Just as we always welcome the new year on January 1, new regulations and requirements are there to greet us as well. One new law causing a lot of activity is the California Consumer Privacy Act (CCPA). First signed into law in June 2018, the CCPA took effect on January 1, 2020. Despite the CCPA 2020 enforcement date, there is a 12-month “look-back period” going back to January 1, 2019.
Similar to the European Union’s General Data Protection Regulation (GDPR), this law vests certain patient rights to control how their data is used. GDPR, in effect since May 2018, created many implementation concerns within the marketplace, and the CCPA is expected to cause the same confusion. The uncertainty surrounding the appropriate steps to achieve compliance is steadily increasing with the arrival of the CCPA deadline—and will only escalate further as some companies try to balance the state law and federal law with their patients, including non-California residents.
The regulation impacts all industries, including healthcare. However, there may be some exclusion under the Health Insurance Portability and Accountability Act (HIPAA) for those healthcare organizations that meet certain requirements.
What is CCPA?
California has a population of 39 million people—and, through the use of technology and a more transient society, a high likelihood exists of conducting business with a resident of California, no matter where your company is located. In addition, California is not likely to be the only state to enact a privacy law that vests so much power in the patient to control their data.
Other states are likely to follow in California’s footsteps. Maine and Nevada recently enacted laws to allow patients to opt-out or protect online patient information. Hawaii, Massachusetts, Maryland, New York, and Pennsylvania have also enacted privacy legislation.
CCPA Requirements: How Does This Apply To Mostly Everyone?
In general, the CCPA applies to any business that:
- Does business in the state of California
- Collects the personal information of California residents
- Alone or jointly determines the purposes or means of processing that data
- Satisfies at least one of the following:
  - Annual gross revenue exceeds $25 million
  - Alone, or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares (for commercial purposes) the personal information of at least 50,000 patients, households, or devices
  - Derives at least 50% of its annual revenue from selling patients’ personal information
However, uncertainty still exists on the appropriate steps to meet these criteria—especially now that the deadline has arrived. For example, does the revenue have to come from California sources, or does it apply to the organization in its entirety? It is expected that some of this uncertainty will be resolved as the law is further cemented in 2020.
The Rights of the Consumer Lead 2020
In this new decade, the CCPA empowers the patient to have more control over what happens to the personal information shared with different organizations.
The patient has a right to request that a business disclose the categories and specific pieces of personal information that is collected about them, the sources where the information is collected, the purpose of the collection, and categories of third parties with whom the information is shared. The patient will now have the right to request that businesses and their service providers delete their personal information. While this is new for many industries, healthcare under HIPAA already has these processes and practices in place.
Some exceptions to this provision do exist. For example, a business is not required to delete information that is needed to complete the transaction for which it was collected, to comply with a legal or regulatory obligation, or to protect against fraud. If a business sells personal information, the patient has the right to opt-out. If a patient chooses to exercise their rights under the CCPA, the business cannot discriminate against them by charging a different price or denying goods or services. HIPAA has similar rules for data related to patient treatment, payment, and operations.
The HIPAA Exemption
The CCPA has created an exemption designed around HIPAA. Section 1798.145(c)(1) of the California Civil Code codifies this exemption—and organizations that are otherwise subject to the CCPA regulation may find shelter under HIPAA, even if they satisfy other parts of the criteria.
The key to determining if an organization qualifies for the exception is challenging. While the best option is to consult legal counsel, there are some things to review that may help you determine if your business needs to comply.
The first part of the exemption is straightforward. If a company is collecting protected health information (PHI) related to the physical or mental health of an individual for the purposes of treatment, payment, or operations, the company may be exempt from the CCPA. Therefore, an organization’s status under HIPAA and the reason they are collecting and using certain data will determine if the data will qualify for an exemption.
For example, a healthcare technology company operating in California that collects data on individuals probably does not qualify for the exemption.
On the other hand, a healthcare system operating in California with a research branch that collects data for patient use probably does qualify. This nuanced difference is a very tricky part of the CCPA and represents why you must carefully consider your business operations and the CCPA criteria to see whether you qualify for the exemption.
It would appear that the law specifically applies the exemption to covered entities. It’s also unclear if the HIPAA exemption covers other types of data that a healthcare provider may have—including marketing or mobile app information, or data acquired as result of an internet search (think: cookies, phone calls, and emails).
There are many opportunities for healthcare organizations to qualify for the HIPAA exemption. However, all organizations must perform due diligence to determine whether or not their specific circumstances allow for exemption.
New Year, New Disclosures: CCPA Updates
As with any law that grants patients new or additional protections, disclosures must be provided. Under the CCPA, a business that collects personal information must, at or before the point of collection, inform patients as to the categories of personal information that are being collected and how the gathered information will be used. The business cannot collect personal information beyond what is stated in the notice.
Within its online privacy policy, the business must disclose the rights a patient has under the CCPA, and add a list of categories of collected personal information that were sold or disclosed for business purposes in the last 12 months. This notice requires an update every 12 months.
If the business sells personal information, it is required to provide a clear and conspicuous link on its webpage titled Do Not Sell My Personal Information that allows a person to opt-out of the sale of information. This link must also be available through the online privacy policy or other document that contains a California-specific description of patients’ privacy rights.
CCPA Compliance Checklist
Healthcare organizations need to examine the business they are in and where they do business to determine if they need to be in compliance with CCPA. Below are some important steps to consider when making that determination.
Phase 1: Due Diligence
In this phase, you need to answer a few questions about your activities, such as:
- Where are your patients?
- What data are you collecting?
- What are you doing with it?
- What are your plans for it?
- Where is it?
For those organizations that are not located within or near California, you may need to determine your patients’ state of residence. This can be done through risk assessments or data mapping tools. Such an audit allows you to document what you collect from patients and, as privacy laws are expanded to other states, to see which state law applies to which patient.
Data mapping is not limited to your patients and should include third parties as well. Ensure that all third-party vendors are also compliant with the requests of your patients. If a patient requests that certain data be removed from your processes, and that same data is also held by a third-party vendor, the vendor must also remove the data.
Phase 2: Remediation and Documentation
Once you determine where data originates from—along with its usage and storage—solid programs are needed, such as rights process, security, incident response, and data use. You will need to update documents such as disclosures, patient consents or opt-out notices, vendor contacts, and privacy policies.
Internal communication and training are also critical. Many employees are not up to date on the new privacy laws and the effect they have on their job and patient interactions. Training should include an introduction to the guidelines and processes needed to address data usage and behavioral targeting through marketing activities.
Phase 3: Updating and Maintenance
Once your program is set up, you should conduct routine reviews and maintenance every 12 months, as required by the CCPA’s provision regarding privacy policies posted on websites. An ongoing review of the data collected and where patients reside should also be conducted, as business operations can change over the course of a year.
For additional information on the CCPA, please visit the Attorney General’s California Consumer Privacy Act homepage.