Nuanced Privacy Laws Mean Healthcare Organizations Should Prioritize Protecting Personal Information

Jackson Lewis P.C.

The healthcare industry is among the most highly regulated industries when it comes to privacy protections. In addition to the federal Health Insurance Portability and Accountability Act (HIPAA), healthcare providers also must comply with a growing number of state laws governing data privacy and security. Fully complying with this patchwork of privacy protections is a complex task because these laws often classify different kinds of personal information as “protected information” and impose varying security and reporting requirements.

For example, HIPAA protects certain “individually identifiable health information,” often referred to as “protected health information” or PHI. HIPAA requires covered entities to adopt and implement a plethora of policies and technical safeguards to protect PHI. The California Consumer Privacy Act (CCPA), a relatively new law, protects consumers regarding the collection, use, processing, deletion, sale, and security of personal information, among other things, and also imposes obligations on businesses regarding the same. A healthcare provider covered by the CCPA (generally a for-profit entity doing business in California) has to comply with both HIPAA and the CCPA.

With the growing number of state laws governing privacy protection, healthcare organizations must be sure their compliance efforts consider state law in addition to HIPAA. Meshing these obligations into one cohesive privacy protection system can be complicated. (See Personal Information, Private Information, Personally Identifiable Information…What’s the Difference?). A recent article by our Jackson Lewis Privacy, Data and Cybersecurity practice group addresses these issues. The article breaks down some factors that may trigger business obligations related to personal information and applies such considerations to the healthcare industry. These factors include but are not limited to industry, business location, categories of customers, types of equipment used, specific services provided, marketing and promotion methods, the categories of information collected, and employment practices. The article also provides some examples of laws that may be triggered (although it is not exhaustive).

So, what is the takeaway? Healthcare organizations should regularly evaluate their compliance efforts around the protection of personal information. This starts with understanding the state and federal laws applicable to their business. From there, healthcare organizations must work to establish and implement policies and safeguards that meet their obligations under each of the applicable laws. Failing to meet these obligations could expose an organization to potentially significant liability and reputational harm. To ensure compliance, healthcare organizations should, at minimum, consider doing the following:

  • Implement comprehensive data safeguards;
  • Conduct cybersecurity assessments;
  • Reconsider the types of data collected and the purposes for collection;
  • Determine whether data collected is the minimum necessary to accomplish the intended purpose; and
  • Monitor pending privacy legislation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising
