Providing consumers greater control and transparency over their personal data, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The law sets requirements and standards for businesses collecting, sharing or selling the personal information of California residents – regardless of where the business is headquartered. For-profit businesses subject to the law have until July 1, 2020, to ensure compliance.
While the impact on the operations of healthcare organizations is expected to be less significant than for other businesses because certain types of health data are excluded, the law will still bear significant consequences for the healthcare industry and will affect some aspects of the personal data collected and processed by healthcare delivery (and adjacent) organizations.
This article discusses the convergence of the CCPA and healthcare: the scope of the law and its potential implications with respect to medical operations.
An Overview of the CCPA
The law, currently the strictest consumer data protection regulation in the U.S., was enacted to protect consumers from businesses selling their data without their consent. It can be traced back to the groundswell of public interest and outcry following the 2018 Facebook/Cambridge Analytica data scandal and the revelation that there is woefully little regulation restricting how businesses collect and use personal information without user consent.
The CCPA follows in the footsteps of the EU’s Global Data Privacy Regulation (GDPR), which took effect in early 2019. While the laws have similarities and generally protect the same types of data, each law defines the data types differently.
The CCPA guarantees California residents (referred to as “consumers” in the CCPA) the right to know what personal information businesses collect from them, where the information comes from, what it’s used for, and how it’s shared. Consumers can also stop or limit the collection, use, sharing or selling of their personal data.
The CCPA includes the following key requirements:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted;
- Consumers have a right to opt out of the sale or sharing of their personal information;
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent;
- Businesses must disclose the reason for collecting personal data; and
- If a business sells consumer information, it must identify the third party receiving the data.
Failure to comply with the CCPA will be met with strong penalties from the State of California. The law also allows for consumers to take civil action against any businesses misusing their data.
Businesses in Scope
The CCPA applies to for-profit businesses that collect and process personal data from California residents and meet one of these requirements:
- Take in over $25 million in gross annual revenue.
- Obtain personal information from more than 50,000 California residents, households or devices each year.
- Derive 50% or more of their annual revenue from selling personal consumer information.
Nonprofit organizations are exempt from the law, which means many hospitals and health systems are exempt. However, for-profit healthcare companies, insurance providers, and digital health technology companies may be subject to the CCPA for any non-health data collected from California residents.
Because the CCPA applies to all businesses collecting information on California residents, international companies are also subject to the law if they meet the requirements. In effect, this makes the CCPA a global regulation — at least to the extent that Californians travel. (At a minimum that would extend the burden of compliance across all 50 of the United States.) This is another way in which the law follows the example set by GDPR — affording internationally enforceable protections to individuals hailing from or taking up legal residence within a certain geographical area.
Speaking of GDPR, it must be emphasized that despite the similarities, the CCPA and GDPR are separate legal frameworks with different scopes, requirements, and definitions of data types. Businesses already compliant with GDPR should not assume they are in compliance with the CCPA. In fact, the California Attorney General described certain differences in a recently released CCPA fact sheet.
Personal Information Defined Under the CCPA
The law defines personal information as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information include Social Security numbers, certain demographic information, financial account information, and biometric data.
De-identified information, and information that exists in the aggregate (about a group of individuals) and cannot identify any specific individual or household, are not considered personal information and therefore are not subject to the CCPA.
Health Data Exclusions Under the CCPA
The CCPA contains an exclusion for health information governed by federal and state data privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA), and California's health privacy law, the Confidentiality of Medical Information Act (CMIA). Similarly, information collected in the course of a clinical trial is governed by already established FDA requirements, GCP guidelines, or the Common Rule.
Despite this, the CCPA doesn’t exactly portend business as usual for for-profit healthcare organizations. These organizations routinely collect payment card information and personally identifiable data that extend beyond the bounds of “medical information” or “PHI”, as defined by, and subject in the first instance to, the CMIA and HIPAA.
Additionally, most modern for-profit healthcare organizations will maintain websites that collect visitor data. These activities would be subject to the CCPA regardless of the organization’s classification.
Finally, while it’s not entirely clear from the way the law is written, there is some basis to think that in certain circumstances the CCPA would set a higher compulsory standard for data management practices than those set out under HIPAA. For example, data sharing schemes designed to further a healthcare organization’s financial interests but not its patient care, such as the controversial “Project Nightingale”, might fall in violation of the CCPA. (Ultimately, the question would need to be adjudicated in order to clarify the matter and establish a legal precedent.)
The Bottom Line on the CCPA and Healthcare
Though hospitals are no strangers to data protection regulations, when it comes to the CCPA and healthcare, the new privacy law may present a challenge as businesses try to get a handle on their unique points of impact.
Even if your organization doesn’t currently collect data on Californians, you should be prepared. California may have been the first state to enact a law, but several states, including New York and Washington, have proposals for similar regulations, and there has been some discussion of a national law.