How Does CCPA Affect Healthcare Privacy?

Author: Ethan Heilig

For the last two decades, the Healthcare Insurance Portability and Accountability Act (HIPPA) has been the policy that regulated healthcare data in the U.S by making it illegal to share medical information with people or organizations that the patient did not preapprove. However, the scope of data protected by HIPPA is limited. According to Sateyender Goel, an adjunct professor at the University of Chicago, HIPPA only applies to 'covered entities' with 'protected health information' (PHI). Covered entities are people or organizations responsible for administering health care, including doctors, nurses, company healthcare plans, health insurance companies, and health care clearinghouses. According to the HIPPA Journal, PHI 'is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity.'

The California Consumer Protection Act (CCPA), which will take effect in January 2020, expands HIPPA. Data currently protected by HIPPA will not fall under the CCPA it's HIPPA exemption. The CCPA will, however, expand the scope of protected data to include information that does not fall under the definition of 'covered entities' or PHI. Specifically, the CCPA applies to all Californian for-profit companies that operate above a particular data processing and revenue benchmark. The CCPA fills in the gaps in healthcare data regulation, which will have three main impacts.

First, under the CCPA, all individuals interacting with healthcare organizations will have their data protected. Under CCPA, data from patients and employees will be safeguarded alike, not just the identifiable medical information of patients. The CCPA will protect healthcare data, as HIPPA did. But it also includes personal information that is not necessarily medical in nature (i.e., home address, payment information, who is in your family).

Second, the CCPA requires data to be protected by all large (as defined by revenue and volume of data processed), for-profit California companies, not just 'covered entities.' Previously, organizations that held identifiable medical information but were not 'covered entities' were not expected to comply with HIPPA standards. For example, the famous watch FitBit collects PHI like heart rate, height, weight, activity, and glucose levels, but it does not comply with HIPPA because it is not a covered entity. The CCPA will change this scenario, companies that collect personal information of any kind, including PHI, are required to protect that data. 

Third, though the CCPA only applies to companies that 'operate' in California, healthcare companies doing business in California will have to apply CCPA standards to their entire U.S. practice. Previously, healthcare corporations were governed by a patchwork of state and federal laws. Data regulation laws depended on the laws of the state where the organization practiced, which meant that two hospitals that were part of the same company but operated in different states could have two entirely distinct data regulation laws. The CCPA breaks down this state-level silo. Any healthcare corporation that does business in California must apply the same rigorous data collection and protection standards to all of its locations, regardless of the state.