What the CCPA Means for Healthcare Compliance

Healthcare compliance is never static. There are always changes, whether that be in the technology or with regulations. Now, there’s a new statute that has healthcare organizations rethinking privacy. The California Consumer Privacy Act (CCPA), which became effective in 2020, sets new standards and requirements for businesses collecting, sharing, or selling California residents' personal information.

The impact of this law may not be as significant for healthcare as other industries. However, it still changes the game, and not just for California companies. It applies to the personal information of any Californian. For life sciences organizations to understand its effect and how to ensure compliance, we’re offering an overview of the law and best practices to take.

The CCPA: An Overview

Legal pundits call the CCPA the strictest consumer data protection law in the U.S. Its focus is to protect consumers from companies selling their data. Many see it as a consequence of the Facebook/Cambridge Analytica scandal, which revealed how little regulation governs how businesses collect and use personal information without the user's intent. It also follows in the footsteps of the European Union's General Data Protection Regulation (GDPR).

The statute provides California consumers the right to know what data businesses collect on them, where the information originates, how companies use it, and if it’s shared. The critical requirements include:

For companies that violate the law, the attorney general can levy civil penalties of $2,500 for each violation or $7,500 for each intentional violation.

What Businesses Must Comply?

The CCPA applies to all for-profit businesses that collect and process personal data from California residents. The business must also meet one of these additional conditions:

The law does not apply to non-profit organizations, so this excludes many healthcare organizations such as hospitals and health systems. Healthcare organizations on the for-profit side, such as life sciences companies and payers, are subject to the terms of the CCPA for any non-health data they collect.

Since it applies to all California residents, the law reaches across borders, not just within the country but globally. This international reach makes it similar to the GDPR, which U.S. companies must abide by for their EU customers.

What Is Personal Information?

The law defines personal information as "information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household."

That definition is very broad. It would include Social Security numbers, dates of birth, certain demographic information, financial account data, and biometrics.

Personal information does not include de-identified or aggregated data that cannot specifically identify an individual or household.

Is it the same as protected health information (PHI)? PHI, as described by the Health Insurance Portability and Accountability Act (HIPAA), is any individually identifiable health information, so there is overlap, but the law does make exclusions for health data.

Health Data Exclusions Under the CCPA

The CCPA has an exclusionary clause regarding health information already covered by HIPAA or California’s health privacy law, the Confidentiality of Medical Information Act (CMIA).

Further, data from clinical trials, which is pertinent to life sciences organizations, will continue to fall under previously established regulations, including Food and Drug Administration (FDA) requirements, Good Clinical Practice (GCP) guidelines, and the Common Rule.

CCPA’s Impact on Healthcare Compliance for California Companies and Those Serving the State's Residents

Even though these exclusions exist, healthcare organizations that meet the thresholds described above are still affected. Organizations in this realm often gather information that exceeds the bounds of PHI, such as payment information or other identifiable data. Additionally, every healthcare organization, including life sciences companies, has public-facing websites that collect visitors' data for marketing purposes. That data would certainly fall into the CCPA bucket.

Also, since this law is new, there is still room for clarification, and the CCPA may well impose a higher standard for data management practices than HIPAA does. One such scenario is data sharing by organizations that are more about profit than patient care. Legal pundits point to the example of Google's Project Nightingale. The gist of this controversy is that Google amassed health records from 21 healthcare facilities to better position itself in the healthcare vertical, and did so without patient consent or knowledge.

Practical Steps for Healthcare Entities to Take to Ensure Compliance

There are some immediate things you can do to ensure CCPA compliance, including:

California Is Likely Only the Start

California is no stranger to unique regulations, but its law is likely only the start. Both New York and Washington have similar bills on their agendas. A federal-level law could also emerge as legislators attempt to give consumers back power over their own data.

Feel Confident About Healthcare Compliance

Healthcare compliance is a complex area. New regulations only complicate it further, especially with overlap and exclusions. Having an effective Compliance & Business Ethics program is mandatory.

If you’re struggling with compliance regarding CCPA or other laws, MedCompli’s consultants can help. Our Compliance Program Assessment is a great first step. Contact us today to learn more.