Where HIPAA Stops, CCPA Begins
May 21, 2019
Why Covered Entities and Business Associates Cannot Ignore the New California Data Privacy Law
The California Consumer Privacy Act (CCPA) applies to a wide range of for-profit businesses that collect the personal information of California residents. However, CCPA includes a convenient carve-out for HIPAA-covered entities and business associates: it doesn’t apply to protected health information, or PHI, as that term is defined under HIPAA. CCPA also carves out covered entities (but not business associates) that maintain “patient information” (a term not defined in CCPA) in the same manner as PHI. As discussed below, though, it is unlikely that any covered entity maintains all of the information it collects from patients in the same manner as it maintains PHI.
These carve-outs are not as broad as they appear. Covered entities and business associates that are otherwise in scope for CCPA (see our prior alert) should still figure out where and how they handle “personal information” that isn’t PHI. They should also note that some types of PHI (or former PHI) may be subject to CCPA despite these carve-outs.
Personal information created, received, maintained or transmitted by companies subject to HIPAA is likely subject to CCPA if it falls into one of the following five categories:
1 – It is not created or collected as part of the payment, treatment or health care operations trifecta
A covered entity deals with personal information in its day-to-day operations when paying or processing health care claims, treating patients or engaging in activities related to or designed to improve these functions. However, many covered entities also engage in activities that involve the collection of personal information from individuals who are not patients or individuals covered by a health plan. For example, a covered entity may collect personal information from a member of the public for marketing purposes or as part of its community engagement activities. It may collect cookies or device IDs on its website, geolocation information from employee devices or equipment not related to patient care, or track general consumer purchase behavior.
2 – It was never PHI (or is excluded from the definition of PHI) under HIPAA
3 – It was once PHI, but has been de-identified under HIPAA
PHI that has been de-identified in accordance with HIPAA is no longer considered PHI, and, thus, is no longer subject to the CCPA carve-out for PHI. In addition, because the requirements for de-identification under HIPAA are different than those under CCPA, de-identified PHI under HIPAA may still constitute Personal Information under CCPA and be subject to all obligations under CCPA.
4 – It is not PHI, but is derived from PHI
Even when you start with PHI, if you draw inferences from the PHI and use them to create a new information set that contains no PHI, CCPA may apply to this new information set. That is because the definition of “personal information” is very broad and includes even “inferences” drawn from information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to” a California resident or household. For example, if inferences are drawn from PHI and used to create a new data set that is used for enhancing customer experience, fraud detection or marketing activities, CCPA may apply to this new data set.
5 – It is PHI that is used for research purposes in accordance with HIPAA
Even the use or disclosure of PHI for research purposes must meet the more stringent research standards of CCPA. CCPA defines “research” as, in part: “scientific, systematic study and observation, including basic research and or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws…. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes” must meet specific additional safeguards. By way of example, the research must be “[c]ompatible with the business purpose for which the information was collected,” the data must be subsequently “pseudonymized and deidentified,” or “deidentified in the aggregate” (terms more stringently defined under CCPA than under HIPAA), and the data may “[n]ot be used for any commercial purposes.” CCPA exempts information collected as part of a clinical trial subject to the Common Rule, clinical practice guidelines issued by the International Council for Harmonisation, or pursuant to the human subject protection requirements of the FDA, but not all data used in research meets these standards.
In short, if you are a covered entity or business associate under HIPAA and have been resting on the laurels of the “CCPA HIPAA carve-out,” think again. Some of the information you handle (including even information derived from PHI and de-identified PHI) may actually be personal information under CCPA and subject to all of CCPA’s additional obligations.