CCPA vs. HIPAA

HIPAA and the California Consumer Privacy Act (CCPA) both protect sensitive data, but they serve distinct purposes when it comes to data privacy. HIPAA specifically relates to healthcare-related data and patient records, while the CCPA covers a range of industries, emphasizing individual rights over personal information. Both the CCPA and HIPAA can apply in healthcare organizations that deal with data covered under both regulations. 

Contents:

1. What is the CCPA? 
2. Similarities between the CCPA and HIPAA
3. Differences between the CCPA and HIPAA
4. Individual rights under HIPAA v CCPA
5. Can a healthcare organization be subject to both HIPAA and the CCPA?

What is the CCPA? 

The CCPA is a data privacy law enacted in California to protect the personal information of California residents. Under the CCPA, personal information is broadly defined as data that can directly or indirectly identify, relate to, or describe an individual or household. This legislation grants California consumers enhanced rights and control over how businesses collect, process, and use their personal data. 

Who does the CCPA apply to?

The CCPA applies to businesses that:

1. Operate for profit.
2. Collect personal information from California residents or on their behalf.
3. Determine the purposes and means of processing this information.

In addition to these requirements, a business must meet at least one of the following criteria to be regulated by the CCPA:

• Earn gross annual income over $25 million.
• Buy, receive, sell, or share the personal information of 50 thousand or more consumers, households, or devices annually.
• Earn more than 50% of their annual revenue from selling personal information, irrespective of the total revenue amount.

What is considered private data under the CCPA?   

Among what the CCPA considers private data are personal information identifiers such as name, postal address, email address, online identifier IP address, Social Security number, driver's license and passport number, and other similar identifiers. 

According to the National Law Review, the following data types that healthcare organizations handle could be subject to the CCPA:

1. Personal information that is not regulated by California's Confidentiality of Medical Information Act (CMIA) or HIPAA and that is collected through websites, health apps, health portals, and other digital technology or connected devices.
2. Personal information processed by the non-healthcare components of a HIPAA hybrid entity or information processed between a nonprofit institution and its CCPA-covered affiliates, partners, or related entities.
3. Pending a proposed amendment that may exclude certain employee data, personal information about employees collected or processed in an employer function as opposed to a HIPAA covered health plan, as well as general employee information such as Social Security numbers, tax IDs, driver's license numbers, biometric or demographic information.
4. Personal information collected through in-person conferences, fundraisers, marketing events, or similar activities.
5. Personal information processed for research that falls outside the CCPA's clinical research exemption.

See also: CCPA: How California's new privacy law impacts healthcare

Similarities between the CCPA and HIPAA

1. Data privacy and security: CCPA and HIPAA are designed to protect the privacy and security of personal and health-related data, respectively. HIPAA specifically defines protected data as protected health data (PHI); the CCPA provides a broader scope of protection that includes consumers' health data. 
2. Data de-identification: Both CCPA and HIPAA acknowledge the significance of de-identifying data to protect individual privacy. They provide a framework for de-identification, although the specific methods and standards differ. 
3. Legal risks: Both CCPA and HIPAA have legal risks associated with noncompliance. These legal risks vary within both regulations, imposing fines and penalties for various degrees of noncompliance. 
4. Data protection standards: Both CCPA and HIPAA set standards for data protection, outlining requirements for businesses and covered entities to ensure data security and privacy. 

See also: The HIPAA Privacy Rule's preemption of state law

Differences between the CCPA and HIPAA

Scope

1. CCPA: Applies to all businesses operating in California, with a primary focus on personal data privacy. It extends beyond healthcare and covers a wide range of industries.
2. HIPAA: Specifically targets the healthcare industry, applying to entities like healthcare providers, health plans, healthcare clearinghouses, and their business associates. Its focus is on the protection of PHI.

Applicability

1. CCPA: Applies to businesses that collect personal information from California residents, even if they have no physical presence in California.
2. HIPAA: Applies only to entities directly involved in healthcare, focusing on PHI, and primarily applies to the healthcare industry.

Consumer rights

1. CCPA: CCPA grants consumers extensive rights to access, delete, and opt out of the sale of their personal information, emphasizing consumer data privacy.
2. HIPAA: HIPAA primarily focuses on ensuring the security and confidentiality of PHI but doesn't grant patients the same level of control over their health data.

Exemptions

1. CCPA: Includes exemptions for specific data, such as medical information covered by California's CMIA and PHI collected under HIPAA.
2. HIPAA: Does not provide specific exemptions for CCPA requirements; organizations subject to both must adhere to the stricter of the two laws in cases of conflict.

Individual rights under HIPAA v CCPA

Right to access

1. HIPAA: Patients have the right to access their PHI held by covered entities, such as healthcare providers and health plans. This right includes the ability to obtain copies of medical records.
2. CCPA: Under the CCPA, individuals have the right to request access to the personal information that a business collects about them. Businesses must provide this information upon request.

Right to amendments

1. HIPAA: Patients can request corrections or amendments to their PHI if they believe it is inaccurate or incomplete.
2. CCPA: Individuals can request the deletion of their personal information held by businesses. Businesses are obligated to comply with such deletion requests, subject to certain exceptions.

Right to confidential and preferred communication

1. HIPAA: Patients can request that their healthcare provider communicate with them through alternative means such as HIPAA compliant email or at an alternative location to protect their privacy.
2. CCPA: Consumers have the right to opt out of the sale of their personal information. Businesses must provide a "Do Not Sell My Personal Information" link on their websites, and respect opt-out preferences.

Right to nondiscrimination

1. HIPAA: Patients can file a complaint with the Office for Civil Rights (OCR) if they believe their HIPAA rights have been violated.
2. CCPA: Businesses cannot discriminate against individuals who exercise their CCPA rights. They must provide equal service and pricing, regardless of whether individuals exercise their privacy rights.

See also: What are patient rights under HIPAA?

Can a healthcare organization be subject to both HIPAA and the CCPA?

Yes, a healthcare organization can be subject to both HIPAA and the CCPA. 

If a healthcare organization conducts business in California and collects personal information from California residents, it falls under the purview of the CCPA, in addition to its obligations under HIPAA. While HIPAA focuses on healthcare-related data and PHI, the CCPA addresses broader data privacy issues. These organizations should take note of the CCPA HIPAA exemption. 

This provision offers some relief to healthcare organizations that are already compliant with HIPAA regarding the handling of PHI. If a healthcare entity strictly adheres to HIPAA's privacy and security regulations, it may not need to comply with certain aspects of the CCPA.

Specifically, the CCPA HIPAA exemption focuses on PHI collected for specific healthcare purposes like treatment, payment, or healthcare operations. Data collected for these purposes would be exempt from certain CCPA requirements. 

Note: This exemption does not cover all aspects of the CCPA, and healthcare organizations must still comply with CCPA rules concerning other forms of data and individual privacy rights, such as individual rights relating to their non-PHI personal data (Eg. financial information). This exemption aims to prevent redundant or conflicting regulations for healthcare entities already governed by HIPAA while ensuring that non-PHI data remains subject to CCPA requirements.