CCPA and HIPAA: Important Intersections

What is CCPA?

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This prompted many to ask: how does CCPA impact Covered Entities who comply with the HIPAA law?

CCPA is a California state law that establishes new consumer rights relating to the access of personal information that is held by businesses. CCPA defines personal information as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes Social Security numbers, demographic information, financial account information, and biometric data, as well as Internet browsing and search history.

Now that we’ve broadly defined CCPA, let’s take a look at how it intersects with HIPAA and applies to Covered Entities.

Who does CCPA apply to?

CCPA applies to all companies that serve California residents, whether they are based in California or not, which take in at least $25 million in annual revenue. This applies to total revenue, not just revenue in California. Companies of any size that have personal data from at least 50,000 people or that collect over half of their revenue from the sale of personal data must also comply with the law.

Despite its broad scope, the law does create certain exemptions designed around HIPAA. For example, CCPA does not apply to “medical information” as defined in the California Confidentiality of Medical Information Act (CCMIA) or “Protected Health Information” (PHI) as defined in HIPAA, which is collected by a Covered Entity or business associate.

What this means for HIPAA compliant businesses?

CCPA’s HIPAA exemption is meant to allow Covered Entities and Business Associates to continue following the privacy regulations laid out in HIPAA without interference from an additional law.

CCPA exempts an organization that “maintains patient information in the same manner” as PHI under HIPAA.

Until we see differently, healthcare providers and insurance agents may assume that the law’s HIPAA exemption will cover PHI and other client information. Good news! If you’re following HIPAA regulations, you aren’t required to do more to protect your patients’ and clients’ information.

Want an easy way to navigate HIPAA and state regulations? Try HIPAA Prime, our all-in-one compliance solution. You provide your information and we do the rest. To learn more, email info@totalhipaa.com.

Sharing is caring!