What the CCPA Means for Healthcare Compliance
Healthcare compliance is never static. There are always changes, whether that be in the technology or with regulations. Now, there’s a new statute that has healthcare organizations rethinking privacy. The California Consumer Privacy Act (CCPA), which became effective in 2020, sets new standards and requirements for businesses collecting, sharing, or selling California residents’ personal information.
The impact of this law may not be as significant for healthcare as for other industries. However, it still changes the game, and not just for California companies, because it applies to the personal information of any Californian. To help life sciences organizations understand its effect and how to ensure compliance, we’re offering an overview of the law and the best practices to adopt.
The CCPA: An Overview
Legal pundits call the CCPA the strictest consumer data protection law in the U.S. Its focus is to protect consumers from companies selling their data. Many see it as a consequence of the Facebook/Cambridge Analytica scandal, which revealed how little regulation governed the way businesses collect and use personal information that users never intended to share. It also follows in the footsteps of the European Union’s General Data Protection Regulation (GDPR).
The statute provides California consumers the right to know what data businesses collect on them, where the information originates, how companies use it, and if it’s shared. The critical requirements include:
- A business must disclose to consumers its data collection and sharing practices and why it collects the information.
- Consumers may request that their information be deleted.
- Consumers can opt out of the sale or sharing of their information.
- Businesses may not sell any information of consumers under age 16 without explicit consent.
- If the business does sell consumer data, it must identify the third party.
For companies that violate the law, the attorney general can levy civil penalties of $2,500 for each violation or $7,500 for each intentional violation.
What Businesses Must Comply?
The CCPA applies to for-profit businesses that collect and process personal data from California residents and that also meet one of these additional conditions:
- Annual gross revenue of $25 million
- Obtains personal information from more than 50,000 California residents, households, or devices each year
- Generates more than 50 percent of its revenue from the sale of consumers’ personal information
The law does not apply to non-profit organizations, so it excludes many healthcare organizations such as hospitals and health systems. For-profit healthcare organizations, such as life sciences companies and payers, are subject to the terms of the CCPA for any non-health data they collect.
Since it applies to all California residents, the law reaches across borders, not just state lines but national ones. This international reach makes it similar to GDPR, which U.S. companies must abide by for their EU customers.
What Is Personal Information?
The law defines personal information as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
That definition is very broad. It would include Social Security numbers, dates of birth, certain demographic information, financial account data, and biometrics.
Personal information does not include de-identified or aggregated data that cannot specifically identify an individual or household.
Is it the same as protected health information (PHI)? PHI, as described by the Health Insurance Portability and Accountability Act (HIPAA), is any individually identifiable health information, so there is overlap, but the law does make exclusions for health data.
Health Data Exclusions Under the CCPA
The CCPA has an exclusionary clause regarding health information already covered by HIPAA or California’s health privacy law, the Confidentiality of Medical Information Act (CMIA).
Further, data from clinical trials, which is pertinent to life sciences organizations, will continue to fall under previously established regulations, including Food and Drug Administration (FDA) requirements, Good Clinical Practice (GCP) guidelines, and the Common Rule.
CCPA’s Impact on Healthcare Compliance for California Companies and Those Serving the State’s Residents
Even though these exclusions exist, it’s not as if there is no impact on healthcare organizations that meet the standards described above. Organizations in this realm often gather information that exceeds PHI’s bounds, such as payment information or other identifiable data. Additionally, every healthcare organization, including life sciences, has public-facing websites that collect visitors’ data for marketing reasons. That would certainly fall into the CCPA bucket.
Also, since this law is new, there is still room for interpretation, and the CCPA may well impose a higher standard for data management practices than HIPAA does. One such scenario is data sharing by organizations motivated more by profit than by patient care. Legal pundits point to Google’s Project Nightingale as an example. The gist of this controversy is that Google amassed health records from 21 healthcare facilities to better position itself in the healthcare vertical, and did so without patient consent or knowledge.
Practical Steps for Healthcare Entities to Take to Ensure Compliance
There are some immediate things you can do to ensure CCPA compliance, including:
- Notifying consumers, before or at the time of data collection, about which information you’ll collect and how you’ll use it
- Inserting a link on your website that lets consumers opt out of having any personal information sold
- Updating your privacy policy to include the rights of California consumers under CCPA
- Providing multiple methods for consumers to contact you about their personal information, such as a phone number, email address, or form
- Ensuring that your employees understand the requirements under the law and can respond to consumers
California Is Likely Only the Start
California is no stranger to unique regulations, but its law is likely only the start. Both New York and Washington have similar bills on their agendas. A federal-level law could also emerge as legislators attempt to give consumers back power over their own data.
Feel Confident About Healthcare Compliance
Healthcare compliance is a complex area. New regulations only complicate it further, especially with overlap and exclusions. Having an effective Compliance & Business Ethics program is mandatory.
If you’re struggling with compliance regarding CCPA or other laws, MedCompli’s consultants can help. Our Compliance Program Assessment is a great first step. Contact us today to learn more.