Healthcare Entities Must Still Comply with 2023 Privacy Laws

As we head into the fourth quarter, US businesses need to assess their progress in preparing for sweeping changes to the California Consumer Privacy Act (“CCPA”) that become effective January 1, 2023, and with compliance with four new state consumer privacy laws (in Colorado, Connecticut, Utah and Virginia) that become effective throughout 2023 (collectively, “2023 Privacy Laws”).  To help businesses prepare for the requirements of the 2023 Privacy Laws, Team SPB prepared guidance materials, including high level workstreams, covering the following topics: (1) Preparing for 2023 State Privacy Laws; (2) HR and B-to-B Data CCPA/CPRA Compliance Primer; (3) Lessons from the First CCPA Civil Penalty Case; and (4) Takeaways from the First Draft of Revised CCPA/CPRA Regulations.

The 2023 Privacy Laws have carve-outs directly applicable to businesses that must comply with the Health Insurance Portability and Accountability Act (“HIPAA”) (i.e., covered entities and business associates).  For instance, at a high level, as directly related to HIPAA:

Nevertheless, businesses that must comply with HIPAA must still comply, to some extent, with the requirements of the 2023 Privacy Laws, particularly with regard to data that is not PHI.  For example, the employee information maintained by covered entities for Human Resources purposes is not PHI.  Likewise, certain health-related information collected from employees, such as information regarding maternity status for purposes of administering leave benefits or COVID-19 status for workplace safety, are also likely not PHI, and therefore, are outside the bounds of exemptions of the 2023 Privacy Laws for information maintained in accordance with HIPAA requirements.  As a starting point, healthcare entities should do the following with regard to health-related information that is not PHI:

Although healthcare entities benefit from carve-outs under the 2023 Privacy Laws for PHI, they still have obligations as to information that is not PHI.  It will be interesting to see how healthcare entities will balance their HIPAA obligations the requirements of the 2023 Privacy Laws for information that is not PHI.

© Copyright 2024 Squire Patton Boggs (US) LLP
National Law Review, Volumess XII, Number 266