October 22, 2019
Complying with the California Consumer Privacy Act: Are Health Care Organizations "Home Free"?

On June 28, 2018, California enacted the California Consumer Privacy Act (CCPA) and amended it on September 23, 2018. The CCPA breaks new ground in state privacy law and imposes consumer protections comparable to those of the European Union's General Data Protection Regulation (GDPR). As companies prepare for the January 1, 2020 compliance date, a great deal of confusion remains over the CCPA's requirements, and some of it concerns the exemptions for health information. One common misperception is that all health information is exempt under the CCPA. The CCPA does exempt protected health information (PHI) under Section 1798.145(c)(1)(A) [1], but many companies, including health care providers, maintain health information that is not PHI. A common example is health information embedded in employment records: an employee's file contains medical information whenever the employee has requested short-term disability leave.

When health information does not fall within the definition of PHI under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the CCPA's requirements apply. There is, however, a further CCPA exception for health information, whether PHI or not, that a health care provider or HIPAA covered entity maintains in the same manner as PHI. This exception is set forth in Section 1798.145(c)(1)(B). [2] Extending HIPAA protections to non-PHI would have a variety of administrative consequences for a company, including re-training its entire workforce on the broadened scope of its HIPAA compliance measures. It also raises open questions: if a company elected to treat all health information as PHI, would an employee gain the right to access and amend employment records, or would the company have to account for disclosures of employment information as HIPAA requires for PHI? These questions have not yet been answered.

It is not yet clear what will constitute full and functional compliance on January 1. As that date approaches, we will be watching for further guidance from California regulators.


[1] Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

[2] A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About this Author

Associate

Kristen focuses her practice on health care transactions, regulatory matters, and general contracting. Her experience includes counseling clients on both investing in and exiting from the health care space, drafting compliance plans and policies, facilitating deals and conducting due diligence to assess risk, addressing employment issues for health care entities, and assisting companies with formation and reorganization.

Prior to joining Mintz...

Dianne Bourque
Of Counsel

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. As former in-house counsel to an academic medical center, a large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process. In addition, Dianne currently serves as a Vice Chair of AHLA's Health Care Reform Education Task Force.

She also counsels health care clients and other business entities on a broad range of privacy and data security issues, including the HIPAA Privacy Rule and Security Standards, including requirements under HITECH and the HIPAA Omnibus Rule, 42 CFR Part 2, and state-imposed medical privacy laws. She regularly assists clients with data breach response and mitigation, the implementation of HIPAA-mandated policies and procedures, privacy audits, third-party requests for information, and review of HIPAA-related contracts and forms. She has successfully defended clients in both civil and criminal HIPAA enforcement actions and regularly assists clients with the management of data breaches and other losses of protected health information.

Before joining Mintz, Dianne was an associate staff attorney at the Lahey Clinic, where she provided general counsel services to medical, professional, and administrative staff. She also served as counsel to the Institutional Review Board, the Ethics Committee, the Intellectual Property and Technology Transfer Committee, and the Genetics Advisory Board. Before joining the Lahey Clinic’s legal staff, she worked in the research administration department. Her responsibilities included drafting a regulatory compliance manual detailing laws of concern in basic, clinical, and animal research, continually reviewing relevant regulations to ensure compliance for institutional programs, and researching and advising clients on a broad range of regulatory matters.

Dianne was the first Suffolk University law student to graduate with a concentration in Health Care and Biomedical Law. She formerly served as an adjunct professor at Stonehill College, teaching an undergraduate Health Care Law course.

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...