Editor’s Note: The California Consumer Privacy Act (CCPA)—the strictest consumer privacy and data protection law in the country—goes into effect on January 1, 2020. The CCPA exempts nonprofit entities that handle healthcare information, as well as providers and businesses already covered by the Health Insurance Portability and Accountability Act (HIPAA). The law could, however, have an enormous impact on a wide range of consumer-directed healthcare organizations, including those working with pharmaceutical and medical device manufacturers, digital health organizations, healthcare technology companies, wearables manufacturers, and mHealth app developers.
In a recent interview with Healthcare Innovation, summarized below, Manatt’s Brandon Reilly discusses the CCPA’s requirements, exemptions and potential effects.
Health Systems and Insurers Could Be Impacted (Even Non-Profits)
Most health insurers and providers assume that their personal health information (PHI) is exempt, since they are covered by HIPAA. But that assumption needs to be carefully tested, because HIPAA’s definition of PHI is so context-specific. Healthcare organizations need to be very sure about how they are collecting information to figure out whether the CCPA applies.
How, why and with whom entities are sharing information also come into play when determining if the CCPA applies. For example, telehealth and other health-adjacent tech companies are likely to be collecting nonexempt data, such as data purchased from data brokers, non-health-related entities or profiling companies whose data is used for market intelligence in a way that is not sufficiently related to providing healthcare or insurance services.
Even if the data that a health insurer purchases is about its own members, that does not mean it is automatically exempt. If the data was originally created for providing healthcare services, it might be exempt. If, however, it is simply a data set of demographic profiles, then it may not be.
Even nonprofits need to be cautious. It’s true that the CCPA only applies to for-profit entities. There are some circumstances, however, where a nonprofit organization could be pulled into scope based on an affiliation with a for-profit entity somewhere in its governance structure.
In addition, even though the CCPA exceptions might be comforting to healthcare companies, they need to take a hard look at the law. As it is currently written, the CCPA also applies to employee data, and personal information collected during employment or about potential employment is in scope. There are amendments seeking to address the issue, but right now the definition of “consumer” in the CCPA is any California resident.
Differences and Similarities Between the CCPA and Europe’s General Data Protection Regulation (GDPR)
A major difference between the CCPA and the GDPR is that the GDPR applies to all entities—for-profit and nonprofit. Europeans believe privacy is an issue whether or not entities are making money off of the data. California is focused only on the business of data.
The GDPR and the CCPA also differ in that the GDPR is prescriptive, telling businesses how to process data, while the CCPA is proscriptive, allowing businesses to process data however they want—but requiring them to stop if a consumer tells them to stop. In addition, the CCPA requires entities to disclose what they are doing.
The GDPR and the CCPA also have many similarities. Both allow consumers to learn about their personal data, delete personal data and opt out of certain activities. The GDPR also includes some additional rights, such as the right to correct certain information and an expanded right of portability.
Are Out-of-State and Wearable Tech Companies Affected?
A company based in any state might as well be based in California as far as the CCPA is concerned. As long as companies meet the CCPA’s parameters (earn $25 million in annual revenue and process data of California residents), they must comply with the CCPA.
The issue of whether the CCPA applies is murkier for wearable tech companies, with the question of why they collected the data an important deciding factor. If the data was collected to provide healthcare and the business is a covered entity or business associate under HIPAA, then it is most likely exempt. A broader, consumer-facing company that collects data for a variety of reasons (such as Fitbit), however, is going to have a much harder time concluding that it is exempt from the CCPA.