Where HIPAA Stops, CCPA Begins

May 21, 2019

Why Covered Entities and Business Associates Cannot Ignore the New California Data Privacy Law

The California Consumer Privacy Act (CCPA) applies to a wide range of for-profit businesses that collect the personal information of California residents. However, CCPA includes a convenient carve-out for HIPAA-covered entities and business associates: it doesn’t apply to protected health information, or PHI, as that term is defined under HIPAA.

This carve-out is not as broad as it appears, though, and covered entities and business associates that are otherwise in scope for CCPA (see our prior alert) must still figure out where and how they handle “personal information” that isn’t PHI. They should also note that some types of PHI (or former PHI) may be subject to CCPA despite the carve-out.

Personal information created, received, maintained or transmitted by companies subject to HIPAA is likely subject to CCPA if it falls into one of the following five categories:

1 – It is not created or collected as part of the payment, treatment or health care operations trifecta

A covered entity deals with personal information in its day-to-day operations when paying or processing health care claims, treating patients, or engaging in activities related to or designed to improve these functions. However, many covered entities also engage in activities that involve the collection of personal information from individuals who are not patients or individuals covered by a health plan. For example, a covered entity may collect personal information from a member of the public for marketing purposes or as part of its community engagement activities. It may collect cookies or device IDs on its website, geolocation information from employee devices or equipment not related to patient care, or track general consumer purchase behavior.

2 – It was never PHI (or is excluded from the definition of PHI) under HIPAA

Information that identifies an individual and relates to the individual’s health is generally not PHI unless it is created or received by a health care provider or a health plan. For example, health-related information created by a workers’ compensation carrier is not PHI, since the carrier is not a “health plan” under the HIPAA definition. Health-related information collected directly from an individual on an app is also not PHI, as long as it’s not also created or received by or on behalf of a health care provider or health plan. HIPAA also specifically excludes from the definition of PHI employment records held by a health plan, health care provider or health care clearinghouse in its role as an employer, and information regarding a person who has been deceased for more than 50 years.

3 – It was once PHI, but has been de-identified under HIPAA

PHI that has been de-identified in accordance with HIPAA is no longer considered PHI, and, thus, is no longer subject to the CCPA carve-out for PHI. In addition, because the requirements for de-identification under HIPAA are different from those under CCPA, PHI that is de-identified under HIPAA may still constitute personal information under CCPA and be subject to all obligations under CCPA.

4 – It is not PHI, but is derived from PHI

Even when you start with PHI, if you draw inferences from the PHI and use them to create a new information set that contains no PHI, CCPA may apply to this new information set. That is because the definition of “personal information” is very broad and includes even “inferences” drawn from information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to” a California resident or household. For example, if inferences are drawn from PHI and used to create a new data set that is used for enhancing customer experience, fraud detection or marketing activities, CCPA may apply to this new data set.

5 – It is PHI that is used for research purposes in accordance with HIPAA

Even the use or disclosure of PHI for research purposes must meet the more stringent research standards of CCPA. CCPA defines “research” as, in part: “scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws…” Further, “[r]esearch with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes” must meet specific additional safeguards. By way of example, the research must be “[c]ompatible with the business purpose for which the information was collected,” the data must be subsequently “pseudonymized and deidentified,” or “deidentified in the aggregate” (terms more stringently defined under CCPA than under HIPAA), and the data may “[n]ot be used for any commercial purposes.”

In short, if you are a covered entity or business associate under HIPAA and have been resting on the laurels of the “CCPA HIPAA carve-out” – think again. Some of the information you handle (including even information derived from PHI and de-identified PHI) may actually be personal information under CCPA and subject to all of CCPA’s additional obligations.

Further Reading:

Does the California Consumer Privacy Act Apply to Me?

If at First You GDPR, CCPA, CCPA Again

How To Determine If Europe’s GDPR Law Applies to a U.S.-based Retail Business

20 Questions (and Short Answers) on the California Consumer Privacy Act (CCPA)