A recent study published in this month’s issue of Health Policy and Technology included these key findings: healthcare companies think the CCPA lacks regulatory clarity and has a low risk of enforcement. If Europe’s GDPR and California’s enforcement activities thus far are any guide, healthcare companies that fall into complacency about CCPA enforcement will be in for a rude awakening.
Among data privacy considerations that are particular to the healthcare industry are the following:
- Some healthcare companies are non-profits, and non-profits are exempt from CCPA compliance.
- Many healthcare companies feel compliance with the Health Insurance Portability and Accountability Act (HIPAA) is sufficient to cover CCPA compliance needs.
- De-identification of individuals in healthcare data is enough to satisfy CCPA requirements.
As explained below, healthcare companies would do well to think deeper about these data privacy considerations. Let’s take a look at each of these.
It is true that non-profit organizations are exempt from the CCPA, at least for now. However, in a statement by Pavankumar Mulgund, the study’s lead author and a clinical assistant professor of management science and systems at the University of Buffalo, he noted that “given the law’s broad definition of ‘business’ and ‘consumer,’ companies across the U.S. that collect user data and deploy cookies must comply with the CCPA.” The line between collecting information related to a healthcare company’s sale of products and services and personal health information about a consumer can get blurry inside the complex data ecosystems of hospitals, health insurance providers, and other industry players. As Mulgund indicates, the California AG’s office has made a point of targeting cookies as part of CCPA enforcement. From this perspective, a healthcare company’s non-profit status may shield it from many, but not all, of the CCPA’s compliance requirements.
On to the second point, HIPAA compliance vs. CCPA compliance. Mulgund’s study, titled The implications of the California Consumer Privacy Act (CCPA) on healthcare organizations: Lessons learned from early compliance experiences, finds that the interplay of the two laws creates confusion (and headaches) for healthcare companies. As reported in Healthcare IT News, the study’s researchers explained that “several types of data collected by HIPAA-compliant healthcare organizations potentially fall within the jurisdiction of the CCPA, but there is significant regulatory ambiguity around such data.” The ambiguity is understandable: healthcare companies already expend considerable resources complying with HIPAA, and may not understand which personal information falls under HIPAA and which falls under the CCPA.
Other industries have similar complaints about ambiguity. Financial services companies, for instance, face compliance requirements about how to handle sensitive financial information under the Gramm-Leach-Bliley Act (GLBA). As the Privacy Lock Blog explains, “CCPA compliance requirements extend well beyond the GLBA and the California Financial Information Privacy Act…In practice, this means that financial institutions that collect personal data unrelated to providing financial products or services must have a process in place to identify what information is subject to the GLBA and what information they have that otherwise would be covered by the CCPA. This will require them to map their data, make sure they can identify what data they collect and for what purpose, and perhaps reassess their privacy policies and practices to account for the interaction between the GLBA and the CCPA.” The lesson is the same for healthcare companies: they will likely need to adopt some form of data inventory management and data mapping strategy to implement both HIPAA and CCPA compliance.
Third on the list is avoiding CCPA compliance by virtue of de-identifying information about patients and healthcare recipients. This is indeed a gray area that deserves greater clarity from both HIPAA and CCPA regulators. De-identification means removing the name and other personally identifying information from healthcare records that might allow someone to tie the data back to the individual who provided it. The CCPA does not restrict a business from collecting, using, retaining, selling, or disclosing consumer information that is de-identified or aggregated. However, the CCPA establishes a high bar for claiming data is de-identified. Another problem is that de-identification does not always work. Sophisticated attackers and data specialists can often reverse engineer datasets and figure out the individual from whom the data was collected, typically by linking the remaining attributes (such as location, age and sex) with other data sources. This is a real problem that healthcare companies face, and it is possible regulators could hold companies responsible for a privacy breach resulting from this type of failed de-identification.
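One way to check a dataset for this failure mode before calling it de-identified, as an added example that is not part of the article or the study it discusses: the records below are constructed, names have already been removed, and the remaining columns (three-digit ZIP prefix, birth year, sex) are treated as quasi-identifiers. The check reports the k-anonymity of the table and which attribute combinations single out exactly one patient, then shows how coarsening those attributes raises the bar.

```python
from collections import Counter

# Constructed sample extract with direct identifiers (name etc.) stripped.
# "diagnosis" is the sensitive column; the other three are quasi-identifiers.
RECORDS = [
    {"zip3": "941", "birth_year": 1958, "sex": "F", "diagnosis": "I10"},
    {"zip3": "941", "birth_year": 1958, "sex": "F", "diagnosis": "E11"},
    {"zip3": "941", "birth_year": 1962, "sex": "M", "diagnosis": "I10"},
    {"zip3": "941", "birth_year": 1965, "sex": "M", "diagnosis": "J45"},
    {"zip3": "902", "birth_year": 1983, "sex": "M", "diagnosis": "F32"},
    {"zip3": "902", "birth_year": 1983, "sex": "M", "diagnosis": "I10"},
]
QUASI_IDS = ("zip3", "birth_year", "sex")


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest class size: every record is hidden among at least k others."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_ids=QUASI_IDS):
    """Quasi-identifier combinations that match exactly one record.

    Anyone who knows a patient's ZIP prefix, birth year and sex (public or
    easily observed facts) can attribute that record's diagnosis to them.
    """
    classes = equivalence_classes(records, quasi_ids)
    return sorted(key for key, n in classes.items() if n == 1)


def generalize(records, year_bucket=10, zip_digits=2):
    """Coarsen quasi-identifiers: birth year to a decade, ZIP to fewer digits.

    Generalization trades analytic precision for larger equivalence classes;
    it must be re-checked with k_anonymity() rather than assumed to be enough.
    """
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        g["zip3"] = r["zip3"][:zip_digits]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS), "singled out:", singled_out(RECORDS))
    print("k after generalization:", k_anonymity(generalize(RECORDS)))
```

The choice of quasi-identifiers is the judgement call: any column an outside party could plausibly know about a person belongs in `QUASI_IDS`, and a k of 1 on that set means the name removal alone did not de-identify the data.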
Mulgund’s study concludes that “healthcare organizations may be subject to CCPA, primarily when they collect personally identifiable information that is not protected health information. Such organizations may need to comply with both regulations. Furthermore, it is in their best interest to develop compliance plans proactively rather than being caught in the quandary of last-minute implementation or expensive litigation.”
Said another way, it is better to take preventive medicine now than to wait for CCPA enforcement to target healthcare providers for non-compliance. After all, healthcare information is among the most sensitive data there is, and among the most damaging to consumers if breached by nefarious actors.