
How CCPA Applies to Healthcare, Non-Profits, and Data Outside of California

Beginning January 1, 2020, the California Consumer Privacy Act (CCPA) requires businesses that collect, share, or sell the personal information of California residents to provide a long list of privacy rights. Much like the General Data Protection Regulation (GDPR) in Europe, CCPA is expected to dramatically alter the way American businesses use and disclose information about people and, in many cases, force organizations to reexamine their practices.

Let’s explore some myths about the CCPA and discover action steps every organization should take to minimize the risk of regulatory action or lawsuits for failing to provide California consumers their privacy rights or safeguard the security of their personal information.

Myth #1: CCPA Only Applies to Big Tech Companies

Fact: Nobody is exempt from CCPA. Organizations that have the greatest obligations and compliance risk are for-profit businesses:

The CCPA definition of personal information is broad and includes cookies, a device identifier, pixel tags, customer number, information linked to a household, and more.

Best practice: Cover your bases and make yourself fully compliant with the strictest state law in the country, as it will likely serve as a benchmark for future state laws and any federal privacy standard.

Myth #2: Healthcare Organizations Are Exempt from CCPA

Fact: CCPA exempts PHI controlled by a HIPAA covered entity or a California Medical Information Act (CMIA) provider and their business associates. Personal information not covered by HIPAA is subject to CCPA.

Data that is regulated by HIPAA standards, data held by providers under the CMIA, and clinical trial data subject to the Common Rule are exempt from CCPA’s consumer privacy rights. Health information and clinical trial data held by a covered entity that is not PHI is also exempt, so long as it is treated by the HIPAA covered entity (or provider under CMIA) with the same privacy and information security protections as HIPAA- or clinical-trial-regulated data. The exemption for identifiable health information that is outside the scope of HIPAA does not extend to business associates (i.e., contractors or vendors to providers or covered entities).

Many companies will find that CCPA’s exemption for certain types of health information will not cover large swaths of the data processed in the healthcare industry. Examples where CCPA might not apply are:

Best Practice: Err on the side of caution and become CCPA compliant. Alabama, Illinois, Massachusetts, New York, and Nevada have adopted consumer data protection laws that are more stringent than the HIPAA requirements. Many other states are considering laws that require healthcare organizations to protect all personally identifiable information.

Myth #3: Non-Profit Healthcare Organizations and Small Companies Don’t Meet the CCPA Thresholds, so They Are Off the Hook

Fact: A non-profit healthcare facility, provider, or health plan may be obligated to comply with the CCPA indirectly if it processes the personal information of California residents through an agreement with one of its customers, or if it controls a health information exchange (HIE) or hosts some other type of electronic health information network.

Best Practice: In order to comply with CCPA, you will need to ensure your third-party service providers use information in a way that allows you to be compliant. For example, they have to agree not to sell information about consumers, use it only as permitted, and delete information as requested. Otherwise, your organization is liable for violations of the CCPA.

Myth #4: There Is No Rush to Comply with CCPA

Fact: The reality is if you have not begun to prepare for compliance with the CCPA, you are taking a very big gamble.

Best Practice: Get started now by building a CCPA-focused data mapping exercise. Get your service providers on board by modifying existing agreements to prohibit the unauthorized use or sale of personal information.

The CynergisTek team is here to assist you with CCPA and will be offering more robust privacy services with our acquisition of Backbone Consultants. Please contact us if you want more information and/or need help updating your privacy, security, and breach notification standards.