Conn. Gen. Stat. § 42-517

Current with legislation from the 2024 Regular and Special Sessions.
Section 42-517 - Exemptions
(a) The provisions of sections 42-515 to 42-525, inclusive, do not apply to any:
(1) Body, authority, board, bureau, commission, district or agency of this state or of any political subdivision of this state;
(2) person who has entered into a contract with any body, authority, board, bureau, commission, district or agency described in subdivision (1) of this subsection while such person is processing consumer health data on behalf of such body, authority, board, bureau, commission, district or agency pursuant to such contract;
(3) nonprofit organization;
(4) institution of higher education;
(5) national securities association that is registered under 15 USC 78o-3 of the Securities Exchange Act of 1934, as amended from time to time;
(6) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq.;
(7) covered entity or business associate, as defined in 45 CFR 160.103;
(8) tribal nation government organization; or
(9) air carrier, as defined in 49 USC 40102, as amended from time to time, and regulated under the Federal Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act of 1978, 49 USC 41713, as said acts may be amended from time to time.
(b) The following information and data is exempt from the provisions of sections 42-515 to 42-526, inclusive:
(1) Protected health information under HIPAA;
(2) patient-identifying information for purposes of 42 USC 290dd-2;
(3) identifiable private information for purposes of the federal policy for the protection of human subjects under 45 CFR 46;
(4) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use;
(5) the protection of human subjects under 21 CFR Parts 6, 50 and 56, or personal data used or shared in research, as defined in 45 CFR 164.501, that is conducted in accordance with the standards set forth in this subdivision and subdivisions (3) and (4) of this subsection, or other research conducted in accordance with applicable law;
(6) information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.;
(7) patient safety work product for purposes of section 19a-127o and the Patient Safety and Quality Improvement Act, 42 USC 299b-21 et seq., as amended from time to time;
(8) information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
(9) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program or qualified service organization, as specified in 42 USC 290dd-2, as amended from time to time;
(10) information used for public health activities and purposes as authorized by HIPAA, community health activities and population health activities;
(11) the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 USC 1681 et seq., as amended from time to time;
(12) personal data collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq., as amended from time to time;
(13) personal data regulated by the Family Educational Rights and Privacy Act, 20 USC 1232g et seq., as amended from time to time;
(14) personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act, 12 USC 2001 et seq., as amended from time to time;
(15) data processed or maintained (A) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor, consumer health data controller or third party, to the extent that the data is collected and used within the context of that role, (B) as the emergency contact information of an individual under sections 42-515 to 42-526, inclusive, used for emergency contact purposes, or (C) that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under subdivision (1) of this subsection and used for the purposes of administering such benefits; and
(16) personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Federal Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act of 1978, 49 USC 41713, as said acts may be amended from time to time.
(c) Controllers, processors and consumer health data controllers that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to sections 42-515 to 42-526, inclusive.

Conn. Gen. Stat. § 42-517

Amended by P.A. 23-0204, S. 207 of the Connecticut Acts of the 2023 Regular Session, eff. 10/1/2023.
Amended by P.A. 23-0056, S. 3 of the Connecticut Acts of the 2023 Regular Session, eff. 7/1/2023. Effective date amended by P.A. 23-0204.
Added by P.A. 22-0015, S. 3 of the Connecticut Acts of the 2022 Regular Session, eff. 7/1/2023.