In 2021, many healthcare organizations faced record-high losses from data breaches. Each of these incidents cost around $9.23 million, or $2 million higher than the previous year’s costs. In March 2022 alone, there were 3,083,988 healthcare records stolen, exposed, or illegally disclosed across 43 data breaches.
Safety regulations are necessary as the industry deals with a staggering amount of protected health information. To that end, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established.
However, on January 1, 2020, the California Consumer Privacy Act (CCPA) took effect in California. While the law contains certain exceptions for healthcare data, it still affects how healthcare organizations should handle data. This article will cover the intersection of the CCPA and California HIPAA laws and what it means for maintaining compliance.
The CCPA was signed into law on June 28, 2018. Its origins can be linked to the Facebook–Cambridge Analytica data scandal, where users’ data was collected without consent for political advertising. As a result, public outcry demanded stricter data privacy laws.
The CCPA is currently the strictest consumer data privacy law in the U.S., mirroring the EU’s Global Data Privacy Regulation (GDPR). The GDPR, which took effect in 2019, is known as the world’s toughest consumer data privacy law.
Under the CCPA, California residents (called “consumers” in the law’s text) have the right to know the “specific pieces” of personal information businesses collect from them. Other key requirements found in the CCPA are:
Regardless of where a business is situated, it must comply with these requirements when handling information of California residents. Failure to comply with these requirements will result in administrative fines and civil penalties from the State of California. A single violation can cost up to $2,500 (or up to $7,500 if the consumer is a minor). In addition, affected consumers can take civil action against the business under the CCPA.
The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples given include (but are not limited to) the following:
Aggregated (i.e., about a group of people instead of an individual) and de-identified information is not considered personal information. As long as the information cannot identify a specific individual or household, it does not fall under the CCPA’s scope.
While the CCPA is a welcome addition for California residents, the personal data handled by the healthcare industry is already subject to HIPAA. The CCPA HIPAA exemption exists to help navigate the overlap between the two laws.
If your healthcare organization handles information on over 50,000 customers or generates over $25 million in gross annual revenue, you may not be subject to CCPA requirements.
The CCPA HIPAA exemption consists of two parts. The first concerns protected health information (PHI) collected by covered entities or business associates. The second concern covered entities that maintain PHI in certain ways.
Health data exclusions do not extend solely to the HIPAA. For example, the CCPA also excludes health information governed by other data privacy laws, such as California’s Confidentiality of Medical Information Act (CMIA). In addition, data collected through clinical trials are also exempt, as it is already governed by the Common Rule, Good Clinical Practice (GCP) guidelines, or Food and Drug Administration (FDA) requirements.
For-profit healthcare organizations cannot ignore the CCPA. They regularly collect personally-identifiable data (e.g., credit card information) that does not fall under the PHI exemption. Most healthcare organizations possess websites that collect visitor data. This data is still subject to the CCPA.
Lastly, the CCPA sets a stricter standard than the HIPAA in certain circumstances. A good example is Google’s controversial Project Nightingale. Millions of health records were obtained by Google without the knowledge of patients or doctors. It was found to be permissible under HIPAA, as the law states PHI can be shared with business associates “to help the covered entity carry out its health care functions.” The data was meant to be used for designing new software. Under the CCPA, this form of data-sharing may not be as permissible.
As mentioned, aggregated and de-identified data does not fall under the CCPA. However, there are certain risks involved with this type of data. For example, it may still be personally identifiable even after aggregated data (e.g., analytics for business metrics, high-level trends, or other insights) is collected.
Under the first part of HIPAA exemptions, data collected for treatment and payment is exempt if used for healthcare activities. However, most organizations also use this data for other purposes (i.e., analytics for other business needs). To that end, they use data aggregation systems to compile and de-identify data. Thus, the resulting data may not be as anonymized as expected and can still be traced back to an individual depending on the system used.
Additional complications can arise due to other consumer rights under the CCPA. For example, if consumers request that their data be deleted, organizations are obliged to comply. If used in an aggregated data set, it would need to be located and extracted. This will not only affect the accuracy of the analytics, but it will also prove to be a difficult task.
As the CCPA (unlike the HIPAA) allows consumers to take civil action against businesses, improper aggregation brings legal risk. Any healthcare organization that depends heavily on aggregated data needs to work with experts that can ensure proper de-identification. Tools and processes that provide data cannot be re-identified but can easily be extracted upon consumer request will be necessary.
HIPAA compliance does not guarantee CCPA compliance. It could be disastrous for your organization if any violations occur due to misunderstood exemptions or unforeseen loopholes.
Ensure that your systems and procedures are compliant on all fronts by seeking the advice of an experienced legal team. At Fenton Law Group, we provide superior legal services to the healthcare industry. Feel free to reach out to us for assistance regarding CCPA vs. HIPAA compliance requirements.