CCPA and Healthcare Explained: What is it, and Does it Apply to Your Business?

Clement Baptiste

Posted on January 27, 2020

CCPA and Healthcare 

The state of California has a history of enacting consumer privacy legislation, and it is stepping up to lead the country in the protection of citizens' personal information through the California Consumer Privacy Act (CCPA). This comes just two years after Europe led the way with the implementation of similar consumer privacy legislation, the General Data Protection Regulation (GDPR).

As if healthcare didn't already have enough IT-related regulations to follow (i.e., HIPAA, ADA, PCI and in some cases GDPR), CCPA is a new addition to the group. But what exactly is the CCPA, what types of businesses does the law apply to, and what does it mean for those businesses?

What is the CCPA?

The CCPA was enacted on January 1, 2020, and requires covered businesses to comply with requests that allow a consumer to exercise control over the collection and sale of his or her personal information. The CCPA ensures Californians the right to:  

  • Know what personal information is collected about them
  • Know whether the personal information is sold or disclosed and to whom
  • Say no to the sale of their personal information 
  • Access their personal information 
  • Receive equal service and price, even if they exercise their privacy rights 

What is considered personal information?

Personal information is anything that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a specific individual or household.

How personal information is defined by the CCPA is extensive and includes the following 11 categories:

  1. Identifiers (e.g., name, postal/email/IP address, account name, passport number, among others) 
  2. Select Information in Customer Records 
  3. Legally Protected Characteristics
  4. Commercial Purchasing Information
  5. Biometric Information 
  6. Internet or Network Activity
  7. Geolocation
  8. Information Typically Detected by the Senses 
  9. Employment Information
  10. Education Information
  11. Inferences from Above Used to Profile

Businesses should be cautious because what is considered personal information is expected to keep evolving, and is not limited to these categories. The attorney general may add additional classes after broad implementation to address developments in technology, data collection, challenges to enactment, and privacy concerns.

What does personal information mean for CCPA and healthcare? As a healthcare organization, you may be unsure whether some of the data you collect is regulated by HIPAA or CCPA. The National Law Review suggests the following data types could be subject to CCPA:

  • Personal information not regulated by HIPAA
  • Personal information which is processed by a non-healthcare division of a HIPAA-hybrid entity, or connected non-profit
  • Certain employee data
  • Personal information collected through conferences, fundraisers, marketing events, or similar activities
  • Personal information used for research

Exclusions to personal information include HIPAA-covered data, de-identified and aggregate consumer information, and publicly available information made available from federal, state, or local government records. 

Does the CCPA apply to your healthcare business?

Covered businesses include people and organizations who: 

1. Conduct for-profit business in California,

2. Collect consumers’ personal information directly or through a third party, and

3. Satisfy at least one of the following criteria:

  • Have annual gross revenues in excess of $25 million
  • Handle the personal information of at least 50,000 consumers or devices annually
  • Obtain 50 percent or more in annual revenue via selling consumers’ personal information

Even if your organization doesn’t have offices or locations in California, if you do business or market your product/services in California and meet the criteria above, CCPA laws apply to you.

If you are the parent company of a business that meets CCPA criteria, or you’re owned by a company that meets CCPA criteria, then CCPA laws also apply to you.

Read the CCPA checklist to learn what this means for your business. 

We pride ourselves on maintaining a position at the cutting edge of technology awareness and protection. Not only are we experts on HIPAA, ADA, and GDPR compliance for the healthcare industry, but we also offer custom audits for CCPA compliance. Contact us online or call (866) 932-9944 to learn more.


Clement Baptiste

Clement is a strategic marketing leader dedicated to advancing science and health. His experience spans digital marketing, communications, and brand management for tech, consumer goods, higher education, and medical devices. Clement holds a B.A. in Business Administration from California State University, Los Angeles and an M.S. in Marketing & Business Analysis from the University of Edinburgh.
