The State of Privacy Law in California and What It Means for Healthcare

The foundation of much of the privacy law in the United States is sectoral in nature – HIPAA for healthcare, Gramm-Leach-Bliley for banking, etc. In both these examples, privacy is not the central component, but is part of a much larger construct. As regards healthcare privacy, HIPAA sets the floor below which you may not go, but it allows plenty of room for states to take higher-level actions. California is one state that has done quite a bit to go beyond the protections provided under HIPAA, as reflected by the California Consumer Privacy Act (CCPA) that is now in force in the state.

In this blog, I will start there but move beyond that legislation to address the potential further evolution of privacy law in the state through the California Privacy Rights Act (CPRA). The CPRA is being presented as a “red-line” to the CCPA, and it will be on the ballot for consideration by California voters this November[1].

The ramifications of the CCPA and this new potential expansion of the law on the healthcare industry are significant, impacting not only those organizations based in California but also those doing business in California, regardless of their physical location. Commercial health plans and healthcare start-ups may be especially affected.

A Brief Review of the CCPA

I have heard people refer to the CCPA as California’s version of the General Data Protection Regulation (GDPR) of the European Union. It does have some similarities to the GDPR, but it leaves out a few major things such as requiring companies to have a valid reason for processing data and minimizing the amount of data that they actually collect. Those stipulations were put in place by the GDPR, but the CCPA doesn’t address them.

What the CCPA does focus on is consumer rights. It gives consumers the right to know about the information that a business collects on them and how that information is used and how it is shared. It also gives consumers the right to ask that you delete personal information that is collected about them, but there are some exceptions to that particular right. Requests to delete personal information do not need to be honored if the information is needed:

  • To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes
  • For certain business security practices
  • For certain internal uses that are compatible with reasonable consumer expectations
  • To comply with legal obligations, exercise legal claims or rights, or defend legal claims

Requests to delete also do not need to be honored if the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.

I have heard others state that this law does not apply to covered entities under HIPAA. That’s a slight misstatement. It does not apply to protected health information (PHI) created or maintained by a covered entity. Personal information that is not PHI is likely protected under CCPA. Considerations include:

Information that was not collected as part of treatment, payment or healthcare operations

  • Data purchased or received from Consumer Reporting Agencies
  • Marketing or community engagement data

Not all health information is PHI

  • Depends on who created it and why (think workers’ compensation carriers)
  • Health info collected from an individual on an app (think Apple Health)
  • Employment records

It was once PHI but has been de-identified

  • Data de-identified under HIPAA may still be personal information under CCPA

Using PHI to create new data sets that are not PHI

  • Inferences drawn from information that can be reasonably linked to an individual

It is important to be careful and not to think, “We’re a covered entity and therefore completely exempt from the CCPA.” The PHI you hold is certainly carved out, but the CCPA may still apply to the other information you hold.

It is also important to note that your organization does not have to be based in California to fall under the auspices of the CCPA. For-profit organizations that do business in California and meet any of the following criteria must abide by the law:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of your annual revenue from selling California residents’ personal information

How the CPRA Revises and Expands on the CCPA

As I stated earlier, the CPRA is a red-line to the CCPA. Therefore, it’s a revision and expansion of the original legislation, not a new law. If approved by a simple majority of California voters this November, the CPRA would become effective in January of 2023, with enforcement beginning in July of that year. However, it is important to understand that there would be a one-year look-back, meaning the CPRA would apply to personal information collected after January 1st of 2022.

One of the more interesting aspects of this particular act is that it would create a new entity – the California Privacy Protection Agency – that would assume the CPRA’s rulemaking and enforcement powers. In addition, the thresholds I noted earlier change slightly with the CPRA:

  • Business with adjusted gross revenue in the previous year of $25 million;
  • Annually buys, sells or shares the personal information of 100,000 California residents or households;
  • Derives 50% or more of annual revenues from selling or sharing personal information

Note that I emphasized the word “sharing” in both of the last two bullets. The addition of that word in the CPRA essentially eliminates the argument of “We didn’t sell it to anybody, we gave it to them.” Enforcement penalties under the CPRA would be similar to those under the CCPA, with one addition:

  • $2,500 for each violation
  • $7,500 for each intentional violation
  • $7,500 for each violation where there is knowledge the consumer is under 16 years of age (added to the CPRA)

Some other key points of the CPRA to note:

  • No private right of action, except for damages for security breaches
  • General definition of personal data is similar, but with the inclusion of “Sensitive Personal Information,” which aligns more closely to the “Special Categories” of data under the GDPR and refers to things such as health data, government-issued identifiers, geolocation data, account login credentials, financial account data, racial or ethnic origin, and religious beliefs
  • Consumers have a right to limit a business’s use of their personal information to only providing the service or goods they requested
  • Ability to perform global opt-out where consumers can limit use of personal information

Protected health information would still be carved out, but other health data that is not under the banner of HIPAA would not be removed from CPRA protection. It is therefore important to know that whether a given data set falls within this particular rule really depends on who owns it, where it came from, and how it was created.

In terms of new provisions, the CPRA provides for the following:

  • Automated decision making – Businesses will have to provide meaningful information regarding the logic involved in decision making processes and the likely outcome of the process with respect to the consumer as part of a response to access requests.
  • Profiling – Automated processing to evaluate certain personal aspects related to a natural person; in particular, to analyze or predict the person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location and movements.
  • Data correction – A new consumer right.
  • Data retention – Business shall not retain the information for longer than is reasonable.
  • Breach liability – Will now include email and password or security question combinations that would permit account access.
  • Service providers and contractors – The purposes and protection of the data have to follow the contract, similar to HIPAA Business Associate Agreement Chain of Trust. Service providers and contractors must cooperate with the business in responding to consumer requests to delete personal information retained by the provider or contractor as part of the business arrangement, and will follow the same path with regard to their own subcontractors or service providers.

The Movement Toward Expanded Privacy Law Across the Country

What happens in California often ends up being reflected in other parts of the United States. So even if you’re not doing business in California, you are likely to see some of this legislation adopted by other organizations or other states, and it may even go further than what I’ve outlined above.

For example, Maine and Nevada have both expanded their privacy laws as well. Maine’s law applies to Internet Service Providers, and Nevada’s law applies to data collected from consumers through the internet.

As of this writing, eleven other states are considering privacy bills. Washington’s latest bill died in 2019, but if reintroduced this year as some expect[2], it would include provisions for:

  • Non-profits in addition to for-profit businesses
  • Businesses to justify their data collection by either user consent or being able to show a valid reason for collection

Now may not be the appropriate time for something to happen at the national level, but many expect there will be increased pressure on the federal government to develop a comprehensive federal privacy law that sets a floor beneath which no one can go. Bipartisan support for such a law has been seen as recently as last month[3].

For a deeper dive on this subject, I invite you to review my on-demand webinar presentation here, and as always, we invite you to reach out to Clearwater with your questions and concerns at

[1] Accessed August 24, 2020.
[2] Accessed August 24, 2020.
[3] Accessed August 24, 2020.
