As of January 1, 2020, the California Consumer Privacy Act (CCPA) enacted by the State of California, has officially gone into effect. With advances in technology, and the vast extent that consumer information is collected digitally, the CCPA endeavors to help empower consumers. Through the requirements of this act, consumers in California gain the right to inquire which of their personal information is collected, how it’s being used, if it is sold — and ultimately, to request its erasure.
While commercial businesses and marketers have been preparing for CCPA, the healthcare industry has more subtly been affected. Understanding how your healthcare business is impacted by CCPA and how CCPA and HIPAA work together is important in ensuring compliance.
We’ve created this CCPA checklist for wellness professionals to make sure you’re in line with the new regulation. You’ll learn the areas you need to cover for CCPA compliance, including how to:
- Understand CCPA requirements for healthcare providers
- Determine personal information that may differ from HIPAA-protected PHI
- Comply with CCPA consumer data rights
What is the California Consumer Privacy Act?
The CCPA creates new consumer rights relating to the “access to, deletion of, and sharing of personal information that is collected by businesses.” It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes.
In short, consumers residing in California have been granted the following new rights:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and by extension, a business’s service provider;
- The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
- The right to non-discrimination in terms of price or service when a consumer exercises privacy right under CCPA.
According to the Office of the Attorney General, the Attorney General cannot bring an enforcement action under the CCPA until July 1, 2020 — which means your wellness business still has time to become compliant.
The CPA goes on to further define in detail what is considered “personal information,” in an extensive list that includes personal identifiers, health insurance, and medical information, education and professional information, audio and visual content, and more. Even biometrics is included in the CCPA definitions as personal information, including DNA, imagery of the iris, retina, fingerprint, face, hand, palm, and voice recordings.
Notably, any publicly available information is not considered personal information under CCPA.
Who must follow CCPA?
Under CCPA, “business” is defined as any “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information” doing business in the State of California.
Businesses are subject to the CCPA if one or more of the following are true:
- Has gross annual revenues in excess of $25 million
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of annual revenues from selling consumers’ personal information
- Handles the personal information of more than 4 million consumers
Based on these criteria, the CCPA is only set to impact healthcare businesses of large size, like clinics and health systems. Smaller businesses, such as private wellness practices that do not meet these criteria — while still subject to other privacy requirements — do not need to make any compliance changes under CCPA.
How are healthcare businesses required to comply with CCPA?
For healthcare businesses that meet the CCPA requirements, compliance stipulations are outlined by the Office of the Attorney General.
Business obligations imposed under CCPA include:
- Businesses subject to the CCPA must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to requests from consumers to opt-out, know, and delete. For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app.
- Businesses must respond to requests from consumers to know, delete, and opt-out within specific timeframes. As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- Businesses must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business
As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
- As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Businesses must also explain how the incentive is permitted under the CCPA.
- As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance. In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
How does HIPAA impact CCPA compliance for healthcare providers?
Where things get murky for healthcare providers is how HIPAA or California’s Confidentiality of Medical Information Act (CMIA) exempts compliance for CCPA. In order to operate, healthcare providers such as in health clinics must collect private health information (PHI) along with personal information in order to deliver, and bill, for services. Thus, a health clinic cannot simply comply with a patient’s request to “delete” collected personal information.
Both HIPAA and CMIA in California require healthcare providers to safeguard private health information. CCPA goes as far as to state that the title shall not apply to any of the medical information governed by:
- Health Information Technology for Economic and Clinical Health Act
- US Department of Health and Human Services
- Any personal information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects
- Public health research programs that otherwise meet privacy and ethical requirements, and follow important stipulations to “deidentify” personal information
However, it is less clear if these exemptions cover a healthcare provider’s marketing data. This information can include internet activity (ie browsing history, cookies), email address, recorded phone calls. The CCPA title even goes as far as to outline personal information, as including “inferences drawn” to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes — in short, marketing information.
What we can infer from CCPA is that healthcare providers need to proceed with caution in the personal and private health information that they collect from clients. Disclosing which information will be collected, how it will be used, and if it will be sold may need to be required may be required in policy forms and disclaimers — Furthermore, personal information that is not protected under HIPAA or CMIA may be subject to a consumer’s request for deletion.
Make more time to grow your business.
Use a platform that automates the administrative, so you can focus on growth and care.