CCPA: How California’s new privacy law impacts healthcare
by Heather C. Orr
In June 2018, California passed a new privacy law, AB 375, that in some ways goes even further to protect private data than the General Data Protection Regulation (GDPR) that was passed by the European Union.
The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, and has a wide definition of what is considered private data. For the companies that are affected by CCPA, it may mean more complications in locating and securing private data.
What is the CCPA and how does it affect healthcare?
The CCPA allows California consumers to view any information a company has saved about them and request a list of all the third parties that their data is shared with. If these privacy guidelines are violated, consumers can sue the companies that have collected their data.
Any companies with annual revenue of at least $25 million that serve California consumers must comply with the privacy law.
Also, companies that get more than half of their revenue from the sale of personal data or that have data on at least 50,000 people need to comply with the CCPA, even if they’re not based in the United States.
An amendment to the law was made that exempts protected health information (PHI) that is already subject to regulations under the Health Insurance Portability and Accountability Act (HIPAA).
Information that is not considered PHI and doesn’t fall under the HIPAA requirements must comply with the CCPA.
For instance, if healthcare organizations collect personal information through conferences, fundraisers, or marketing events and activities the data would not be exempt.
What if a company doesn’t comply with the CCPA?
Once companies are notified of a violation, they have 30 days to comply with the law. A fine of up to $7,500 per record is assessed if the issue isn’t resolved.
The CCPA also gives individuals the right to sue companies and allows class action lawsuits for damages.
If a consumer believes that their privacy rights have been violated and they give written notice to a company, it has 30 days to comply. Specific penalties of $100 to $750 per consumer, per incident, or actual damages, whichever is greater apply to a breach or unauthorized access.
What is considered private data under the CCPA?
Among what the CCPA considers private data is personal information identifiers such as name, postal address, email address, online identifier IP address, Social Security number, driver’s license and passport number, and other similar identifiers.
According to the National Law Review, the following data types that healthcare organizations handle could be subject to the CCPA:
- Personal information that is not regulated by the CMIA or HIPAA and that is collected through websites, health apps, health portals, and other digital technology or connected devices
- Personal information processed by the non-healthcare components of a HIPAA hybrid entity or information processed between a non-profit institution and its CCPA-covered affiliates, partners or related entities
- Pending a proposed amendment that may exclude certain employee data, personal information about employees collected or processed in an employer function as opposed to a HIPAA-covered health plan as well as general employee information such as Social Security numbers, tax IDs, drivers’ license numbers, biometric or demographic information
- Personal information collected through in-person conferences, fundraisers, marketing events or similar activities
- Personal information processed for research that falls outside the CCPA’s clinical research exemption
The CCPA will require companies to separate the user data they collect to give consumers the opportunity to choose how they want to share it. Companies can also give incentives to consumers who share their personal information.
Fortunately, healthcare organizations that are already complying with HIPAA and GDPR are well on their way to being in compliance with the CCPA.