California Consumer Privacy Act: How will it impact healthcare?

Rebecca Slisz
Nov 12, 2018

On June 28, 2018, California Governor Jerry Brown signed A.B. 375, the California Consumer Privacy Act (CCPA), into law, just one week after it was introduced. The California legislature moved swiftly to pass the bill in order to avoid a duplicate measure that was slated to appear on the November midterm elections ballot. Considered the strictest consumer privacy and data protection law in the U.S., the law will take effect January 1, 2020. Some businesses regulated under the CCPA may also be subject to provisions of the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. [3]

Consumer rights under CCPA

Under this Act, California residents/consumers have the right to:

  1. Know, through a general privacy policy (with more specifics available upon request):
    1. What personal information a business has collected about them
    2. Where it was sourced from
    3. What it is being used for
    4. Whether it is being disclosed or sold
    5. To whom it is being disclosed or sold
  2. “Opt out” of allowing a business to sell their personal information to third parties; consumers younger than age 16 have the right to not have their personal information sold, unless they or their parents opt in for them
  3. Receive equal service and pricing from a business, even if they exercise their privacy rights under the Act
  4. Request that any collected personal information is deleted, except when it is needed to complete requested transactions or services

What constitutes personal information is broader under the CCPA than the definition used in U.S. state data breach laws. Unlike under the GDPR, information lawfully available through public government records is excluded.

What businesses are impacted by CCPA?

The CCPA applies to any for-profit business in California that collects California residents’ personal information, solely or jointly with others, and meets or exceeds one of the following minimum parameters: [3]

  • $25 million in annual gross revenues
  • Buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers
  • Derives 50% or more of annual revenue from selling consumers’ personal information

What CCPA means for the healthcare industry

The CCPA states that it “shall not apply to protected or health information that is collected by a covered entity governed by the [California] Confidentiality of Medical Information Act [the CMIA]…or governed by the privacy, security, and breach notification rules…established pursuant to the Health Insurance Portability and Accountability Act of 1996.” [2] This exemption holds true for both for-profit and nonprofit healthcare organizations. So while protected health information (PHI) falls under HIPAA and CMIA regulations, any additional personal information collected by for-profit healthcare organizations in California may still be under the purview of the CCPA.

The CCPA allows consumers, under certain circumstances, to litigate when their non-encrypted or non-redacted personal information has been subjected to unauthorized access, exfiltration, theft, or disclosure as a result of a business violating its duty to implement and maintain reasonable security procedures. Under this provision, every California consumer affected by a data breach can collect up to $750 per incident or actual damages, whichever is greater. [2,4]

The high cost of unauthorized access and data breaches

Healthcare security can be compromised for many reasons, including unauthorized access, patient identification errors, data breaches, and carelessness. Many compliance violations simply involve an unauthorized employee accessing patient records and PHI, which includes personal information and much more. Although many incidents are unintentional, they can still result in fines, reputational damage, and lawsuits. Considering that thousands of records can be compromised in one incident, a data breach could put a healthcare organization out of business, especially in combination with other regulatory fines.

Organizations need to realize that the personal data covered under this law is identity data. With legislation such as the CCPA and other regulatory requirements, healthcare organizations should consider robust, automated provisioning solutions to manage their identity governance processes.

Imprivata can help you stay compliant

With so much at stake, healthcare organizations can no longer rely on manual processes to grant personnel access to systems, applications, and records. Imprivata Identity Governance™, the leading identity governance and compliance management solution for healthcare, integrates with the Imprivata authentication platform to provide a holistic view of access risk, including excessive or abnormal access rights and un-provisioned access. The end-to-end healthcare solution features precise role-based access controls, automated provisioning and de-provisioning, streamlined auditing processes, and analytics that enable faster threat evaluation and remediation. By automating identity management processes, IT costs decrease, data security and compliance increase, and the focus shifts to quality patient care.
