Does the CCPA Apply to Information Collected, Used, or Shared by HIPAA Covered Entities and Business Associates and CMIA Providers of Health Care and Contractors?
Health care providers are familiar with their obligations regarding protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) and medical information under the California Confidentiality of Medical Information Act (the “CMIA”). However, new privacy legislation, the California Consumer Privacy Act (the “CCPA”), sets additional, broad privacy protections for personal information. Although the CCPA goes into effect on January 1, 2020, enforcement will not begin until July 1, 2020.
The CCPA exempts certain patient information from its requirements, but it does not provide categorical exemptions for health care providers or the health care industry. Businesses operating in the health care industry – facilities, providers, and their business associates and contractors – should know the CCPA’s health care-related exemptions and the applicability of the CCPA’s requirements to certain data.
The CCPA grants California-resident consumers new rights with respect to the collection and sale of their personal information by certain businesses. Under the CCPA, personal information (“PI”) is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and includes names, addresses, IP addresses, email addresses, and unique personal identifiers.[1]
For purposes of the CCPA, a “business” is a for-profit entity doing business in California that collects PI and either (1) has more than $25 million in total annual gross revenue, not only revenue from California sources; (2) annually buys, receives, sells, or shares for commercial purposes the PI of 50,000 or more consumers, households, or devices; or (3) derives fifty percent (50%) or more of its annual revenues from selling PI.[2] Because the definition is limited to for-profit entities, nonprofit and governmental entities are not subject to the CCPA’s requirements, but nonprofit entities should be aware that certain joint ventures with for-profit entities might be.
The CCPA references terms from both HIPAA and the CMIA in its health care-specific exemptions. HIPAA and the CMIA use similar, but not identical, terminology in defining who and what information is subject to each law.
For reference, here are the HIPAA and CMIA defined terms that appear in the CCPA, paired by the role each plays under its respective law:
Covered Entity (HIPAA)[3]: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA standard transaction.
Provider of Health Care (CMIA)[4]: Any person licensed or certified pursuant to Division 2 of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 of the Health and Safety Code; or any licensed clinic, health dispensary, or health facility.
Business Associate (HIPAA)[5]: A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.
Contractor (CMIA)[6]: Any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or medical service organization and is not a health care service plan or provider of health care.
Protected Health Information, or PHI (HIPAA)[7]: Individually identifiable health information transmitted or maintained in any form or medium.
Medical Information (CMIA)[8]: Any individually identifiable information, in electronic or physical form, in the possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor, regarding a patient’s medical history, mental or physical condition, or treatment.
CCPA Does Not Apply To Patient Information of Covered Entities and Providers of Health Care
If you are a covered entity or provider of health care, the bulk of the data you hold, namely data related to patients, will not be subject to the CCPA.
“Patient information” of HIPAA covered entities and CMIA providers of health care is not subject to the CCPA, provided the entity maintains that information in the same manner as PHI or medical information.[9] The CCPA does not define patient information, but the term encompasses all PHI and medical information, i.e., all individually identifiable health information maintained or transmitted by a covered entity or provider of health care, and arguably any other patient-related data that the entity protects in the same manner as PHI under HIPAA and medical information under the CMIA.
However, you will be required to comply with the CCPA to the extent you collect, use, or share data other than patient information (e.g., website tracking data, non-patient payment data, or marketing or advertising data).
CCPA Does Not Apply to Business Associates’ and CMIA Contractors’ PHI and Medical Information
Additionally, if you are a business associate or a CMIA contractor that is not itself a HIPAA covered entity, the CCPA’s requirements do not apply to the medical information or PHI you collect, use, or share.[10] This exemption is narrower than the broad exclusion of all patient information that covered entities and providers of health care can rely on.
However, you will be required to comply with the CCPA to the extent you collect, use, or share data, including patient information, that does not fall within the narrower definition of PHI or medical information.
Applicability to Other Health-Related Businesses
Health-related businesses that are not covered entities, providers of health care, business associates, or CMIA contractors may be subject to the CCPA’s requirements regarding all PI, without exception. These businesses might include joint ventures, unlicensed wellness providers, mobile health applications, hybrid entities, and other health- or wellness-related enterprises that offer services other than clinical services.
Preemption of CCPA by HIPAA?
Generally, a state law that is contrary to HIPAA is preempted.[11] A state law is contrary to HIPAA if a covered entity or business associate would find it impossible to comply with both the state and federal requirements, or if the state law stands as an obstacle to accomplishing HIPAA’s purposes.[12] A state law that relates to the privacy of individually identifiable health information and is more stringent than HIPAA, however, is not preempted.
No court or the Secretary of the U.S. Department of Health and Human Services has determined whether any provisions of the CCPA are contrary to HIPAA. The California legislature, by excluding PHI from coverage, attempted to avoid a conflict with HIPAA.
Nevertheless, covered entities, business associates, providers of health care, and CMIA contractors that meet the CCPA’s definition of a business should be prepared to comply with HIPAA with respect to PHI, with the CMIA with respect to medical information, and separately with the CCPA with respect to PI that is not patient information, PHI, or medical information. Further, even if HIPAA were to preempt the CCPA, providers of health care and contractors would remain subject to the CMIA’s requirements for medical information, since the CMIA is not preempted by HIPAA.
The HIPAA- and CMIA-related exemptions from the CCPA are limited in scope. Health care providers and businesses operating in the health care industry should carefully examine the information they collect, consider whether the CCPA applies to specific categories of data, and implement the required consumer protections, if applicable, prior to the enforcement date.
Contact the authors or your Buchalter attorney to discuss the applicability of the CCPA to your business’s data.
Notes
1. Cal. Civ. Code § 1798.140(o).
2. Cal. Civ. Code § 1798.140(c).
3. 45 CFR § 160.103.
4. Cal. Civ. Code § 56.05(m).
5. 45 CFR § 160.103.
6. Cal. Civ. Code § 56.05(d).
7. 45 CFR § 160.103.
8. Cal. Civ. Code § 56.05(j).
9. Cal. Civ. Code § 1798.145(c)(1)(B).
10. Cal. Civ. Code § 1798.145(c)(1)(A).
11. 45 CFR § 160.203.
12. 45 CFR § 160.202.