BLOG

Blog Post by Albert Oganesian, Cybersecurity Consultant at Meditology Services

---

A wave of new state privacy regulations has healthcare entities scrambling to stand up programs to address patient information protections. On the heels of ground-breaking Global Data Protection Regulation (GDPR) mandates out of the EU, U.S. regulators in over 20 states are starting to incorporate privacy controls including new and proposed legislation.

One of the most prominent and comprehensive new privacy laws is the California Consumer Privacy Act (CCPA). This blog post provides a quick summary of the CCPA law and implications for healthcare entities.

What is CCPA? When did it go live?

The CCPA creates new consumer rights for businesses that collect, access, delete, and share personal information. It was created for the purpose of protecting the privacy and personal data of consumers who live in California. Any customer in the state of California may request a copy of their information from any operating business. For example, if a business operating in Nevada consumes data from a resident in California, then that resident has every right to obtain his/her information from that business.

The law went into effect on January 1, 2020. California residents may request that a business disclose the types of personal information gathered, the purpose of collecting that information, and who the information is being shared with (these requests can be exercised twice a year, free of charge). Any business that collects personal information must display a visible link within their privacy policy that reads “do not sell my data.”

Who is subject to the law and how does it apply? What are the requirements?

The CCPA applies to any for-profit business in the state of California that collects, shares, or sells California consumers’ personal data and meets at least one of the following criteria:

• Has an annual gross income of more than $25 million
• Possession of more than 50,000 records of consumer data
• Earn more than half of its annual revenue from selling consumers’ personal information

The CCPA requires businesses to inform their consumers that they share personal information, add an option to their websites that prevents the disclosure of personal information, obtain consent to sell data from any consumer under the age of 16 (consumers under the age of 13 must obtain consent from parent/guardian), and treat customers equally with the services they offer regardless of whether they have exercised their rights under the law.

It is unlawful under the CCPA to treat customers that opt-in to permit data resale any differently than those who decide to opt-out. For example, companies are not permitted to provide benefits such as cheaper plans or extended services to consumers that have opted in to permit reselling their data.

The CCPA defines personal information as any data that can be identified, related, described, associated, or potentially linked to a particular consumer or household. A few examples include email addresses, user identification, IP address, biometric information, geolocation data, and online browsing history.

What are the penalties?

Before this law came into effect, businesses weren’t legally required to inform consumers that their personal information was collected and sold to other companies for business marketing purposes. Now, consumers have greater control of their data and have the right to utterly tell a business to delete or opt-out of sharing their personal information.

The law gives Californians the right to sue businesses if their personal information was lost in a data breach caused by negligence with penalties up $750 per consumer violation. The California Attorney General is responsible for investigating companies suspected of violating the law. Organizations can be fined up to $2,500 per incident if the violation was unintentional and up to $7,500 if it was intentional.

Class-action lawsuits are expected to increase following the introduction of the CCPA considering the volume of attacks and data breaches that are mounting in the industry.

How does the CCPA compare to other privacy laws (HIPAA)?

The CCPA contains a series of explicit exclusions, under section 1798.145, from the entire law for information already covered under other state or federal statutes or regulations. The CCPA excludes patient information maintained by covered healthcare entities under HIPAA and HITECH to the extent that these providers maintain patient information in the same manner as their medical information under the Confidentiality of Medical Information Act.

The types of businesses that are exempt to the law are health care providers or insurers under HIPAA, banks and financial companies covered by Gramm-Leach-Bliley, credit reporting agencies that are under the Fair Credit Reporting Act, and government agencies that are subject to the protection under the Drivers’ Privacy Protection Act. Every other company that met the requirements above are subject to the law as of this year.

Best practices for health care entities (not covered by HIPAA)?

Some examples of healthcare entities not covered by HIPAA (under CCPA law) include clinical research organizations, pharmaceutical companies, biotechnology, fitness and lifestyle apps, personal health record vendors, genetic test services, living facilities and services.

Healthcare entities that are not covered by HIPAA are advised to develop their compliance plans, rather than hoping for radical changes to the requirements and risk being caught in a compliance quandary. Given that the law includes challenging compliance obligations, it is recommended that health care organizations begin developing compliance plans now, including:

• Updating privacy policies, consent forms, authorizations and similar notices in compliance with the law
• Updating subject rights policies to account for the rights conferred by the law
• Updating data inventories to identify data collection, disclosure, retention and sale that will need to be disclosed to or modified in response to individual requests
• Building mechanisms to receive individual inquiries through the required designated request methods, verifying individual requests, and delivering results of those requests back to individuals while meeting portability requirements
• Addressing the impact of the restrictions of “selling” personal information and strict opt-out rights on their operations
• Updating vendor diligence and contracting processes/templates to account for the law
• Evaluating the law’s impact on the organization’s risk profile and insurance coverage

The wave of state privacy regulations is likely to grow in 2020 and may yet build into a tsunami of federal regulatory action as privacy breaches gain momentum. Healthcare entities inside and outside of California would be well advised to pay close attention to emerging privacy laws including GDPR, CCPA, and others.

---

REFERENCES

https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Map.pdf
https://blog.zoominfo.com/ccpa-guide-faq/https://www.cnet.com/news/ccpa-is-here-californias-privacy-law-gives-you-new-rights/
https://www.docusign.com/blog/who-is-covered-by-ccpa-and-what-does-it-require/
https://www.comparitech.com/blog/vpn-privacy/california-consumer-privacy-act/
https://www.pbwt.com/data-security-law-blog/part-iii-our-last-look-at-the-ccpas-definition-of-personal-information
https://iapp.org/news/a/paging-all-health-care-privacy-pros-cacpa-deserves-your-attention-despite-hipaa-exemption/