We would understand if health care organizations have been ignoring the California Consumer Privacy Act of 2018. The act was signed June 28, just before the July 4 holiday, most privacy pros have a GDPR hangover, and there’s a HIPAA exemption, so who cares — right?
Dear readers: It is our unfortunate duty to inform you that this act will significantly impact health care organizations.
In a nutshell, the California Consumer Privacy Act requires “businesses” involved in the “processing” of “personal information” of California “consumers” to provide those consumers with certain privacy rights, including a privacy notice, the right to request information about disclosures, and the right to request access to personal information or to have it deleted. These terms are broadly defined, such that the act will apply to a wide range of health care organizations processing such data across the U.S. and globally.
The CCPA also imposes significant restrictions on the “sale” of personal information, which is defined such that a wide range of disclosures will be restricted and will require many health care organizations to offer individuals clear opt-out rights. Unless material amendments are undertaken, the amount of work required to comply prior to the Jan. 1, 2020, effective date will obligate health care privacy pros to begin developing compliance plans immediately.
Application to health care entities
"Protected health information" collected by a "covered entity" governed by the California Confidentiality of Medical Information Act or U.S. Health Insurance Portability and Accountability Act is exempt. That exemption is certainly helpful when it applies, but will likely have no benefit for:
- Employee data (except when held by a HIPAA-covered health plan).
- Entities not covered by HIPAA or the CMIA, such as pharmaceutical companies, clinical research organizations, biotechnology, wearables, fitness and lifestyle apps, personal health record vendors, genetic test services, certain workplace and benefits services, and certain assisted living facilities and services.
- Business associates in many circumstances (given that BAs are not specifically exempted from the act, and may receive information from non-HIPAA-covered entities).
- A covered entity’s collection of non-PHI from consumers.
- Health care providers that do not engage in standard transactions in electronic format (as defined by HIPAA), such as cash-pay services.
Non-HIPAA-covered health care providers
A business must be a covered entity or otherwise be handling HIPAA-covered PHI before the CCPA's HIPAA exemption will apply. A multitude of health care providers operate outside HIPAA’s reach, in whole or in part, by avoiding standard transactions. Further, the consumerization of health care has driven the proliferation of non-HIPAA-covered health care services that will be subject to the act, including consumer-facing apps, wearables, mail-away lab tests, and related services addressing needs including disease management and mental health counseling.
Nonprotected health information
Regarding non-PHI, the act applies to email address, device identifiers, biometrics, geolocation and other personal data that could be associated to a person’s physical movements, use of websites or online services, and other activities that do not necessarily pertain to health, treatment or payment for treatment. As such, normal web traffic and similar behaviors tracked and collected by covered entities engaged in activities so mundane as hosting an informational website will be subject to the CCPA because the information gathered through such activities is not PHI subject to HIPAA.
Employee data
The CCPA’s application to employee data has been debated, and there is the potential to argue it may not fully apply to such data. However, the act uses the term “consumer,” defined as a “natural person who is a California resident,” suggesting that the act will apply broadly to employee data.
Further, the types of personal information covered expressly include “professional or employment-related information.” It is clear that the act will apply to job applicant data, and likely that the act will be interpreted to apply to all employee data.
Clinical trials and research
Many companies engaged in clinical trials and other health-related research are not HIPAA-covered, such as pharmaceutical companies and clinical research organizations. They may receive PHI from HIPAA-covered entities regularly pursuant to a patient authorization, but such PHI will no longer be subject to HIPAA protections once disclosed pursuant to an authorization. It is not entirely clear how the California legislature intended its act to apply to such information; however, it is extraordinarily broad and protective, and will likely apply in these circumstances. The act does include an exception to the right of erasure relating to “research” data, but as discussed below, the term “research” is defined narrowly, such that it will not apply to all health care research.
Scope and requirements
The CCPA applies to businesses that process “personal information” of California residents, when those businesses have annual gross revenues exceeding $25M; the business buys, receives, sells, or shares personal information of 50,000 or more individuals, households, or devices annually for commercial purposes; or the business derives 50 percent or more of its annual revenues from “selling” individuals’ personal information.
It includes an extremely broad definition of personal information, which includes not only “information that identifies, relates to, describes” the individual or household, but also specific illustrative examples, such as device identifiers, IP addresses, browsing history, and audio, visual, thermal, and olfactory information.
Key requirements of the act that are relevant to health care organizations include the following:
- Notice and consent: Businesses must inform individuals of the personal information to be collected and the purpose of collection before collecting such information. Health care organizations will need to evaluate their current consent forms and practices to ensure compliance with the act.
- Right of access and data portability: Individuals have a broad right to access regarding their personal information being processed, including information on the categories and “specific pieces” of personal information, along with the sources and business purpose of collection. Businesses are also obligated to deliver, upon request, such personal information to individuals free of charge by mail or electronically (in a portable and usable format); this single requirement will necessitate substantial development and implementation work for health care organizations maintaining patient portals or other electronic accounts.
- Right to erasure: Individuals have the right to request that businesses delete their personal information the business has collected. There are several exceptions to this right that are relevant to health care, including where it's necessary for the business to maintain the personal information to complete transactions or provide goods/services to individuals, engage in scientific/historical research, or comply with a legal obligation.
- Right to information about sale and opt-out rights: Individuals have the right to “explicit” prior notice and an ongoing right to opt out (via a clear and conspicuous notice stating “Do Not Sell My Personal Information”) of a business disclosing or “selling” their personal information. The term “sell” is broadly defined to include not only a commercial sale, but also disclosing information for monetary or other valuable consideration, such that individuals may opt out of such disclosures unless an exception under the act applies (e.g., individual directs the business to disclose the information, disclosures to service providers). These restrictions and opt-out rights are expected to have a significant impact on health care organizations.
- Method of request and business response: A business must make available to individuals a toll-free telephone number and a web address (if the business maintains a website) for submitting requests for access/erasure.
For further analysis of the requirements and applicability of the act generally, please see: Lothar Determann's Analysis: The California Consumer Privacy Act of 2018.
Useful exceptions for health care
The CMIA and HIPAA exemptions described above are useful, but limited, particularly for non-HIPAA covered entities. Other exceptions that will be useful in health care include an exemption for de-identified data, and an exception to the right of erasure in research contexts.
Exemption for “de-identified” personal information
The CCPA's exemption for de-identified data provides that its obligations “shall not restrict a business’s ability” to “collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.” De-identified is defined as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,” provided that the business: (1) has implemented processes and technical safeguards to prohibit reidentification and inadvertent release of the information; and (2) makes no attempt to reidentify the information.
This de-identification standard provides some assistance to health care, but organizations will need to carefully evaluate whether their de-identification techniques will bring their activities outside the act. Although the standard does not align to HIPAA, it is likely that an expert statistician’s opinion that satisfies the HIPAA standard will also be sufficient here.
Research exception to right of erasure
The act includes a right of erasure exemption that applies when a business maintains personal information to engage in scientific, historical or statistical research; if the individual has provided informed consent; the business adheres to all other applicable ethics and privacy laws; and deletion of the information will “seriously impair the achievement” of the research.
The act defines “research” narrowly, providing that personal information is not used for “research” unless it is de-identified, subject to a variety of technical controls and safeguards, and not used for any commercial purpose. As a result, this exception will not apply to all forms of health care research. If processing of personal information qualifies as research, however, then a health care organization should document the bases upon which it will deny an erasure request, and be prepared to respond to such requests as they arrive.
Other impacts on health care
The CCPA’s requirements apply far more broadly than those of pre-existing law (including the California Online Privacy Protection Act and the California Shine the Light law). Complying with the requirements will be challenging for health care from a legal, compliance, operational and resourcing perspective. We expect that the act’s enhanced privacy rights will prompt a broad range of inquiries from individuals (similar to the impact of the GDPR), including patients, regardless of the extent to which the act applies, so health care organizations should thoroughly evaluate their obligations under the act and prepare.
The law also creates a private right of action for individuals whose personal information was subject to a data breach involving unauthorized access in violation of the duty to maintain reasonable security, vastly increasing related risks — including class-action risks — for such organizations. Further, the California Attorney General's Office may pursue remedies in the event of noncompliance, and noncompliance will be much more evident due to the public-facing obligations of the law. Notably, since state attorneys general can (and often do) enforce HIPAA, we expect that noncompliance could lead to multilevel enforcement.
Compliance steps
Although the health care industry has long been subject to privacy and security regulations, the California Consumer Privacy Act is a landmark piece of legislation that will have a broad and significant impact on health care organizations. Given that the law includes challenging compliance obligations, it is recommended that health care organizations begin developing compliance plans now, including:
- Updating privacy policies, consent forms, authorizations and similar notices in compliance with the law.
- Updating subject rights policies to account for the rights conferred by the law.
- Updating data inventories to identify data collection, disclosure, retention and sale that will need to be disclosed to or modified in response to individual requests.
- Building mechanisms to receive individual inquiries through the required designated request methods, verifying individual requests, and delivering results of those requests back to individuals while meeting portability requirements.
- Addressing the impact of the restrictions on “selling” personal information and strict opt-out rights on their operations.
- Updating vendor diligence and contracting processes/templates to account for the law.
- Evaluating the law’s impact on the business's risk profile and insurance coverage.
It is possible the law may be amended in the future, but the act is not expected to be materially altered in terms of individual rights and protections because it was implemented to avoid a stricter prior ballot initiative. Health care organizations are advised to begin developing their compliance plans, rather than hoping for radical changes to the requirements and risking being caught in a compliance quandary as the implementation date approaches.