CCPA and Healthcare
The state of California has a history of enacting consumer privacy legislation, and it’s stepping up to lead the country in the protection of citizen’s personal information through the California Consumer Privacy Act (CCPA). This is taking place just two years after Europe led the way with the implementation of a similar consumer privacy legislation known as General Data Protection Regulation (GDPR).
As if healthcare didn’t already have enough IT-related regulations to follow, ie. HIPAA, ADA, PCI and in some cases GDPR, CCPA is a new addition to the group. But what exactly is the CCPA, what types of businesses does the law apply to, and what does it mean for those businesses?
What is the CCPA?
The CCPA was enacted on January 1, 2020, and requires covered businesses to comply with requests that allow a consumer to exercise control over the collection and sale of his or her personal information. The CCPA ensures Californians the right to:
- Know what personal information is collected about them
- Know whether the personal information is sold or disclosed and to whom
- Say no to the sale of their personal information
- Access their personal information
- Receive equal service and price, even if they exercise their privacy rights
What is considered personal information?
Personal information is anything that can identify, relate to, describe, is capable of being associated with, or could be reasonably linked to a specific individual or household.
How personal information is defined by the CCPA is extensive and includes the following 11 categories:
- Identifiers (e.g., name, postal/email/IP address, account name, passport number, among others)
- Select Information in Customer Records
- Legally Protected Characteristics
- Commercial Purchasing Information
- Biometric Information
- Internet or Network Activity
- Information Typically Detected by the Senses
- Employment Information
- Education Information
- Inferences from Above Used to Profile
Businesses should be cautious because what is considered personal information is expected to keep evolving, and is not limited to these categories. The attorney general may add additional classes after broad implementation to address developments in technology, data collection, challenges to enactment, and privacy concerns.
What does personal information mean for CPPA and healthcare? As a healthcare organization, you may be unsure whether some of the data you collect is regulated by HIPAA or CCPA. The National Law Review suggests the following data types could be subject to CCPA:
- Personal information not regulated by HIPAA
- Personal information which is processed by a non-healthcare division of a HIPAA-hybrid entity, or connected non-profit
- Certain employee data
- Personal information collected through conferences, fundraisers, marketing events, or similar activities
- Personal information used for research
Exclusions to personal information include HIPAA-covered data, de-identified and aggregate consumer information, and publicly available information made available from federal, state, or local government records.
Does the CCPA apply to your healthcare business?
Covered businesses include people and organizations who:
1. Conduct business in California for-profit,
2. Collect consumers’ personal information directly or through a third party, and
3. Satisfy at least one of the following criteria:
- Has annual gross revenues in excess of $25 million
- Handle the personal information of at least 50,000 consumers or devices annually
- Obtain 50 percent or more in annual revenue via selling consumers’ personal information
Even if your organization doesn’t have offices or locations in California, if you do business or market your product/services in California and meet the criteria above, CCPA laws apply to you.
If you are the parent company of a business that meets CCPA criteria, or you’re owned by a company that meets CCPA criteria, then CCPA laws also apply to you.
Read the CCPA checklist to learn what this means for your business.
We pride ourselves on maintaining a position at the cutting edge of technology awareness and protection. Not only are we experts on HIPAA, ADA, and GDPR compliance for the healthcare industry, but we also offer custom audits for CCPA compliance. Contact us online or call (866) 932-9944 to learn more.