Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.
It seems like there’s a report of another data breach almost every day. In response to such breaches, a number of proposals for legislation related to breaches and personal privacy have been made at both the federal and state levels. Some proposals are pending and others have been enacted into law. In this month’s post, I’m taking a look at what California has done and how healthcare providers might be impacted.
In June of 2018, California enacted the California Consumer Privacy Act (CCPA). Here is the declared purpose of the CCPA:
“*** the bill would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified. The bill would grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of 3rd parties to which the information was sold or disclosed. The bill would require a business to provide this information in response to a verifiable consumer request. The bill would authorize a consumer to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data. The bill would authorize businesses to offer financial incentives for collection of personal information. The bill would prohibit a business from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in. The bill would prescribe requirements for receiving, processing, and satisfying these requests from consumers. The bill would prescribe various definitions for its purposes and would define ‘personal information’ with reference to a broad list of characteristics and behaviors, personal and commercial, as well as inferences drawn from this information. The bill would prohibit the provisions described above from restricting the ability of the business to comply with federal, state, or local laws, among other things.”
“Personal information” is defined very broadly. It includes, among other things, “biometric information,” which is itself defined to mean:
“an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”
However, the CCPA does NOT apply to, among other things:
“This act shall not apply to protected or health information that is *** governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services *** established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of ‘medical information’ in *** shall apply and the definitions of ‘protected health information’ and ‘covered entity’ from the federal privacy rule shall apply.”
This translates into a simple proposition: “protected health information,” whether electronic or paper, is not within the scope of the CCPA. Or so it seems.
In my post on January 16, 2019, “When an Employer Fails to Protect Employee Personal Information,” I discuss how the information at issue in the judicial decision was “personal” in nature and had been collected by the defendant from its employees. That employment information presumably includes at least medical information not collected for treatment purposes. Such information is presumably outside the scope of HIPAA and the CCPA will apply.
The CCPA (which will go into effect in 2020) imposes what might be onerous obligations on healthcare entities within its scope and establishes a number of rights for California residents. Moreover, it can be applicable to healthcare entities outside California if those entities derive sufficient revenue from contacts with California residents.
Using the CCPA as an example of any law that addresses privacy rights and/or data breaches, what questions might arise whenever a healthcare provider is faced with such a law? First, does the law apply to the healthcare provider? Second, how does the law address information subject to HIPAA? Third, assuming that the law exempts information subject to HIPAA, what other information does the law apply to? These are only a few of the many questions that should come to mind.
**Editor’s Note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as legal advice.