
CCPA 2020 and the Healthcare Sector


Jeffrey Aleixo

In June 2018, California passed a privacy law that went into effect on January 1, 2020. The California Consumer Privacy Act (CCPA) has a wide definition of what is considered private data. In some ways, the CCPA 2020 goes even further to protect private information compared to the General Data Protection Regulation (GDPR) passed by the European Union. 

Providers in the healthcare sector need to comply with regulations regarding protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA). They also have to follow regulations for medical information under the California Confidentiality of Medical Information Act (CMIA). In addition to all of this, the CCPA 2020 sets additional privacy protections for personal information.

The CCPA exempts certain patient information from its requirements, but it does not provide precise exemptions for healthcare providers. Therefore, businesses operating in the healthcare sector should pay close attention to the CCPA’s healthcare-related exemptions and the applicability of the CCPA 2020 requirements to certain data.

Applicability of CCPA 2020

Any company with annual revenue of at least $25 million that serves California consumers has to comply with the privacy law. Also, companies that get more than half of their revenue from the sale of personal data or collect data on at least 50,000 people need to comply with the CCPA. California consumers can request to view any information a company has saved about them and ask for a list of all the third parties that their data is shared with. In case these privacy guidelines are violated, consumers can sue the companies that have collected their data.

Before the CCPA, healthcare data privacy and security in California were primarily regulated through HIPAA. However, HIPAA’s focus is primarily on health insurance and it only applies to covered entities holding protected health information.

On the other hand, the CCPA 2020 applies to all for-profit organizations that do business in California and operate above certain revenue and data processing thresholds. The CCPA exempts personal data protected by HIPAA and CMIA, meaning that some types of personal healthcare data continue to be covered by the existing rules. However, the CCPA now covers the majority of other personal data created, processed, and exchanged by healthcare organizations. As a result, it is hard to understand when healthcare data is protected by data privacy rules and when it is not.

Private data under the CCPA

According to the CCPA, personal information refers to non-public information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Types of data described as personal information under the CCPA 2020 include identifiers such as name, postal address, email address, online identifier, IP address, Social Security number, driver’s license number, passport number, and other similar identifiers.

The following data types that organizations in the healthcare sector handle could be subject to the CCPA:

  • Personal information that is not regulated by the CMIA or HIPAA and is collected through websites, health apps, health portals, and other digital technology or connected devices;
  • Personal information processed by the non-healthcare components of a HIPAA hybrid entity or information processed between a non-profit institution and its CCPA-covered affiliates, partners or related entities;
  • Pending a proposed amendment that may exclude certain employee data, personal information about employees that is collected or processed in an employer function rather than by a HIPAA-covered health plan. The CCPA also covers general employee information such as Social Security numbers, tax IDs, driver’s license numbers, and biometric or demographic information;
  • Personal information collected through in-person conferences, fundraisers, marketing events or similar activities;
  • Personal information processed for research that falls outside the CCPA’s clinical research exemption.

CCPA 2020 Impact on Healthcare Sector

There are significant changes to the way personal data and healthcare data in particular need to be handled under the CCPA. Accordingly, healthcare organizations should take into account the following alterations while obtaining, processing, and storing personal information:

All individuals within healthcare organizations have their data privacy protected

Prior to the CCPA 2020, individuals who were not patients within organizations in the healthcare sector were not covered by HIPAA, but now personal data of non-patients engaging with HIPAA-covered healthcare organizations will be covered. To comply with this, HIPAA-covered organizations and other healthcare organizations will now need to have policies and processes for the protection of all of their employees’ personal data. In addition to this, they will have to protect any employee data shared with third parties.

Organizations operating in California that are not covered by HIPAA but handle personal healthcare data also need to comply

These organizations will now need to follow the CCPA 2020 requirements for all of the personal healthcare data they hold and process. Apart from adopting new approaches for securely managing personal data, organizations will also need to inform the individuals affected about these changes.

Healthcare companies doing business in California will have to apply CCPA to their entire US organization 

Healthcare sector organizations that process data on California residents will have to apply CCPA data protection policies and processes across their entire corporate network.

Preparing for Changes in Healthcare Sector

CCPA 2020 does not restrict itself to a particular industry, type, or use of data. It covers personal information quite broadly and includes exceptions for particular types or uses of data that are already regulated. As a result, there are cases where the new requirements do not align with existing rules.

Most providers assume that their personal health information is exempt because they are covered by HIPAA. However, organizations in the healthcare sector should carefully examine the information they collect, consider whether the CCPA applies to specific categories of data, and implement the required consumer protections on time.

Since the healthcare industry is already heavily regulated, every organization needs to assess its compliance while taking into account the new CCPA regulations. It is also likely that additional privacy regulations will follow in other states as well as globally. Such an environment of intense regulatory change, combined with CCPA ambiguities, compliance challenges, and significant penalties, highlights the importance of a proactive approach to data privacy. With such an approach, healthcare organizations can manage the CCPA’s immediate requirements and prepare for any future privacy-related concerns.
