A new era in data privacy has dawned in most parts of the world. Private citizens have more rights and control over their personal information, and companies face heightened risk and operational burden to comply. Now is the time for companies to evaluate their data footprint to ensure adherence to the new consumer privacy regulations. For certain industries—specifically financial services and healthcare—that are already governed by federal regulations touching on data privacy or providing for corrective actions from consumers for specific types of data, compliance with these new laws may seem like standard process. But that isn’t necessarily the case.
Focusing on the healthcare industry, organizations are aware of their obligations under HIPAA for electronically protected health information (ePHI). However, state-based data privacy laws bring a new set of obligations to the forefront, some of which will require healthcare organizations to implement fresh policies and procedures that supplement existing HIPAA practices. The California Consumer Privacy Act (CCPA), which will go into effect in January, is the most notable and imminent U.S.-based regulation healthcare companies need to address. There are likely gaps healthcare companies should be aware of and evaluate between HIPAA compliance and the remainder of personal data not covered by HIPAA but in scope per definitions in the CCPA. A few key areas to examine and consider include the following.
What Is and Isn’t Covered
Covered activities for entities and business associates collecting and using data include medical information governed by the Confidentiality of Medical Information Act (part 2.6 (commencing with Section 56) of Division 1), or protected health information that is collected by a covered entity or business associate subject to HIPAA (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (HITECH). In these cases, data is exempt and not subject to CCPA.
However, this leaves some potential gaps of information, both medical and non-medical, that may be used by healthcare organizations that would be subject to CCPA. Healthcare companies should consider non-medical information attached to the medical file, medical information used for marketing purposes and/or medical information used for research and development purposes without authorization/consent.
The issue of de-identified and aggregated data that contains personally identifiable information (PII) further complicates what is and isn’t covered by the CCPA’s HIPAA exceptions. This type of information—data that is aggregated into analytics systems to show high-level trends, business metrics or other non-personally identifiable insights—may be potentially identifiable as personal data. Many organizations do use HIPAA regulated information in their large-scale analytics and industry benchmarking. Now, that information may slip into the realm of CCPA protected data, introducing new complexities for how it can be used in aggregated analytics systems—and how it can be accessed, reviewed or removed from those systems in response to a data subject request. While de-identified data is exempt from CCPA, ensuring that data is truly de-identified becomes an important process to undertake. This process includes both implementing technical safeguards and procedural safeguards to ensure the data is specifically prohibited from being re-identified.
Nuances in Breach Notification Rules
There are also some new considerations for healthcare organizations regarding notice of a data breach event. HIPAA requires governed entities to notify patients when their unsecured personal health information (PHI) is accessed or disclosed outside of any authorizations the patients may have signed. HIPAA includes several exceptions to this rule. The first applies to unintentional acquisition, access or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if it was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of PHI by an authorized party to another authorized party or organized healthcare arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the privacy rule. The final exception applies in the event that a good faith belief exists that the unauthorized person to whom the disclosure was made would not have been able to retain the information.
The issue becomes murkier if a breach falls within one of the above exceptions, but to data also under the jurisdiction of other privacy laws. Such an event may trigger additional notification requirements. In its current form, the CCPA does not expand on any obligations under existing general data breach notification sections of the California Civil Code and Health and Safety Code.
The CCPA follows California’s existing data breach notification law, in which notification obligations are only triggered for breaches involving “personal information.” This is currently defined as a first name or initial and last name in conjunction with a social security number, driver’s license number, California identification card number, account number or financial card number in combination with a password, medical information, health insurance information or information collected through an automated license plate recognition system. AB-1130, The Notification Bill, which passed in October, expands the definition of personal information by adding, “other government-issued identification numbers” and “unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, or other unique physical representation or digital representation of biometric data.”
Private Rights of Action
While HIPAA does not include a private right of action for citizens (some states may provide rights of action for a violation), the CCPA does. Individuals or classes may pursue legal recourse against healthcare organizations for violations involving data stolen or improperly accessed in the unencrypted and unredacted form if the breached data is not subject to the caveats for exemption under HIPAA or other laws.
For data covered under HIPAA, organizations are not required to alert customers to use of a third party where that party executes a Business Associate Agreement (BAA). This will change under CCPA. Healthcare companies will need to notify customers and obtain informed consent in order to allow any third parties to access, receive, process, use or store personal data. Like the breach notification requirements, there will be some exceptions to this rule, for information covered under other regulations.
Healthcare organizations subject to CCPA cannot rely on HIPAA as a failsafe for CCPA compliance. These organizations must ensure that existing procedures are aligned with new requirements for data that is not covered and exempt by other regulations. Businesses, led by legal and compliance, must be proactive and seek support from data privacy experts that can identify the gaps, advise on pitfalls and provide best practices. Investing in a strong data privacy posture now will better position companies as new state and/or federal laws emerge.