Rule at 45 CFR Part 164, Subpart C prescribes a structured technical, administrative, and physical safeguards program — annual risk analysis, audit logging, encryption decisions, contingency planning, sanction policy.
  • PHI access response window. HIPAA's 30-day individual access right under 45 CFR § 164.524(b)(2) is faster than CTDPA's 45-day consumer access right. The PHI clock controls for PHI.
  • Civil penalty tier ceiling. HIPAA's top per-violation amount ($73,011) and $2,190,294 annual cap per identical violation (2026 HHS-adjusted under 45 CFR Part 102) exceed CTDPA's $5,000 per-violation civil penalty by an order of magnitude. The CTDPA's enforcement leverage is the AG investigation process and equitable relief, not the per-violation dollar figure.

Breach notification timeline

A Connecticut practice that discovers a breach affecting CT residents runs four parallel notifications:

  1. Individual notice within 60 days under § 36a-701b(b)(2) — "without unreasonable delay, but not later than 60 days after the discovery of the breach." The notice must describe the categories of personal information involved and provide contact information for the major credit bureaus and the AG.
  2. AG notification at the same time as individual notice under § 36a-701b(b)(1) — regardless of breach size. Submit electronically through the AG's privacy reporting portal.
  3. Credit-monitoring offer under § 36a-701b(b)(2)(B) — at least 24 months of identity-theft prevention services if SSN was exposed.
  4. HHS report and individual notice under HIPAA at 45 CFR § 164.408 and 45 CFR § 164.404 — 60-day individual notice; HHS report within 60 days for 500+ affected.

Substitute notice via statewide media is available under § 36a-701b(b)(3) when direct-notice cost exceeds $250,000 or 500,000+ affected.

Penalties + private right of action

The numbers a Connecticut practice needs:

  • CTDPA civil penalty. Conn. Gen. Stat. § 42-525 — up to $5,000 per willful violation, plus injunctive relief and restitution, with exclusive enforcement by the Connecticut Attorney General.
  • CUTPA exposure (independent claims only). Conn. Gen. Stat. § 42-110b creates broader Unfair Trade Practices liability, and § 42-110g provides a private right of action for predicate CUTPA violations — but a CTDPA violation cannot itself be the predicate. § 42-524(d) bars CTDPA from being used as the basis for a private action 'under [CTDPA] or any other law.' Plaintiffs must point to a freestanding CUTPA-actionable practice, not the CTDPA violation.
  • Breach-statute enforcement. § 36a-701b — failure to comply with breach notification or credit-monitoring obligations is itself a CUTPA violation, triggering AG enforcement and (where the elements are independently met) individual CUTPA private claims that do not rely on the CTDPA predicate.
  • No private right of action under CTDPA. § 42-524(d) bars any private claim premised on a CTDPA violation. Only the Connecticut AG can enforce CTDPA directly.
  • HIPAA OCR penalties continue to apply in parallel under 45 CFR § 160.404.

The 60-day cure period at § 42-525(b) — which lets a controller cure an alleged violation within 60 days of AG notice — sunset on December 31, 2024. Post-2024 enforcement does not provide the cure cushion.

Compliance checklist for in-state practices

A Connecticut-specific overlay to a HIPAA program:

  • HIPAA-exemption documentation — keep evidence that the covered-entity exemption applies, including current Security Risk Analysis, BAA inventory, and Notice of Privacy Practices. The "governed by HIPAA" phrase in § 42-516(a)(7) is the hook the exemption hangs on.
  • Non-PHI data scope review — identify which data flows fall outside the HIPAA exemption (employee data, marketing lists, prospect data, non-patient web analytics) and apply CTDPA controls.
  • CTDPA privacy notice for non-PHI consumer data flows, separate from the Notice of Privacy Practices for PHI.
  • Opt-in consent flow for any sensitive-data processing under § 42-520(a)(4), including non-PHI health data.
  • Universal opt-out recognition as of 1/1/2025 — site honors browser-based Global Privacy Control signals.
  • Data protection assessment under § 42-522 for any high-risk processing.
  • Breach response runbook that triggers individual notice + AG notice simultaneously within 60 days, with credit-monitoring offer if SSN was involved.
  • CUTPA awareness training for compliance staff — independent CUTPA violations (claims not premised on a CTDPA breach) are the practical private-litigation exposure, since § 42-524(d) bars using CTDPA as a CUTPA predicate.

The d3rx compliance binder state-overlay branches on Connecticut and produces the CTDPA-aware breach response template (with simultaneous AG notice), the credit-monitoring offer language, and the CUTPA exposure tracker a Connecticut practice runs alongside the federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for executing the controls.

Cross-references: see Massachusetts 201 CMR 17 for healthcare and New York SHIELD Act for healthcare for the neighboring-state regimes a Connecticut multi-state practice often runs alongside.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversConnecticut CTDPA for Medical Practices: HIPAA Overlay + Penalty Math. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

We're a HIPAA-covered Connecticut practice — does CTDPA still apply to us?

The covered entity itself is exempt at the entity level under Conn. Gen. Stat. § 42-516(a)(7), but the exemption only attaches to data processed in compliance with HIPAA. A business associate's *own* consumer data (employee data, marketing lists, prospect data) is not HIPAA data and is not exempt. Most Connecticut practices satisfy the covered-entity exemption for the practice itself but still face CTDPA obligations through any non-HIPAA data flow.

What's the CTDPA threshold for applicability?

Under Conn. Gen. Stat. § 42-516(a), CTDPA applies to a person that conducts business in Connecticut or targets Connecticut residents and that during the preceding calendar year (i) controlled or processed personal data of 100,000+ Connecticut consumers (excluding payment-transaction data), or (ii) controlled or processed personal data of 25,000+ consumers and derived more than 25% of gross revenue from the sale of personal data. Many single-location practices don't hit the threshold.

Is there a private right of action under the Connecticut CTDPA?

No. Conn. Gen. Stat. § 42-525 gives exclusive enforcement to the Connecticut Attorney General, and § 42-524(d) expressly bars any private cause of action under the CTDPA — including using a CTDPA violation as a predicate for a private claim 'under [the CTDPA] or any other law' (see the [Connecticut AG CTDPA page](https://portal.ct.gov/AG/Sections/Privacy-/The-Connecticut-Data-Privacy-Act)). The AG can seek civil penalties of up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act framework, plus injunctive relief and restitution. (Conn. Gen. Stat. § 42-528 is an unrelated minors/social-media statute, not CTDPA enforcement.)

Does Connecticut's 60-day breach window line up with HIPAA?

Mostly. Conn. Gen. Stat. § 36a-701b(b)(2) requires notice 'without unreasonable delay, but not later than 60 days after the discovery of the breach.' HIPAA's [45 CFR § 164.404(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404) imposes the same 60-day outer deadline. The Connecticut statute is functionally aligned with HIPAA on individual notice. Where the two diverge: § 36a-701b(b)(1) requires AG notification at the same time as individual notice, regardless of breach size, and credit-monitoring offers if SSN was compromised.

Do we have to offer free credit monitoring after a Connecticut breach?

If the breach involves a Social Security number, yes. Conn. Gen. Stat. § 36a-701b(b)(2)(B) requires the offering of at least 24 months of identity-theft prevention services and, if applicable, identity-theft mitigation services at no cost to the affected Connecticut resident. The credit-monitoring obligation is one of CT's most-missed breach-response requirements and does not exist as a federal HIPAA requirement.

What's the difference between the CTDPA HIPAA exemption and the Virginia version?

Functionally similar — both are entity-level exemptions covering HIPAA-covered entities and business associates. CTDPA at Conn. Gen. Stat. § 42-516(a)(7) is read slightly narrower than Virginia's CDPA carve-out in that it requires the entity be in compliance with HIPAA at the time of the alleged CTDPA violation. A HIPAA-covered Connecticut practice that has lapsed on, say, Security Risk Analysis can theoretically lose the exemption — though no published enforcement action has tested this reading.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. Conn. Gen. Stat. § 42-515 et seq.https://www.cga.ct.gov/
  2. 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  3. 45 CFR Part 164, Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
  4. 45 CFR § 164.524(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  5. 45 CFR § 164.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
  6. 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides