Much has been written about the potential impacts that the California Consumer Privacy Act of 2018 (CaCPA) could make on health care organizations and their business partners. The California legislature quickly passed an amendment and technical correction that rolled back some of CaCPA’s provisions exempting data that is regulated by the HIPAA privacy standards and the Common Rule, sparing some health care businesses from CaCPA’s requirements.
CaCPA requires that starting in January 2020, businesses that have some role in the processing personal information of California residents must provide a long list of privacy rights, including a notice of privacy policies, the right to request an accounting of disclosures, the right of access to their personal information, and to have it deleted. CaCPA defines these terms very broadly and the act will apply to many businesses throughout the U.S. that collect the personal information of California residents through a physical or digital presence in the state.
What Businesses Are Covered?
CaCPA defines a business as any organization that is formed to make a profit for its owners or shareholders. The new law will apply to businesses that:
- Have annual gross revenues of $25 million; or,
- Annually receives buys, receives sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices (e.g. smartphones or computers); or,
- Receives 50% or more of its revenues from selling consumer data.
What Healthcare Businesses are Exempted?
Businesses are fully exempt from CaCPA’s privacy requirements for data that is regulated by the HIPAA standards, or they are providers under the California Medical Information Act (CMIA), or if clinical trials are subject to the Common Rule. In addition, the amendments to CaCPA also exempt health information and clinical trial data that falls outside privacy regulations, so long as they are treated by covered entities (or providers under CMIA) with the same protections as HIPAA or clinical trials regulated data. However, this exemption for non-HIPAA protected health information was not extended to business associates.
Many companies will find that CaCPA’s exemption for certain types of health information will not cover large swaths of the data processed in the health care industry. Examples where CaCPA might apply are:
- Data about employees, except when in connection with a health plan that is a HIPAA covered entity.
- Personal information held by a business associate that is not PHI. They also may receive information from health care organizations that are not covered entities or providers.
- Personal information collected by HIPAA covered entities or health care providers from consumers that is not health information.
- Businesses that are not covered by HIPAA or are providers under the CMIA. For example: genetic testing providers, medical device monitoring companies, vendors of wearables, cloud-based electronic health record companies, pharmaceutical manufacturers, health and wellness product retailers, and for-profit assisted living facilities.
CaCPA will take effect on January 1, 2020. However, the enforcement of the new law has been pushed back to July 2020. There is broad agreement that the California legislature and the state Attorney General will have to revisit CaCPA to address a number of drafting errors and an array of contradictory provisions that make compliance impractical.
Some may be tempted to hold off assessing how the CaCPA may apply to their company until all the kinks have been worked out. But, the scope and reach of the new law to organizations that do business in California, makes waiting for the legislature to get its act together is a very risky proposition. CynergisTek can help assess and develop your privacy program, policies, and/or procedures.