If Your Organization is HIPAA Compliant, Do You Need to Worry About CCPA?

California’s new Consumer Privacy Act (CCPA) imposes the nation’s most stringent regulations on businesses that collect personal data from Californians. But many in the healthcare world aren’t too worried about the new law. That’s because, despite its sweeping scope, CCPA has carved out an exemption for data already governed by HIPAA. But what does this exemption actually cover, and is it a hard and fast rule that lets healthcare entities ignore CCPA?

CCPA’s HIPAA Exception

Essentially, healthcare companies that would otherwise be subject to CCPA – because they’re for-profit entities doing business in California that collect personal information and meet one of the law’s thresholds (annual gross revenues in excess of $25 million; the personal information of 50,000 or more consumers, households or devices; or 50 percent or more of annual revenue derived from selling personal information) – may find that much of their data is sheltered by HIPAA instead. Note that the shelter attaches to the data, not to the company as a whole.

In CCPA, subsection (c)(1)(A) exempts a certain kind of information: “protected health information” (PHI) collected by a “covered entity” or “business associate” as defined in HIPAA. HIPAA, in turn, defines PHI as individually identifiable information relating to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for that care, where the information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.

Worry About CCPA?

So, healthcare companies don’t really need to worry about CCPA if they’re covered under HIPAA, right?

It all depends on an organization’s status under HIPAA and the purpose for which it collects each category of data. It also depends on how the California Attorney General, who enforces CCPA, and the courts will interpret CCPA’s HIPAA exception once enforcement actions and litigation begin.

For example, it’s uncertain whether CCPA’s HIPAA exemption covers a health care provider’s marketing data, data from mobile apps, or customer service or call center data that is not also PHI. While the actual text of subsection (c)(1)(B) would seem to cover such information, health care organizations should nevertheless proceed with caution, because a regulator may reject that reading in favor of one that is more protective of consumers. Here’s a great article covering four other ways that personal information created, received, maintained or transmitted by companies subject to HIPAA is likely subject to CCPA.

Additionally, CCPA includes a private right of action for certain data breaches: consumers can sue when their nonencrypted, nonredacted personal information is breached as a result of a business’s failure to implement reasonable security. HIPAA includes no such private right of action. This is another area of debate that will come up in future court proceedings – namely, does CCPA’s HIPAA exemption also remove a consumer’s private right of action after a breach, or does a healthcare entity remain exposed to that CCPA claim precisely because HIPAA offers no equivalent?

As CCPA spends more time on the books and its interpretation becomes more defined, many of the remaining questions about the HIPAA exemption will be answered. But today, with so much still unsettled, healthcare organizations should proceed with caution. Before shrugging off CCPA, healthcare entities and related service providers need to take a hard look at their systems, processes and data repositories to determine what (if any) personal information they collect falls outside PHI and within CCPA’s reach.

According to the National Law Review:

If your healthcare organization is wondering about its responsibility under CCPA or looking to ensure that its systems and processes are in line with the latest HIPAA compliance requirements, let’s connect. Dev IQ is an expert in secure, compliant software development and system modernization. We’ve worked with many healthcare entities to create solutions that improve the efficacy of their workflows and the quality of life for their patients and staff. We’d love to connect to hear about your healthcare software projects.

Let’s build something beautiful together.

Jamie Murphy

Marketing Strategist, busy mama, & blogger extraordinaire.
