
Complying with the California Consumer Privacy Act: Are Health Care Organizations "Home Free"?

On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. The CCPA breaks new state-law privacy ground and imposes consumer protections comparable to the European Union’s General Data Protection Regulation (GDPR). As companies prepare for the January 1, 2020 CCPA compliance date, there remains a great deal of confusion over CCPA requirements. Some of this confusion relates to the exemptions for health information. One common misperception is that all health information is exempt under the CCPA. While the CCPA does provide an exemption for protected health information (PHI) under Section 1798.145(c)(1)(A) of the Amendment, [1] many companies – including health care providers – maintain health information that is not PHI. An example of this would be health information embedded in employment records. For instance, an employee’s employment record contains medical information once that employee has requested short-term disability.

When health information does not fall within the definition of PHI under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), CCPA requirements apply. However, there is a CCPA exception for health information, whether it is PHI or not, that is maintained by a health care provider or HIPAA covered entity in the same manner as PHI. This exception is set forth in Section 1798.145(c)(1)(B). [2] Applying HIPAA protections to non-PHI would have a variety of administrative impacts on companies, including having to re-train the company’s entire workforce on the broadened scope of HIPAA compliance measures. Additionally, if a company elected to treat all health information as PHI, would that mean that an employee would have the right to access and amend employment records, or that the company would have to account for disclosures of employment information as is required under HIPAA? These questions have not yet been answered.

It is not entirely clear what will be considered full and functional compliance come January 1. As that date is quickly approaching, we will be on the lookout for more guidance from California regulators.


[1] Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

[2] A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume IX, Number 94
About the Authors

Kristen A. Marotta, Associate

Kristen focuses her practice on health care transactions, regulatory matters, and general contracting. Her experience includes counseling clients on both investing in and exiting from the health care space, drafting compliance plans and policies, facilitating deals and conducting due diligence to assess risk, addressing employment issues for health care entities, and assisting companies with formation and reorganization.

Prior to joining Mintz, Kristen was an associate...

212-692-6246
Dianne Bourque, Of Counsel

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. As former in-house counsel to an academic medical center, a large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process. In addition, Dianne currently serves as a Vice Chair of AHLA's...

(617) 348-1614
Cynthia Larose, Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732