CCPA and HIPAA: Important Intersections
February 11, 2020
What is CCPA?
CCPA is a California state law that establishes new consumer rights relating to the access of personal information that is held by businesses. CCPA defines personal information as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes Social Security numbers, demographic information, financial account information, and biometric data, as well as Internet browsing and search history.
Now that we’ve broadly defined CCPA, let’s take a look at how it intersects with HIPAA and applies to Covered Entities.
Who does CCPA apply to?
CCPA applies to all companies that serve California residents, whether they are based in California or not, which take in at least $25 million in annual revenue. This applies to total revenue, not just revenue in California. Companies of any size that have personal data from at least 50,000 people or that collect over half of their revenue from the sale of personal data must also comply with the law.
Despite its broad scope, the law does create certain exemptions designed around HIPAA. For example, CCPA does not apply to “medical information” as defined in the California Confidentiality of Medical Information Act (CCMIA) or “Protected Health Information” (PHI) as defined in HIPAA, which is collected by a Covered Entity or business associate.
What this means for HIPAA compliant businesses?
CCPA’s HIPAA exemption is meant to allow Covered Entities and Business Associates to continue following the privacy regulations laid out in HIPAA without interference from an additional law.
CCPA exempts an organization that “maintains patient information in the same manner” as PHI under HIPAA.
Until we see differently, healthcare providers and insurance agents may assume that the law’s HIPAA exemption will cover PHI and other client information. Good news! If you’re following HIPAA regulations, you aren’t required to do more to protect your patients’ and clients’ information.
Want an easy way to navigate HIPAA and state regulations? Try HIPAA Prime, our all-in-one compliance solution. You provide your information and we do the rest. To learn more, email email@example.com.
May 18, 2020
With the onset of COVID-19, many employers have had to face the possibility of the virus entering the workplace. Normally, under the Americans with Disabilities Act (ADA), employers are prohibited… Read More ›Read More
May 6, 2020
On March 13, President Donald Trump declared a national emergency in response to the rapid spread of COVID-19. Two days following this statement, the U.S. Department of Health and Human… Read More ›Read More