Last year, California passed the California Consumer Privacy Act (CCPA), which will go into effect in 2020. Widely seen as a “GDPR-light,” the law could have many implications on the healthcare industry, even though the law excludes certain types of health data. This article is an overview of some of the impacts.
The CCPA, which goes into effect in January 2020, requires businesses to support consumer’s (new!) information rights when their data is collected, used, and sold. The combination of its many prescriptive requirements with its broad definitions (for example, “personal information,” “collecting”, and “selling”) has significant operational implications for the businesses covered by the CCPA, which is why the question of applicability has been as heavily discussed as the law’s actual requirements.
Many health companies assume that the presence of health information exceptions in the CCPA are enough to exempt them from compliance. However, most of these companies have at least some data that falls squarely in the purview of the CCPA, and they should be prepared to implement compliance programs to manage it in accordance with the new rights granted to California consumers.
Specifically, health companies should ask themselves two questions:
- Does my organization meet the definition of a business under the law?
- Does my organization have personal information that is not otherwise captured by the exemptions?
If the answers to both of these are yes, then the organization will need to implement CCPA compliance mechanisms.
Here’s how to answer these questions and a few gray areas to watch out for.
Establishing applicability for health organizations
An organization under the CCPA is one that is:
- Operating in California;
- Collecting personal information; and that
- Satisfies one or more of the following: a) has annual gross revenues in excess of $25 million dollars, b) derives 50% or more of its annual revenues from selling personal information, and/or c) handles the personal information of 50,000 or more consumers, households, or devices.
The definition covers a broad swath of the healthcare industry. Think healthcare providers and insurance companies, their business associates, health analytics companies, aggregators of health information for the secondary market, pharmaceutical companies, direct-to-consumer health resources (genetic testing, wearables, lifestyle apps, personal health record vendors), mental health and assisted living facilities, biotechnology companies. The list goes on. The few who aren’t covered include non-profit organizations, small start-up ventures, and any health organization that does not interact with California consumers.
What health data is exempt
CCPA explicitly does not apply to three types of health information:
- “Medical Information” already covered by the state’s Confidentiality of Medical Information Act (CMIA) is exempt from CCPA. Medical information as defined in the CMIA is identifiable information about a patient’s medical history or condition that is held by a healthcare provider, healthcare service plan, pharmaceutical company, or contractor. (Note that the definition of a contractor in the CMIA is narrower than the definition of a “business associate” in HIPAA, and is essentially a health-related organization that is not a service plan or provider.)
- “Protected Health Information” (PHI) already covered by the Health Insurance Portability & Accountability Act (HIPAA) is exempt from CCPA. PHI is defined in HIPAA as individually identifiable health information that is created or received by a HIPAA-covered entity, relates to the physical or mental health of an individual or the provision for or payment of health care to the individual, and either identifies the individual or could reasonably be used to identify the individual.
- Information collected as part of a clinical trial that is already subject to the Common Rule, GCP guidelines, or FDA requirements, is also exempt from CCPA.
CCPA also does not apply to aggregate consumer information or de-identified information.
- CCPA defines aggregate consumer information as information about a group or category of individuals that does not refer to or identify any specific individual, household, or device.
- De-identified information is “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer”. In addition to the de-identification processing, the business must do all of the following: a) implement technical safeguards to prohibit re-identification of the consumer; b) implement business processes that prohibit re-identification and prevent inadvertent release of de-identified information; and c) make no attempt to re-identify the information.
These exemptions create a safe harbor for much of the information health organizations collect, use, and share. This is true even for some unexpected organizations (think patient portals collating health records and pharmaceutical companies receiving clinical trial data). But remember that the CCPA is framed around the protection of specific types of data, not specific types of companies. This means that some information (we’ll call it “non-exempt information”) collected by organizations in the healthcare space is subject to CCPA’s compliance requirements regardless of the organization’s status as a covered or regulated entity under CMIA, HIPAA, or the FDA.
What is not exempt
Non-exempt information is a surprising amount of a health organization’s information. It includes marketing data, patient or customer service call center information, social media and app data, and data licensed from a third party. Health companies from payers to providers (the traditional HIPAA-covered entities), pharma companies to medical device manufacturers, and academic research institutions to direct-consumer-products retain information that is subject to CCPA compliance.
More specifically, non-protected information includes the email addresses, advertising identifiers (cookies and mobile device IDs), and IP addresses collected via the websites of every health-related organization. It includes, for example, the information collected on patients and consumers about their interests and concerns for marketing purposes, which health-related organizations use to improve their community initiatives, patient engagement, and the quality of their patient care. It also includes geolocation information, biometric information (an individual’s physiological, biological, or behavioral characteristics), consumer purchase behavior, and third party demographic information that is used by both healthcare and non-health organizations for everything from enhancing consumer experience and research to user authentication or fraud prevention.
Some companies look to the “research exemption” as their safe harbor. However, this only applies to personal information used for “public or peer-reviewed” research in the public interest. There’s a litany of specific requirements for what qualifies. The most significant of these additional requirements is that the personal information used for research may not be used for any commercial purpose.
What may or may not be exempt
For organizations in the health space, there are three gray areas related to non-exempt information worth highlighting:
1. The definition of de-identified information in the CCPA and in HIPAA are not the same. HIPAA has two approved methods of de-identification: Safe Harbor and Expert Determination, neither of which align perfectly with the CCPA’s requirements. Safe Harbor fits more easily into the CCPA’s definition, but most companies use the Expert Determination method. In either case, it is possible that adequately de-identified data under HIPAA (which is no longer PHI covered by CCPA’s PHI exemption) may not be adequately de-identified under CCPA, which has stricter additional requirements, and would consequently be subject to CCPA obligations.
2. Due to ambiguous wording, there is some debate over how the CCPA’s exemption (b), which is directed at both health organizations and patient information more generally, should be interpreted. The exclusion could be read to suggest either that “providers of healthcare” under the CMIA and “covered entities” under HIPAA are organizationally excluded or that any information these organizations have on patients is excluded as long as they maintain it in the same manner as medical information (CMIA) or PHI (HIPAA). Given the way the CCPA’s applicability is structured, it seems unlikely that it applies wholesale to the organization and instead applies to a covered entity’s treatment of non-protected patient information.
3. There is also debate over whether the CCPA applies to employee data. The definition of personal information expressly includes “professional or employment-related information”, which suggests that it will at minimum apply to applicant information but will likely be interpreted to apply to all employee data. In the act, a consumer is defined as a “natural person who is a California resident”, and the definition is not further qualified.
Compliance requirements for non-exempt information
Businesses subject to the CCPA’s requirements will need to update their compliance programs to ensure they are respecting the information rights of California consumers. Some of the requirements are more prescriptive than others (on the bright side, this means companies know exactly what they need to do!). At a high level, they include:
- Revising privacy policies, website homepages, consent forms, and consumer-facing notices to inform consumers of their rights, the types of personal information being collected, how the information will be used, and whether the information will be sold to third parties.
- Creating mechanisms to receive and authenticate consumer requests for information; to opt out of the collection, use, or sale of their personal information; to access and correct their personal information; to delete their personal information; and to port their personal information to another organization.
- Maintaining a data inventory to trace what information has been collected, retained, processed, disseminated, and sold about a person so that a report can be produced for the consumer.
While it’s true that the CCPA was written with the online advertising and retail industries in mind, it doesn’t restrict itself to a particular industry or a particular type or use of data. It covers personal information quite broadly and carves out exceptions for particular types or uses of data that are already regulated. This approach creates areas of ambiguity, as well as cases where the new requirements do not sync with existing rules.
As part of a heavily regulated industry, healthcare organizations are no strangers to legislative ambiguity. We all hope the CCPA’s ambiguities will be resolved before it goes into effect next year. In the meantime, it’s not too late to begin addressing the compliance obligations that do apply.