If you’re operating in the digital healthcare technology space, privacy and security of healthcare information is one of your highest priorities. For this reason, you probably already know that California has the most stringent (and some would say most burdensome) privacy and security protections in the country. They eclipse HIPAA and actually share more in common with the new EU General Data Protection Regulation (GDPR). On June 28th this year, the new California Consumer Privacy Act (CCPA) became law. This law expands the privacy protections for certain types of data in California law, ratcheting up the obligations of companies that collect data about California residents.
Many digital health technology companies have customers from multiple, or even all, states accessing their software and services. If these health tech companies have California customers, then starting in January 2020, they will likely need to abide by the CCPA. Because it is administratively burdensome for companies to maintain multiple privacy standards covering each state in which they operate, this means that, in practice, the CCPA will become the de facto standard for health information privacy for these companies.
In the coming months, the California Attorney General (the enforcement body for the CCPA) will issue regulations to implement the law, and digital health companies will need to pay close attention to these new regs!
Will the California Consumer Privacy Act apply to my company?
CCPA applies to companies that collect personal information from California residents AND (1) have annual gross revenues in excess of $25 million, adjusted for inflation; OR (2) derive 50 percent or more of their annual revenues from selling consumers’ personal information; OR (3) annually buy, receive for a commercial purpose, sell or share the personal information of 50,000 or more consumers, households or devices.
What kind of information does the California Consumer Privacy Act protect?
The CCPA does not apply to medical information, which is governed by the Confidentiality of Medical Information Act, and does not apply to protected health information ("PHI"), which is governed by HIPAA. However, it does apply to information not traditionally kept in a medical record. For instance, it applies to ANY information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This could include information about an individual’s education, finances, employment, internet use, household members, and consumer activity (unless such information is publicly available).
As we make the shift to value-based payment and many providers and payers are focused on social determinants of health, many digital healthcare technology companies are gathering non-traditional data for healthcare purposes. For this reason, it may still be necessary for digital healthcare companies to abide by CCPA.
What new requirements does the CCPA impose?
Opt out. Under the CCPA, customers have the right to “opt out” of the sale of personal information. The opt-out must last at least 12 months, at which point the company can request that the customer reconsider their choice. Companies will be expected to have a “clear and conspicuous” link on their websites titled “Do Not Sell My Personal Information”. For children under 16, the customer must opt in to the sale of information. GDPR already requires that individuals opt in to any use of their data.
Access. Companies are obligated to provide information upon request by a customer. They must provide at least 2 methods for customers to request a copy of their information (e.g., a toll-free number). To adequately respond, companies will need to capture (1) the types of information; (2) the source of the information; (3) the purpose for which the information was collected; and (4) the third parties who have received this information. Companies are required to provide the information in a readily useable format.
Deletion. Unless an exception applies, if a customer requests deletion of their data, the company must comply. In addition, the company must direct third parties to delete the customer’s data.
Nondiscrimination. Companies may not discriminate against customers for exercising their CCPA rights, with a few fairly broad exceptions. For example, companies can offer customers financial incentives for collection of personal information.
What are the penalties for non-compliance with the CCPA?
Violations of the CCPA carry statutory damages of up to $7,500 per violation, if violations are intentional. In the event of a data breach, customers could institute a civil action to recover damages or obtain an injunction. Under the CCPA, the customer would NOT need to show proof of harm resulting from the breach, which significantly increases the potential liability for companies subject to the law.
In the next year, it’s likely that the law will shift and change, given the tremendous industry pushback. Nixon Law Group will continue to monitor changes and implementation timelines and bring you the latest!