What Does the California Consumer Privacy Act Mean for Healthcare Companies?

July 18, 2019
Manatt, Phelps & Phillips’ Brandon Reilly discusses requirements, exemptions of nation’s strictest consumer privacy and data protection measure

In June 2018, California Gov. Jerry Brown signed A.B. 375, the California Consumer Privacy Act of 2018 (CCPA), into law. The CCPA, the nation’s strictest consumer privacy and data protection measure, goes into effect Jan. 1, 2020. Although nonprofit healthcare providers and those handling medical information as defined by HIPAA are exempt, the law could have a significant impact on for-profit healthcare companies and those providing health or lifestyle-related services directly to consumers.

Healthcare Innovation’s David Raths recently interviewed Brandon Reilly, an attorney in the privacy and data security practice of Manatt, Phelps and Phillips LLP, about the potential impact of the new law.

Healthcare Innovation: Were the authors of the legislation targeting companies in the healthcare space or were they more concerned about “big tech” companies such as Google, Amazon and Facebook?

Reilly: It is pretty clear from the intent all the way back to the original ballot initiative that the target of the law was big tech and big data. It was spurred by revelations of what Facebook and Google might be doing with personal information. That was carried over to the legislation.

HI: Was there opposition from the big tech companies?

Reilly: Initially most of the big tech firms were gearing up to oppose the ballot initiative. When it became clear that backers were going to easily gather the required signatures, they backed down a little bit as a matter of public relations calculus. Then industry interests realized that if the law is subject to the legislative process rather than the ballot initiative process, it would be easier to control and obtain practical limitations on.

HI: How could health systems and insurers be impacted?

Reilly: It is a bit complicated. The first task for health companies is to verify the extent to which the exemption for HIPAA-related data applies to them. Most healthcare insurers and providers typically will start with the assumption that all their personal data is exempt from the CCPA, but you really have to test it, because the HIPAA definition of PHI is so context-specific. You have to be really confident about how you are collecting information to be able to figure out whether CCPA applies. The benefit for healthcare companies is that they are used to heavy regulation, so they should have a lot of controls in place so they know how much of their data ecosystem is PHI.

HI: Does the CCPA relate to whether I am sharing that data with third parties, how I am sharing it and for what purposes?

Reilly: It does. A good example is telehealth companies or other health-adjacent tech companies. There is a much greater likelihood that those companies are collecting non-exempt data. This could be data purchased from data brokers, non-health-related entities, or behavioral or profiling data that could be used for market intelligence or advertising in a way that is not sufficiently tied to the provision of healthcare or insurance.

HI: If a health insurer is buying that kind of data about their members, would that be exempt?

Reilly: It would depend on where the purchased data originated. If the data was originally created for providing healthcare services, then it might be exempt. But if it is simply a data set of consumer shopping or demographic profiles, then it may not be.

HI: Does it matter if the organization is nonprofit or for-profit?

Reilly: Yes, it does. The CCPA only applies to for-profit entities. But there are some circumstances where nonprofit entities could be pulled into scope based on an affiliation with a for-profit entity. In other words, if there is a for-profit entity somewhere in the corporate governance structure, and it achieves the required revenue threshold of $25 million annually on its own, there may be nonprofit entities sufficiently related that would be pulled in scope.

HI: So we could look at two businesses side by side, one nonprofit and the other for-profit, doing basically the same thing, and the CCPA would apply to one and not the other?

Reilly: Yes. That is one of the major differences between the European GDPR [General Data Protection Regulation] and CCPA. The GDPR is broadly applicable to any entity, even if it is nonprofit. It does reflect a difference in philosophy behind privacy rights. Those in Europe argue that it doesn’t matter if you are making money off of what you are doing with data or not. Privacy is still an issue, no matter what. In California they are saying they are interested in the business of data.

HI: Are the rights and responsibilities laid out in the CCPA similar to the European GDPR? In what ways are they alike or different? Are some of the provisions such as “right of access” or “right of deletion” new to the U.S.?

Reilly: Yes, the core rights are very similar. Both regimes allow consumers, as a general matter, to learn about their personal data, to delete the personal data and in some instances to opt out of certain activities. The GDPR has a few rights not present in the CCPA, such as the right to correct certain information and an expanded right to portability. I would say that they do reflect different philosophies. The GDPR is what I would call a prescriptive law, meaning that it is telling you how you have to process data. The CCPA is proscriptive. It says you can process data however you like, but if the consumer tells you to stop, you have to do so and you have to disclose what you are doing.

HI: It seems like creating the infrastructure to respond to those kinds of requests from consumers would be difficult to set up.

Reilly: It could be very challenging. Even understanding what data you have, which is the very first task, is a major endeavor — particularly because the CCPA introduced a new definition of personal information that is much broader than what we have considered to be PII or even PHI. Even if a company has existing data inventory controls and feels like it has a good handle on what data it has, the CCPA comes along and says in addition to all of that, this whole other data set is also in scope. After you know what you have, you have to make the right decisions about how you are going to respond to a data access request or data deletion request and how that is going to impact the rest of your business.

HI: What about a company that is headquartered in Minnesota but that might have data sets on California citizens?

Reilly: That Minnesota-based business might as well be based in California as far as the CCPA is concerned. As long as you meet the threshold of processing $25 million in annual revenue, and you process data of California residents, then you are going to be expected to comply.

HI: So are California provider organizations putting effort into figuring this out or do they think the exclusions will make them exempt? Are they not sweating about this?

Reilly: Certainly the exclusions give a large degree of comfort to healthcare companies, but given that the business of health is increasingly data-driven, you have to take a hard look at it. The other major gap for health companies is that as currently written the CCPA also applies to employee data, and personal information collected during employment or about potential employment is in scope right now. There are amendments seeking to address that problem. It certainly doesn’t seem like it was the legislators’ intent to include employee data. It is called the consumer privacy act, but the definition of consumer is California resident, nothing more restrictive than that.

HI: What about commercial wearable tech companies such as Fitbit?

Reilly: The exercise of asking what is the context of why we collect the data is important. If it is defensible to say the data was collected in order to provide healthcare, and the entity is a covered entity or business associate under HIPAA, then you are pretty confident, but if you are a company like Fitbit that is a broader, consumer-facing company that collects data for a whole set of different reasons, it is going to be much harder to make that conclusion.

HI: California often leads the country in privacy regulations. Could other states follow their lead?

Reilly: We are seeing that happen already. There are versions with different flavors of the CCPA working their way through legislatures right now, so I think it is only a matter of time before we see similar laws in other states.
