The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This law increases privacy protections for California residents. However, larger organizations, with more than $25 million in gross annual revenue or organizations with information on 50,000 consumers, may be subject to a HIPAA exemption, meaning they may not be subject to the requirements of the CCPA. The CCPA HIPAA exemption is discussed in further detail below.
What is the CCPA HIPAA Exemption?
The CCPA HIPAA exemption is two-fold, with the first part dealing with the protected health information (PHI) that is collected by a covered entity or business associate. The second part is less clear, dealing with covered entities that maintain PHI in a certain way.
- Part 1 of the CCPA HIPAA exemption (California Civil Code 1798.145(c)(1)(A)): PHI collected for the treatment, payment, or healthcare operations would qualify for the CCPA HIPAA exemption. However, health information that is collected for other purposes would not fall under the CCPA HIPAA exemptions, and would be subject to the stricter privacy laws set forth by the CCPA.
- Part 2 of the CCPA HIPAA exemption (California Civil Code 1798.145(c)(1)(B)): A covered entity may qualify for the CCPA HIPAA exemption under part 2. Part 1 exempts PHI, while Part 2 exempts providers, under certain circumstances.. A covered entity governed by the the HIPAA privacy, security, and breach notification rules, is exempt from the CCPA to the extent the covered entity properly safeguards PHI under HIPAA. This means that if a covered entity is not compliant with one or more HIPAA regulations, the covered entity is not in complete compliance with the CCPA.
For a detailed look at CCPA please click here.
What Else May the CCPA HIPAA Exemption Apply to?
There are other types of information covered by the exemption, such as de-identified information, some information collected for clinical trials, and aggregate consumer information. Additionally, medical information already covered under California’s Confidentiality of Medical Information Act, is also exempt.
Health Apps and CCPA
The data collected by health apps, in many cases, is medical in nature. However, unless the app was developed by a covered entity or business associate with the purpose of allowing patients to monitor their health, the data would not be considered PHI. As such, the data collected by health apps is subject to the strict privacy laws set forth by CCPA.
Marketing Data and CCPA
Much like the data collected by health apps, data collected strictly for marketing purposes would be subject to CCPA. Marketing data is data that is collected from consumers by entities that are not covered entities or business associates.