Debunking Four Common Myths of the California Consumer Privacy Act (CCPA)

How CCPA Applies to Healthcare, Non-Profits, and Data Outside of California

Beginning January 1, 2020, the California Consumer Privacy Act (CCPA) requires businesses that collect, share, or sell the personal information of California residents to provide a long list of privacy rights. Much like the General Data Protection Regulation (GDPR) in Europe, CCPA is expected to dramatically alter the way American businesses use and disclose information about people and, in many cases, to force organizations to reexamine their practices.

Let’s explore some myths about the CCPA and discover action steps every organization should take to minimize the risk of regulatory action or lawsuits for failing to provide California consumers their privacy rights or safeguard the security of their personal information.

Myth #1: CCPA Only Applies to Big Tech Companies

Fact: Nobody is exempt from CCPA. Organizations that have the greatest obligations and compliance risk are for-profit businesses:

  • Doing business in California;
  • Collecting the personal information of California residents; and,
  • Booking annual gross revenues in excess of $25 million, or having collected personal information about more than 50,000 California residents. This is equivalent to contact with 137 California residents per day through your website homepage, provider portal, HIE, or telehealth service.

The CCPA definition of personal information is broad and includes cookies, a device identifier, pixel tags, customer number, information linked to a household, and more.

Best Practice: Cover your bases and make yourself fully compliant with the strictest state law in the country, as it will likely serve as a benchmark for future state laws and any federal privacy standard.

Myth #2: Healthcare Organizations Are Exempt from CCPA

Fact: CCPA exempts PHI controlled by a HIPAA covered entity/California Medical Information Act (CMIA) provider and their business associates. Personal information not covered by HIPAA is subject to CCPA.

Data that is regulated by HIPAA standards, for providers under the CMIA, and clinical trials subject to the Common Rule are exempt from CCPA’s consumer privacy rights. Health information and clinical trial data held by a covered entity that is not PHI is also exempt so long as they are treated by HIPAA covered entities (or providers under CMIA) with the same privacy and information security protections as HIPAA or clinical trial regulated data. The exemption for identifiable health information that is outside the scope of HIPAA does not extend to business associates (i.e., contractors or vendors to providers or covered entities).

Many companies will find that CCPA’s exemption for certain types of health information will not cover large swaths of the data processed in the healthcare industry. Examples where CCPA might not apply are:

  • Personal information that is not PHI held by a HIPAA business associate that also may receive information from healthcare organizations that are not covered entities or providers;
  • Personal information that is not PHI collected from consumers by HIPAA covered entities or healthcare providers; and,
  • Businesses that are not covered by HIPAA or providers under the CMIA (e.g., genetic testing providers, medical device monitoring companies, vendors of wearables, cloud-based electronic health record companies, pharmaceutical manufacturers, health and wellness product retailers, for-profit assisted living facilities).

Best Practice: Err on the side of caution and become CCPA compliant. Alabama, Illinois, Massachusetts, New York, and Nevada have adopted consumer data protection laws that are more stringent than the HIPAA requirements. Many other states are considering laws that require healthcare organizations to protect all personally identifiable information.

Myth #3: Non-Profit Healthcare Organizations and Small Companies Don’t Meet the CCPA Thresholds, so They Are Off the Hook

Fact: A non-profit healthcare facility, provider, or health plan may be obligated to comply with the CCPA indirectly if it processes the personal information of California residents through an agreement with one of its customers, or if it controls an HIE or hosts some other type of electronic health information network.

Best Practice: In order to comply with CCPA, you will need to ensure your third-party service providers use information in a way that allows you to be compliant. For example, they have to agree not to sell information about consumers, use it only as permitted, and delete information as requested. Otherwise, your organization is liable for violations of the CCPA.

Myth #4: There Is No Rush to Comply with CCPA

Fact: The reality is if you have not begun to prepare for compliance with the CCPA, you are taking a very big gamble.

Best Practice: Get started now by building a CCPA-focused data mapping exercise. Get your service providers on board by modifying existing agreements to prohibit the unauthorized use or sale of personal information.

The CynergisTek team is here to assist you with CCPA and will be offering more robust privacy services with our acquisition of Backbone Consultants. Please contact us if you want more information and/or need help updating your privacy, security, and breach notification standards.

November 6th, 2019

About the Author:

David Holtzman
Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.