Preparing Healthcare Organizations for the California Consumer Privacy Act

Manatt, Phelps & Phillips, LLP

Editor’s Note: The California Consumer Privacy Act (CCPA)—the strictest consumer privacy and data protection law in the country—goes into effect on January 1, 2020. The CCPA exempts nonprofit entities that handle healthcare information, as well as providers and businesses already covered by the Health Insurance Portability and Accountability Act (HIPAA). The law could, however, have an enormous impact on a wide range of consumer-directed healthcare organizations, including those working with pharmaceutical and medical device manufacturers, digital health organizations, healthcare technology companies, wearables manufacturers, and mHealth app developers.

In a recent interview with Healthcare Innovation, summarized below, Manatt’s Brandon Reilly discusses the CCPA’s requirements, exemptions and potential effects. Click here to read the full article. To learn how you can prepare your organization for the open (and hidden) litigation risks that the CCPA presents, click here to register free for our upcoming webinar (and earn CLE).

_________________________________________________

Health Systems and Insurers Could Be Impacted (Even Non-Profits)

Most health insurers and providers assume that their personal health information (PHI) is exempt, since they are covered by HIPAA. But that assumption needs to be carefully tested, because HIPAA’s definition of PHI is so context-specific. Healthcare organizations need to be very sure about how they are collecting information to figure out whether the CCPA applies.

How, why and with whom entities are sharing information also come into play when determining if the CCPA applies. For example, telehealth and other health-adjacent tech companies are likely to be collecting nonexempt data, such as data purchased from data brokers, non-health-related entities or profiling companies whose data is used for market intelligence in a way that is not sufficiently related to providing healthcare or insurance services.

Even if the data that a health insurer purchases is about its own members, that does not mean it is automatically exempt. If the data was originally created for providing healthcare services, it might be exempt. If, however, it is simply a data set of demographic profiles, then it may not be.

Even nonprofits need to be cautious. It’s true that the CCPA only applies to for-profit entities. There are some circumstances, however, where a nonprofit organization could be pulled into scope based on an affiliation with a for-profit entity somewhere in its governance structure.

In addition, even though the CCPA exceptions might be comforting to healthcare companies, they need to take a hard look at the law. As it is currently written, the CCPA also applies to employee data, and personal information collected during employment or about potential employment is in scope. There are amendments seeking to address the issue, but right now the definition of “consumer” in the CCPA is any California resident.

Differences and Similarities Between the CCPA and Europe’s General Data Protection Regulation (GDPR)

A major difference between the CCPA and the GDPR is that the GDPR applies to all entities—for-profit and nonprofit. Europeans believe privacy is an issue whether or not entities are making money off of the data. California is focused only on the business of data.

The GDPR and the CCPA also differ in that the GDPR is prescriptive, telling businesses how to process data, while the CCPA is proscriptive, allowing businesses to process data however they want—but requiring them to stop if a consumer tells them to stop. In addition, the CCPA requires entities to disclose what they are doing.

The GDPR and the CCPA also have many similarities. Both allow consumers to learn about their personal data, delete personal data and opt out of certain activities. The GDPR also includes some additional rights, such as the right to correct certain information and an expanded right of portability.

Are Out-of-State and Wearable Tech Companies Affected?

A company based in any state might as well be based in California as far as the CCPA is concerned. As long as companies meet the CCPA’s parameters (earn $25 million in annual revenue and process data of California residents), they must comply with the CCPA.

The issue of whether the CCPA applies is murkier for wearable tech companies, with the question of why they collected the data an important deciding factor. If the data was collected to provide healthcare and the business is a covered entity or business associate under HIPAA, then it is most likely exempt. A broader, consumer-facing company that collects data for a variety of reasons (such as Fitbit), however, is going to have a much harder time concluding that it is exempt from the CCPA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising
