The Interaction of HIPAA and CCPA

HIPAA and CCPA

In 2018, the state of California passed privacy legislation known as the California Consumer Privacy Act (CCPA). The CCPA is a comprehensive data protection legislation. Under the CCPA, entities that handle the personal information of California residents are subject to restrictions as to how the information may be used. HIPAA and CCPA interact clearly: The CCPA, by its terms, does not apply to HIPAA-covered entities and business associates. 

To Whom Does the California Consumer Privacy Act Apply?

The coverage of the California Consumer Privacy Act is broad. The following entities must comply with the California Consumer Privacy Act:

Entities that collect consumer personal information

Entities that determine the purposes and means of processing that personal information

Entities that do business in California, and that meet one of the following thresholds:

  Have an annual gross revenue that exceeds $25 million;

  Annually buy, receive for commercial purposes, sell, or share for commercial purposes personal information relating to 50,000 or more consumers, households, or devices; or

  Derive more than 50% of their annual revenue from selling consumers’ personal information.

What is “Personal Information” Under the CCPA?

Under the CCPA, personal information includes any information that:

Identifies;

Relates to;

Describes; 

References;

Is capable of being associated with; or

Could reasonably be linked to, directly or indirectly,

A particular consumer or household.

The CCPA grants consumers (i.e., California residents) specific rights. These rights include:

The right to request deletion of personal information

The right to access personal information

The right to opt out of the sale of personal information

The right to be free from discrimination

How Do HIPAA and CCPA Interact?

HIPAA and CCPA directly interact. The CCPA “carves out,” or excludes, “HIPAA covered entities” and “business associates” from its requirements; the CCPA also does not apply to protected health information (PHI), as that term is defined under HIPAA.

How Else Do HIPAA and CCPA Interact?

Despite the existence of these carve-outs, personal information (as that term is defined under the CCPA) that is created, received, maintained, or transmitted by entities subject to HIPAA is likely also to be subject to the CCPA under a number of circumstances. These are discussed below.

Collection of personal information from non-patients and non-plan members

Covered entities, as that term is defined by HIPAA, perform activities that involve the collection of personal information, as the term “personal information” is defined under the CCPA. Such personal information is often collected from individuals who are neither patients nor enrollees in a health plan. For example, covered entities, in the course of their business, may collect geolocation data from employee smartphones. This personal information does not constitute PHI, but it falls under the definition of CCPA “personal information,” and as such is protected under the CCPA. Therefore, covered entities ARE subject to the requirements of the CCPA whenever the information they collect is personal information.

PHI That Has Been De-Identified Under HIPAA 

Under the HIPAA Privacy Rule, once PHI has been properly de-identified, it is no longer considered PHI. Therefore, the de-identified information is no longer subject to the HIPAA Privacy Rule. Since the CCPA “carves out” PHI from its terms, once the information is no longer PHI, it is no longer subject to the carve-out. Therefore, information that has been de-identified under HIPAA may nonetheless constitute personal information under the CCPA, and covered entities must observe CCPA requirements with respect to it.

Information that is not PHI, but is derived from PHI

The CCPA definition of personal information is extremely broad. One of the eleven types of information that constitutes “personal information” under the CCPA is “inferences” – specifically, “inferences drawn from … [information] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

The CCPA (not particularly helpfully) defines the term inference as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.”

With the CCPA now in effect as of January 1, 2020, court challenges to the law may result in clarity with respect to the phrases “derive” and “inference.” Until then, common sense can be used to determine what type of inference constitutes “personal information.” For example, if inferences are drawn from protected health information, and that information is then used to create new data that in turn is used for marketing activities, the new data is likely “derived” from, or drawn from, PHI. As such, the information is personal information, subject to the CCPA.