[fusion_builder_container hundred_percent=”no” hundred_percent_height=”no” hundred_percent_height_scroll=”no” hundred_percent_height_center_content=”yes” equal_height_columns=”no” menu_anchor=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_image=”” background_position=”center center” background_repeat=”no-repeat” fade=”no” background_parallax=”none” enable_mobile=”no” parallax_speed=”0.3″ video_mp4=”” video_webm=”” video_ogv=”” video_url=”” video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” video_preview_image=”” border_size=”” border_color=”” border_style=”solid”][fusion_builder_row][fusion_builder_column type=”1_1″ layout=”1_1″ spacing=”” center_content=”no” link=”” target=”_self” min_height=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_image=”” background_position=”left top” background_repeat=”no-repeat” hover_type=”none” border_size=”0″ border_color=”” border_style=”solid” border_position=”all” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” margin_top=”” margin_bottom=”” animation_type=”” animation_direction=”left” animation_speed=”0.3″ animation_offset=”” last=”no”][fusion_text columns=”” column_min_width=”” column_spacing=”” rule_style=”default” rule_size=”” rule_color=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=””]

Much has been written about the potential impacts that the California Consumer Privacy Act of 2018 (CaCPA) could make on health care organizations and their business partners. The California legislature quickly passed an amendment and technical correctionthat rolled back some of CaCPA’s provisions exempting data that is regulated by the HIPAA privacy standards and the Common Rule, sparing some health care businesses from CaCPA’s requirements.

CaCPA requires that starting in January 2020, businesses that have some role in the processing personal information of California residents must provide a long list of privacy rights, including a notice of privacy policies, the right to request an accounting of disclosures, the right of access to their personal information, and to have it deleted. CaCPA defines these terms very broadly and the act will apply to many businesses throughout the U.S. that collect the personal information of California residents through a physical or digital presence in the state.

What Businesses Are Covered?

CaCPA defines a business as any organization that is formed to make a profit for its owners or shareholders. The new law will apply to businesses that:

What Healthcare Businesses are Exempted?

Businesses are fully exempt from CaCPA’s privacy requirements for data that is regulated by the HIPAA standards, or they are providers under the California Medical Information Act (CMIA), or if clinical trials are subject to the Common Rule. In addition, the amendments to CaCPA also exempt health information and clinical trial data that falls outside privacy regulations, so long as they are treated by covered entities (or providers under CMIA) with the same protections as HIPAA or clinical trials regulated data. However, this exemption for non-HIPAA protected health information was not extended to business associates.

Many companies will find that CaCPA’s exemption for certain types of health information will not cover large swaths of the data processed in the health care industry. Examples where CaCPA might apply are:

CaCPA will take effect on January 1, 2020. However, the enforcement of the new law has been pushed back to July 2020. There is broad agreement that the California legislature and the state Attorney General will have to revisit CaCPA to address a number of drafting errors and an array of contradictory provisions that make compliance impractical.

Some may be tempted to hold off assessing how the CaCPA may apply to their company until all the kinks have been worked out. But, the scope and reach of the new law to organizations that do business in California, makes waiting for the legislature to get its act together is a very risky proposition. CynergisTek can help assess and develop your privacy program, policies, and/or procedures.

Learn more.