On August 31st, the California legislative session closed without passing amendments to the California Consumer Privacy Act ("CCPA"), meaning the CCPA's prior exemptions for employment and business-to-business information will no longer apply. The California Privacy Rights Act ("CPRA"), which California voters adopted through a ballot initiative in November 2020, will amend and expand CCPA effective January 1, 2023. This is notable for businesses in the health care industry because CCPA and CPRA do not provide a blanket exemption for medical data; instead, only certain health care data sets are exempt. Businesses in the health care industry must be aware of their CCPA compliance requirements, particularly with regard to personal information concerning employees, contractors, and job applicants, and be proactive to ensure compliance.
What You Need to Know:
- Starting January 1, 2023, businesses that meet CCPA thresholds must apply extensive CCPA requirements, particularly with regard to personal information concerning employees, contractors, and job applicants.
- Businesses in the health care industry must be aware of their CCPA compliance requirements and be proactive to ensure compliance.
- Compliance will require organizations to understand what health-related data they maintain, and potentially provide privacy policies and a mechanism for data subjects to exercise their rights under CCPA. These requirements are separate from and additional to similar requirements under HIPAA.
CCPA applies to any business that processes the personal information of California residents and: (i) has annual gross revenues over $25 million; (ii) annually processes the personal information of 50,000 or more California residents or households (this threshold will be increased to 100,000 by CPRA as of January 1, 2023); or (iii) derives 50 percent or more of its annual revenue from selling California residents' personal information. Non-profit organizations are generally outside the scope of CCPA. Data governed by other data privacy laws including Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and Gramm-Leach-Bliley Act are also not covered by the CPRA. However, CCPA and CPRA regulate the activities of "service providers" to covered businesses, which includes health care and life sciences entities that provide services to businesses subject to CCPA and CPRA. Such organizations may also have compliance obligations under these laws.
In addition, at passage, CCPA included an exemption for data collected about employees and job applicants and personal data exchanged in a business-to-business context. In its summer session, the California legislature failed to enact an extension of these exemptions, meaning they will end on January 1, 2023. Businesses subject to CCPA must be prepared to comply as of that date with its requirements concerning personal data of employees, contractors, and job applicants.
Health Care Data
Health care providers are not generally exempt from CCPA at the entity level. Instead, CCPA and CPRA provide a number of exemptions concerning health-related data sets. Specifically, under CCPA and CPRA, protected health information ("PHI") collected by a covered entity (health care provider, health plan, or health care clearinghouse) or business associate (providing "business associate" services to a covered entity) is exempt from CCPA requirements. In addition, CPRA exempts health care providers governed by the California Confidentiality of Medical Information Act. Again, however, the provider must maintain the patient information in a HIPAA-compliant manner.
Critically, these exemptions do not completely remove an organization from CCPA unless the organization maintains all personal information collected about an individual, including, for example, information inputted into its website or a user's IP address or geolocation data collected during visits to the organization's website, in the same manner as it maintains PHI (e.g., inclusion in the organization's electronic medical record). To the extent the organization collects data on individuals who are not patients of the organization, the HIPAA exemption may not apply. And it is unlikely that most businesses in the health care space would maintain employment-related personal information in a manner that exempts that information from the scope of CCPA. This exemption patchwork means businesses in the health care industry must take steps to determine if they must comply with CCPA.
An organization's first step is to understand what health-related information is maintained. This can be done by creating an inventory of data and identifying what information is considered PHI under HIPAA (and what is not PHI).
Finally, organizations should develop and implement a mechanism for data subjects to exercise their rights under CCPA. This means creating a procedure to receive and respond to privacy rights requests from individuals. This is a separate, additional requirement to requests under HIPAA such as Right of Access requests, which are subject to significant government enforcement.
Although health care organizations benefit from carve-outs under CCPA and CPRA, they remain subject to obligations for information collected that is not HIPAA PHI. Organizations should start the process to determine compliance requirements. Saul Ewing's health care, cybersecurity and data privacy lawyers can help organizations identify their compliance obligations and prioritize the necessary tasks.
This alert was written by Samantha Gross, Associate in the Firm's Health Care Practice, and Patrick M. Hromisin, Counsel in the Firm's Cybersecurity and Privacy Practice. Samantha can be reached at (215) 972-7161 or Samantha.Gross@saul.com. Patrick can be reached at (215) 972-8396 or Patrick.Hromisin@saul.com. Please reach out to either author with questions about how this change to CCPA may impact your organization. This alert has been prepared for information purposes only.