The ways in which businesses collect and use consumer data have been a cause for concern for many people. The sale of personal information has been largely unregulated, causing many states to implement their own privacy laws to better protect the personal information of their residents. 

The California Consumer Privacy Act (CCPA) enacted on June 28, 2018, established four rights in regards to personal information. This includes:

  1. The right to know what personal information a business has collected about them, where they obtained the information, what its used for, if its being sold or disclosed, and who is its being sold to.
  2. The right to “opt out” of allowing businesses to disclose or sell their personal information to third-parties. 
  3. The right to have their personal information deleted from a business.
  4. The right to be treated equally by the business in terms of pricing and service if they choose to “opt out.”

However, the CCPA doesn’t apply to protected health information (PHI), leading many business associates (BAs) and covered entities (CEs) to believe that they aren’t subject to the law. Healthcare entities subject to HIPAA law may also be held to CCPA law in the following areas:

  • Personal information that has not been collected as part of the treatment, operations, or payment

Some covered entities (CEs) collect personal information from individuals who are not patients for the purpose of community engagement or marketing. This can be through individuals accessing the CEs website. They may use geolocation, cookies, or track consumer purchase behavior. 

  • Personal information that is excluded from the HIPAA definition of PHI

Information that identifies an individual by was not created or received by a health plan or healthcare provider. This can be information collected by an app directly for an individual or health information provided to a workers’ compensation carrier. 

  • Personal information that was considered PHI but has since been de-identified under HIPAA

Requirements for de-identification of personal information are different under HIPAA and CCPA. Therefore, information de-identified under HIPAA can still be considered personal information under CCPA.

  • Personal information that was derived from PHI but is not considered PHI

Since the definition of personal information under CCPA is very broad it covers inferences made from PHI.

  • PHI used for research in accordance with HIPAA 

There are specific safeguards set forth by CCPA in regards to disclosure of PHI for research purposes. PHI must be de-identified and it cannot be used for commercial use.