On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. CCPA breaks new state law privacy ground and imposes consumer protections that are comparable to the European Union’s General Data Protection Regulation (GDPR). As companies are preparing for the January 1, 2020 CCPA compliance date, there remains a great deal of confusion over CCPA requirements. Some of this confusion relates to the exemptions for health information. One common misperception is that all health information is exempt under the CCPA. While the CCPA does provide for an exemption for protected health information (PHI) under Section 1798.145(c)(1)(A) [1] of the Amendment, many companies – including health care providers – maintain health information that is not PHI. An example of this would be health information embedded in employment records. For instance, there is medical information in an employee’s employment record when a request has been made for short-term disability.
When health information does not fall within the definition of PHI under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), CCPA requirements apply. However, there is a CCPA exception for health information, whether it’s PHI or not, that is maintained by a health care provider or HIPAA covered entity in the same manner as PHI. This exception is set forth in Section 1798.145(c)(1)(B). [2] Applying HIPAA protections to non-PHI would have a variety of administrative impacts on companies, including having to re-train the company’s entire workforce as to the broadened scope of HIPAA compliance measures. Additionally, if a company elected to treat all health information as PHI, would that mean that an employee would have the right to access and amend employment records or that the company would have to account for disclosures of employment information as is required under HIPAA? These answers have not yet been determined.
It is not entirely clear as to what will be considered full and functional compliance come January 1. As that date is quickly approaching, we will be on the lookout for more guidance from California regulators.
[1] Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
[2] A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.