Where HIPAA Stops, CCPA Begins

May 21, 2019 | Alerts

Why Covered Entities and Business Associates Cannot Ignore the New California Data Privacy Law

The California Consumer Privacy Act (CCPA) applies to a wide range of for-profit businesses that collect the personal information of California residents. However, CCPA includes a convenient carve-out for HIPAA-covered entities and business associates: it doesn’t apply to protected health information, or PHI, as that term is defined under HIPAA. CCPA also carves out covered entities (but not business associates) that maintain “patient information” (a term not defined in CCPA) in the same manner as PHI. As discussed below, though, it is unlikely any covered entity maintains all of the information it collects from patients in the same manner as it maintains PHI.

These carve-outs are not as broad as they appear. Covered entities and business associates that are otherwise in scope for CCPA (see our prior alert) should still figure out where and how they handle “personal information” that isn’t PHI. They should also note that some types of PHI (or former PHI) may be subject to CCPA despite these carve-outs.

Personal information created, received, maintained or transmitted by companies subject to HIPAA is likely subject to CCPA if it falls into one of the following five categories:

1 – It is not created or collected as part of the payment, treatment or health care operations trifecta

A covered entity deals with personal information in its day-to-day operations when paying or processing health care claims, treating patients or engaging in activities related to or designed to improve these functions. However, many covered entities also engage in activities that involve the collection of personal information from individuals who are not patients or individuals covered by a health plan. For example, a covered entity may collect personal information from a member of the public for marketing purposes or as part of its community engagement activities. It may collect cookies or device IDs on its website, geolocation information from employee devices or equipment not related to patient care, or track general consumer purchase behavior.

2 – It was never PHI (or is excluded from the definition of PHI) under HIPAA

Information that identifies an individual and relates to the individual’s health is generally not PHI unless it is created or received by a health care provider or a health plan. For example, health-related information created by a workers’ compensation carrier is not PHI, since the carrier is not a “health plan” under the HIPAA definition. Health-related information collected directly from an individual on an app is also not PHI, as long as it’s not also created or received by or on behalf of a health care provider or health plan. HIPAA also specifically excludes employment records held by a health plan, health care provider or health care clearinghouse in its role as an employer and information regarding a person who has been deceased for more than 50 years from the definition of PHI. It is unclear whether covered entities that maintain “patient information” in the same manner as PHI will be exempt from CCPA with respect to data that is not PHI. In addition, a hospital that operates a fitness center and collects membership information is unlikely to maintain that information in the same manner that it maintains PHI, despite the fact that fitness center members may also be patients. The same scenario applies to hospitals that use cookies to collect information from website users, many of whom are likely to be patients. Unless that hospital maintained all of the data it collects about patients as though it were PHI, the hospital would not qualify for the “patient information” carve-out.

3 – It was once PHI, but has been de-identified under HIPAA

PHI that has been de-identified in accordance with HIPAA is no longer considered PHI, and, thus, is no longer subject to the CCPA carve-out for PHI. In addition, because the requirements for de-identification under HIPAA are different than those under CCPA, de-identified PHI under HIPAA may still constitute Personal Information under CCPA and be subject to all obligations under CCPA.

4 – It is not PHI, but is derived from PHI

Even when you start with PHI, if you draw inferences from the PHI and use them to create a new information set that contains no PHI, CCPA may apply to this new information set. That is because the definition of “personal information” is very broad and includes even “inferences” drawn from information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to” a California resident or household. For example, if inferences are drawn from PHI and used to create a new data set that is used for enhancing customer experience, fraud detection or marketing activities, CCPA may apply to this new data set.

5 – It is PHI that is used for research purposes in accordance with HIPAA

Even the use or disclosure of PHI for research purposes must meet the more stringent research standards of CCPA. CCPA defines “research” as, in part: “scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws…. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes” must meet specific additional safeguards. By way of example, the research must be “[c]ompatible with the business purpose for which the information was collected,” the data must be subsequently “pseudonymized and deidentified,” or “deidentified in the aggregate” (terms more stringently defined under CCPA than HIPAA), and the data may “[n]ot be used for any commercial purposes.” CCPA exempts information collected as part of a clinical trial subject to the Common Rule, clinical practice guidelines issued by the International Council for Harmonisation, or pursuant to human subject protection requirements of the FDA, but not all data used in research meets these standards.


In short, if you are a covered entity or business associate under HIPAA and have been resting on the laurels of the “CCPA HIPAA Carve out” – think again. Some of the information you handle (including even information derived from PHI and de-identified PHI) may actually be personal information under CCPA and subject to all of CCPA’s additional obligations.

Further Reading:

Does the California Consumer Privacy Act Apply to Me?

If at First You GDPR, CCPA, CCPA Again

How To Determine If Europe’s GDPR Law Applies to a U.S.-based Retail Business

20 Questions (and Short Answers) on the California Consumer Privacy Act (CCPA)