What You Need to Know:

• Starting January 1, 2023, businesses that meet CCPA thresholds must apply extensive CCPA requirements, particularly with regard to personal information concerning employees, contractors, and job applicants.
• Businesses in the health care industry must be aware of their CCPA compliance requirements and be proactive to ensure compliance.
• Compliance will require organizations to understand what health-related data they maintain, and potentially provide privacy policies and a mechanism for data subjects to exercise their rights under CCPA. These requirements are separate from and additional to similar requirements under HIPAA.

​Background

CCPA applies to any business that processes the personal information of California residents and: (i) has annual gross revenues over $25 million; (ii) annually processes the personal information of 50,000 or more California residents or households (this threshold will be increased to 100,000 by CPRA as of January 1, 2023); or (iii) derives 50 percent or more of its annual revenue from selling California residents’ personal information. Non-profit organizations are generally outside the scope of CCPA. Data governed by other data privacy laws including Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Gramm-Leach-Bliley Act are also not covered by the CPRA. However, CCPA and CPRA regulate the activities of “service providers” to covered businesses, which includes health care and life sciences entities that provide services to businesses subject to CCPA and CPRA. Such organizations may also have compliance obligations under these laws. 

In addition, at passage, CCPA included an exemption for data collected about employees and job applicants and personal data exchanged in a business-to-business context. In its summer session, the California legislature failed to enact an extension of these exemptions, meaning they will end on January 1, 2023. Businesses subject to CCPA must be prepared to comply as of that date with its requirements concerning personal data of employees, contractors, and job applicants. 

Health Care Data

Health care providers are not generally exempt from CCPA at the entity level. Instead, CCPA and CPRA provide a number of exemptions concerning health-related data sets. Specifically, under CCPA and CPRA, protected health information (“PHI”) collected by a covered entity (health care provider, health plan, or health care clearinghouse) or business associate (providing “business associate” services to a covered entity) is exempt from CCPA requirements. In addition, CPRA exempts health care providers governed by the California Confidentiality of Medical Information Act. Again, however, the provider must maintain the patient information in a HIPAA-compliant manner.  

Critically, these exemptions do not completely remove an organization from CCPA unless the organization maintains all personal information collected about an individual, including, for example, information inputted into its website or a user’s IP address or geolocation data collected during visits to the organization’s website, in the same manner as it maintains PHI (e.g., inclusion in the organization’s electronic medical record). To the extent the organization collects data on individuals who are not patients of the organization, the HIPAA exemption may not apply. And it is unlikely that most businesses in the health care space would maintain employment-related personal information in a manner that exempts that information from the scope of CCPA. This exemption patchwork means businesses in the health care industry must take steps to determine if they must comply with CCPA.

Implementation

An organization’s first step is to understand what health-related information is maintained. This can be done by creating an inventory of data and identifying what information is considered PHI under HIPAA (and what is not PHI).

If an organization collects personal information subject to CCPA, the organization should prepare and provide a full privacy policy to data subjects that incorporates all the content requirements of CCPA as amended by CPRA. Further, additional state privacy laws (such as those passed by Virginia, Colorado, Connecticut and Utah) will become applicable throughout 2023, and laws of foreign jurisdictions, such as the European Union General Data Protection Regulation, may apply. Practitioners should be aware that any requirement established by these laws constitutes a separate requirement from the HIPAA Notice of Privacy Practices. 

Finally, organizations should develop and implement a mechanism for data subjects to exercise their rights under CCPA. This means creating a procedure to receive and respond to privacy rights requests from individuals. This is a separate, additional requirement to requests under HIPAA such as Right of Access requests, which are subject to significant government enforcement.

Although health care organizations benefit from carve-outs under CCPA and CPRA, they remain subject to obligations for information collected that is not HIPAA PHI. Organizations should start the process to determine compliance requirements.