Compliance with the California Consumer Privacy Act: 9 Considerations for Healthcare Organizations


By Wes Morris

Enacted as a direct result of the March 2018 case of data misuse by data mining firm Cambridge Analytica, the California Consumer Privacy Act (CCPA) of 2018 has been in effect for nearly 60 days; however, the act continues to undergo modifications to clarify certain requirements and terms.  Although it is in force, the State Attorney General cannot bring an enforcement action until July 1 of this year. 

The CCPA creates new consumer rights related to accessing, deleting and sharing of personal information that is collected by commercial businesses. Businesses are subject to the CCPA if they meet certain thresholds related to their revenue, and the amount of personal information the business buys, receives or sells.  Rather than enumerate all of the requirements here, our focus in on how this legislation affects those in the healthcare industry. 

Although many consider the CCPA to be modeled around the requirements of the European Union’s GDPR, these are separate legal frameworks with different requirements.  A business that is subject to GDPR must still consider their obligations under the CCPA, as there are distinctions between the two frameworks.  

California businesses already required to be HIPAA compliant are exempt from the CCPA, but the exemption only applies to protected health information (PHI). If there is personally identifiable information collected through other means and purposes, that information must be considered under CCPA. 

Below are nine areas for healthcare organizations to consider when seeking to comply with the CCPA’s requirements. 

Failure to recognize changes to the legislation as they are enacted

There have been two Notices of Modification to Text of Proposed Regulations on February 7 and 10, 2020, with written comment deadlines of February 25, 2020, giving both consumers and affected entities limited time to review, consider and respond.  

Healthcare is exempted for data that is covered under another regulatory requirement, such as HIPAA, but: 

Information gathered from sources or purposes other than HIPAA is in-scope.Example – A health plan offers a “get to know your options” seminar free to the public that requires registering with personal information. Such information would likely not be protected under HIPAA but may be considered covered under the CCPA. 

Using individual consumer names as the only way to validate the number of residents in order to determine the applicability

Example – A consumer has three devices by which they have provided information, a tablet, a laptop and a phone. Each of these devices likely counts toward the total. 

Failing to understand the different Opt-in and Opt-out provisions

The law is written so that some personal information gathering may require an Opt-out, but other information requires an Opt-in.

Failing to provide a notice prior to, or at the time of information collection that is clear, accessible (including to those with disabilities), in the languages commonly used by expected consumers and in a format that is readable on smaller screens

Proposed modifications:

  • When collecting personal over the phone or in-person, provide oral notice only. 
  • For mobile devices, for purposes a consumer would not ordinarily expect, provide just-in-time notice containing the summary of categories, with a link to the full notice. The illustrative example is a flashlight application that collects geo-location information. 

Failing to provide at least two ways for consumers to receive more information. Specifically called out are a toll-free phone number and web address if a website is used

Proposed modification: Businesses that operate exclusively on-line with a direct relationship to the consumer can provide only an email address for “Requests to Know” and “Requests to Delete”.  

Not carefully considering the definition of “personal information” in determining the applicability

The definition in use is very broad and includes “indirect” identification of a person. 

Failing to confirm receipt of a “Request to Know” or “Request to Delete” within 10 days, and/or responding to such requests within 45 days

An optional 45-day extension can be made, but only with notice to the requestor within the original 45 days.

Secondary use of information beyond the categories or purpose(s) for which the consumer was given notice

Additional notice is required. Example – The health plan offering the “get to know your options” seminar states that it will collect only the minimum identifiers of name and email address, but in the sign-up process seeks information such as current health conditions, current health plan provider, or health plan number, and also captures static IP addresses associated with the consumer. 

Wes Morris is a Managing Principal Consultant with Clearwater, the leading provider of Enterprise Cyber Risk Management, HIPAA compliance software and consulting services for the healthcare industry. Its solutions enable organizations to gain enterprise-wide visibility into cybersecurity risks and more effectively prioritize and manage them, ensuring compliance with industry regulations.