
CCPA vs. HIPAA Compliance Requirements

In 2021, healthcare organizations faced record-high losses from data breaches. The average cost of a healthcare data breach reached $9.23 million, roughly $2 million more than the previous year. In March 2022 alone, 3,083,988 healthcare records were stolen, exposed, or impermissibly disclosed across 43 reported data breaches.

Privacy and security regulations are necessary because the industry handles a staggering amount of protected health information. To that end, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted.

However, on January 1, 2020, the California Consumer Privacy Act (CCPA) took effect in California. While the law contains certain exemptions for healthcare data, it still affects how healthcare organizations must handle data. This article covers the intersection of the CCPA and HIPAA for California healthcare organizations and what it means for maintaining compliance.

What Is the CCPA?

The CCPA was signed into law on June 28, 2018. Its origins can be linked to the Facebook–Cambridge Analytica data scandal, where users’ data was collected without consent for political advertising. As a result, public outcry demanded stricter data privacy laws.

The CCPA is currently among the strictest consumer data privacy laws in the U.S., modeled in part on the EU’s General Data Protection Regulation (GDPR). The GDPR, which took effect on May 25, 2018, is widely regarded as the world’s toughest consumer data privacy law.

Under the CCPA, California residents (called “consumers” in the law’s text) have the right to know the “specific pieces” of personal information businesses collect from them. Other key requirements found in the CCPA are:

  • Businesses must inform consumers, at or before the point of collection, what categories of personal information they collect and for what purposes. Additional categories of information cannot be collected, and existing information cannot be used for unrelated purposes, without first providing notice.
  • Businesses must disclose their data-sharing practices. If they sell or share consumer data, they must identify the categories of third parties receiving it.
  • Businesses may not sell the personal information of consumers under the age of 16 without explicit opt-in consent (from a parent or guardian if the consumer is under 13).
  • Businesses should readily comply with consumers’ requests to access their personal data.
  • Businesses cannot deny consumers goods or services when they exercise their rights under the CCPA.
  • Consumers have the right to request the deletion of their personal data.
  • Consumers have the right to refuse the sale or sharing of their personal data.

Regardless of where a business is located, it must comply with these requirements when handling the personal information of California residents. Failure to comply can result in civil penalties enforced by the State of California: up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving a minor’s data. In addition, the CCPA gives affected consumers a private right of action, but only for data breaches that result from a business’s failure to implement and maintain reasonable security procedures; other violations are enforced by the State.

Personal Information Defined Under the CCPA

The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples given include (but are not limited to) the following:

  • Identifiers (e.g., real names, email addresses, IP addresses, Social Security numbers, passport numbers)
  • Geolocation data
  • Biometric information
  • Professional or employment-related information
  • Internet activity information (e.g., browsing history, search history)
  • Commercial information (e.g., personal property records, purchase history)
  • Educational information (if not publicly available)
  • And more

Aggregated information (i.e., about a group of people rather than an individual) and de-identified information are not considered personal information. Note that the CCPA’s definition of “deidentified” is not merely that the data cannot identify a specific individual or household: the business must also have technical safeguards and business processes in place that prohibit re-identification and prevent inadvertent release. Data that meets that definition falls outside the CCPA’s scope.

CCPA vs. HIPAA

While the CCPA is a welcome addition for California residents, the personal data handled by the healthcare industry is already subject to HIPAA. The CCPA HIPAA exemption exists to help navigate the overlap between the two laws.

The CCPA applies only to for-profit businesses that meet at least one of its thresholds: more than $25 million in gross annual revenue; buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50 percent or more of annual revenue from selling personal information. A healthcare organization that falls below all of these thresholds (or is a nonprofit) is not subject to the CCPA, regardless of any HIPAA exemption.

The CCPA HIPAA exemption consists of two parts. The first concerns protected health information (PHI) collected by covered entities or business associates. The second concerns covered entities and providers that maintain other patient information in the same manner as PHI.

  • California Civil Code 1798.145(c)(1)(A) — Exempts PHI collected by a HIPAA covered entity or business associate, i.e., information gathered for treatment, payment, or health care operations. Personal information collected for other purposes (marketing, website analytics, employment) is still subject to the CCPA.
  • California Civil Code 1798.145(c)(1)(B) — Exempts a healthcare provider or covered entity to the extent it maintains patient information in the same manner as PHI, i.e., in compliance with HIPAA’s privacy, security, and breach notification rules. The exemption holds only as long as that information is safeguarded to the HIPAA standard; if the entity stops handling it that way, the information loses the exemption and becomes subject to the CCPA.

Health Data Exclusions Under the CCPA

The health data exclusions are not limited to HIPAA. The CCPA also excludes health information governed by other privacy laws, such as California’s Confidentiality of Medical Information Act (CMIA). In addition, information collected as part of a clinical trial is exempt, as it is already governed by the Common Rule, Good Clinical Practice (GCP) guidelines, or Food and Drug Administration (FDA) human-subject protection requirements.

For-profit healthcare organizations cannot ignore the CCPA. They regularly collect personally identifiable data (e.g., credit card information) that does not fall under the PHI exemption, and most operate websites that collect visitor data such as IP addresses and browsing activity. That data remains subject to the CCPA.

Lastly, the CCPA sets a stricter standard than HIPAA in certain circumstances. A good example is Google’s controversial Project Nightingale. Millions of health records were obtained by Google without the knowledge of patients or doctors. The arrangement was defended as permissible under HIPAA, which allows PHI to be shared with business associates “to help the covered entity carry out its health care functions.” The data was meant to be used for designing new software. Under the CCPA, this form of data sharing may not be as permissible.

Legal Risks of Aggregating Data

As mentioned, aggregated and de-identified data does not fall under the CCPA. However, this type of data carries its own risks. Data that has been aggregated or de-identified for analytics (business metrics, high-level trends, or other insights) may still be linkable to a specific individual.

Under the first part of the exemption, data collected for treatment and payment is exempt when it is used for healthcare activities. However, most organizations also use this data for other purposes (e.g., analytics for other business needs). To do so, they run it through data aggregation systems that compile and de-identify it. Depending on the method used, the output may be less anonymous than expected: stripping names and record numbers is not enough if quasi-identifiers such as ZIP code, birth date, and sex remain, because those can be linked against public records to trace a row back to an individual.

Additional complications arise from other consumer rights under the CCPA. For example, if a consumer requests that their data be deleted, the organization is obliged to comply. If that data has been folded into an aggregated data set, it must be located and extracted. This not only affects the accuracy of the analytics but is also a difficult task if the pipeline did not retain a way to find the subject’s rows.

Because the CCPA (unlike HIPAA) gives consumers a private right of action for breaches caused by inadequate security, improper aggregation brings legal risk. Any healthcare organization that depends heavily on aggregated data should work with experts who can ensure proper de-identification. Tools and processes are needed that ensure data cannot be re-identified yet can still be located and extracted when a consumer requests deletion.
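The two risks described above (re-identification of a “de-identified” export and the locate-and-extract step for a deletion request) are concrete enough to check in code. The following is an added example, not code from the original article or from any vendor’s aggregation system. It uses a constructed, hypothetical export in which direct identifiers were removed but the quasi-identifiers zip, birth_year, and sex were kept, plus a constructed public dataset to join against; the pseudonyms, names, and helper functions are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed, hypothetical "de-identified" analytics export: names, MRNs and
# addresses were stripped, but zip / birth_year / sex were kept for analytics.
# Pseudonyms and diagnoses are invented for this example.
RECORDS = [
    {"pseudonym": "p01", "zip": "94110", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"pseudonym": "p02", "zip": "94112", "birth_year": 1987, "sex": "F", "diagnosis": "diabetes"},
    {"pseudonym": "p03", "zip": "94110", "birth_year": 1984, "sex": "M", "diagnosis": "hypertension"},
    {"pseudonym": "p04", "zip": "94118", "birth_year": 1981, "sex": "M", "diagnosis": "asthma"},
    {"pseudonym": "p05", "zip": "95014", "birth_year": 1971, "sex": "M", "diagnosis": "depression"},
    {"pseudonym": "p06", "zip": "95014", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
    {"pseudonym": "p07", "zip": "94110", "birth_year": 1984, "sex": "F", "diagnosis": "migraine"},
]

# Constructed, hypothetical public dataset (think of a voter roll) that an
# attacker could join against the export on the same quasi-identifiers.
PUBLIC = [
    {"name": "Alice Example", "zip": "94110", "birth_year": 1984, "sex": "F"},
    {"name": "Bob Example",   "zip": "94110", "birth_year": 1984, "sex": "M"},
    {"name": "Cy Example",    "zip": "95014", "birth_year": 1971, "sex": "M"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def equivalence_classes(rows, keys=QUASI_IDENTIFIERS):
    """Group rows by their quasi-identifier tuple."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[k] for k in keys)].append(row)
    return classes


def k_anonymity(rows, keys=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k == 1 means some row is unique."""
    classes = equivalence_classes(rows, keys)
    return min(len(c) for c in classes.values()) if classes else 0


def unique_pseudonyms(rows, keys=QUASI_IDENTIFIERS):
    """Pseudonyms whose quasi-identifier combination appears only once."""
    return sorted(c[0]["pseudonym"] for c in equivalence_classes(rows, keys).values() if len(c) == 1)


def link(export, public, keys=QUASI_IDENTIFIERS):
    """Linkage attack: a pseudonym is re-identified when its quasi-identifier
    tuple matches exactly one export row and exactly one public row."""
    export_classes = equivalence_classes(export, keys)
    public_classes = equivalence_classes(public, keys)
    links = {}
    for qi, people in public_classes.items():
        rows = export_classes.get(qi, [])
        if len(rows) == 1 and len(people) == 1:
            links[rows[0]["pseudonym"]] = people[0]["name"]
    return links


def generalize(row):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    return {**row, "zip": row["zip"][:3] + "**", "birth_year": row["birth_year"] // 10 * 10}


def delete_subject(export, pseudonym):
    """Locate and extract every row for one subject (a deletion request).
    Returns the remaining rows and the number removed. This only works because
    the export still carries a pseudonym that a separately held key can map
    back to the consumer; a fully irreversible export could not honor it."""
    kept = [r for r in export if r["pseudonym"] != pseudonym]
    return kept, len(export) - len(kept)


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS), "unique:", unique_pseudonyms(RECORDS))
    print("raw linkage:", link(RECORDS, PUBLIC))
    gen = [generalize(r) for r in RECORDS]
    gen_public = [generalize(p) for p in PUBLIC]
    print("generalized k =", k_anonymity(gen), "linkage:", link(gen, gen_public))
    remaining, n = delete_subject(gen, "p03")
    print("after deleting p03: removed", n, "k =", k_anonymity(remaining))
```

On the raw export the smallest class has one row, and the join re-identifies p03 and p05 outright. Generalizing ZIP and birth year raises k to 2 and the join finds nothing. The last step shows the interaction with deletion requests: removing p03 leaves p04 alone in its class, so honoring one consumer’s request silently lowers the anonymity guarantee for another, and the pipeline has to re-check k after each deletion rather than assume the original de-identification still holds.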

Ensure HIPAA and CCPA Compliance for Your Organization Today

HIPAA compliance does not guarantee CCPA compliance. A violation caused by a misunderstood exemption or an unforeseen gap between the two laws could be disastrous for your organization.
Ensure that your systems and procedures are compliant on all fronts by seeking the advice of an experienced legal team. At Fenton Jurkowitz Law Group, we provide superior legal services to the healthcare industry. Feel free to reach out to us for assistance regarding CCPA vs. HIPAA compliance requirements.