By Ronald J. Hedges, JD, and Gail L. Gottehrer, JD
As long as HIPAA has been the law of the land, the Covered Entities (CEs) that comply with it have always had to consider state privacy laws—which often are more stringent—and operate in concert with both. With the passage of the California Consumer Privacy Act (CCPA) and the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) in New York, CEs would be wise to consider how this new legislation, HIPAA, and existing state cybersecurity and privacy frameworks interact.
The California Consumer Privacy Act
The California legislature passed the CCPA in 2018 and enforcement of the law by the attorney general begins on July 1, 2020. The CCPA defines “personal information” broadly, as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.” Personal information includes:[1]
- Personal identifiers, such as a real name, alias, postal address, unique personal identifier, IP address, email address, account name, Social Security number (SSN), driver’s license number, passport number, or other similar identifiers
- Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies
- Internet or other electronic network activity information, including but not limited to browsing history, search history, and information regarding a California resident’s interaction with an internet website, application, or advertisement
- Geolocation data
- Biometric information
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
The CCPA confers various rights on California “consumers,” who are defined broadly to be persons who are California residents, including individuals who are in the state for something other than a temporary or transitory purpose, and individuals who are domiciled in California who are outside the state for a temporary or transitory purpose. California consumers have the right to:
- Know what personal information is being collected about them
- Know whether their personal information is sold or disclosed and to whom
- Say no to the sale of personal information
- Access their personal information
- Equal service and price, even if they exercise their privacy rights
Under the CCPA, a “business” is a legal entity (sole proprietorship, partnership, limited liability company, corporation, association) organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information (or on whose behalf such information is collected), that alone or jointly with others determines the purposes and means of the processing of consumers’ personal information, that does business in the state of California, and that satisfies one or more of the following criteria:[2]
- Has annual gross revenues in excess of $25 million
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information
Given the breadth of these definitions, at least some healthcare providers or business associates should expect to be subject to the CCPA. The CCPA, however, has a HIPAA-related exception that appears to take any protected health information (PHI) governed by HIPAA outside the scope of the CCPA. In other words, given HIPAA’s comprehensive approach to PHI, the CCPA has deferred to federal enforcement of HIPAA for any PHI that is governed by it. So, for example, although the CCPA would not apply to a data breach of PHI held by a healthcare provider, it would apply to a breach of the personal information of that provider’s employees (unless the breach involved an employee’s PHI). The text of the exception is as follows:
“This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of ‘medical information’ in Section 56.05 shall apply and the definitions of ‘protected health information’ and ‘covered entity’ from the federal privacy rule shall apply.”[3]
The New York SHIELD Act
The SHIELD Act, which went into effect in 2019, defines “private information” broadly, to include either personal information (explained in the next paragraph) or a username or email address “in combination with a password or security question and answer that would permit access to an online account.”[4]
The SHIELD Act outlines several forms of personal information that would be considered private information. In this context, private information consists of any personal information in combination with one or more of several data elements, where either the data element or the combination of personal information and data element is not encrypted, or is encrypted with an encryption key that has been accessed or acquired. These data elements include:[5]
- An SSN
- A driver’s license number or non-driver ID number
- An account number, credit or debit card number, in combination with any required code or information that would permit access to an individual’s financial account
- Account number, credit or debit card number, if circumstances exist wherein the number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password
- Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics (e.g., fingerprint, voice print, retina or iris image) used to authenticate or ascertain the individual’s identity
The SHIELD Act applies to any person or business that owns or licenses private information of a New York resident. Given the breadth of these definitions, at least some healthcare providers or business associates should expect to be subject to the SHIELD Act. See the last section of this article for discussion of what this might look like for providers.
The SHIELD Act expands the breach notification requirement for the entities it regulates: notice is required following unauthorized access to, or acquisition of, computerized data that compromises the security, confidentiality, or integrity of private information maintained by a covered entity. Moreover, covered entities must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including a data security program that has reasonable administrative, technical, and physical safeguards. Unlike the CCPA, the SHIELD Act does not have “minimum” criteria for it to be applicable to a business; it applies regardless of the volume of information collected or the amount of revenue derived from the use or licensing of data of New York residents.
The SHIELD Act contains an exemption for the reporting of data breaches for HIPAA-related personal information (although notice of the breach must be reported to the New York attorney general).
The SHIELD Act also provides that a business that falls within its scope is deemed compliant with the Act’s reasonable security requirements if it is subject to and in compliance with HIPAA and HITECH regulations. This exception would appear to take any PHI that is subject to a data breach and is governed by HIPAA outside the scope of the SHIELD Act.
Relationship of the CCPA and SHIELD Act with HIPAA
Notably, both the CCPA and the SHIELD Act reference HIPAA and establish exemptions from their reach for data that is subject to HIPAA. The data that is subject to HIPAA is referred to as PHI, or health information that can be tied to an individual. Under HIPAA, PHI is information that includes one or more of the following 18 identifiers:[6]
- Names (full or last name and initial)
- All geographical identifiers smaller than a state, except for the initial three digits of a ZIP code if, according to the current publicly available data from the US Bureau of the Census, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) directly related to an individual
- Phone numbers
- Fax numbers
- Email addresses
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (including serial numbers and license plate numbers)
- Device identifiers and serial numbers
- Web uniform resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers (e.g., finger, retinal, and voice prints)
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
If these identifiers are removed, the information is then considered de-identified PHI and thus not subject to the restrictions of the HIPAA Privacy Rule.
The categories of identifiers listed in the definition of PHI are not identical to the types of information contained in the definitions of personal or private information in the CCPA or the SHIELD Act, respectively. Accordingly, healthcare providers and business associates will want to conduct an analysis of the types of information they collect to see what falls within and outside the scope of HIPAA and so may, or may not, be excluded from the CCPA and the SHIELD Act. Those entities will want to consider what that may mean in terms of their compliance programs and activities.
The US is in the early stages of data privacy and cybersecurity legislation at the state level, and the discussion about possible federal legislation on these subjects continues. Healthcare providers and business associates would do well to investigate what data privacy and security laws might apply to them and to consider how to respond to those laws.
The views expressed in this column are those of the authors alone and should not be interpreted otherwise or as advice.
- California Consumer Privacy Act, 2018 Cal. Legis. Serv. Ch. 55. Section 3, Title 1.81.5 of the CCPA, added to Part 4 of Division 3 of the California Civil Code. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.
- California Consumer Privacy Act, 2018 Cal. Legis. Serv. Ch. 55 (A.B. 375) (WEST). https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375.
- Stop Hacks and Improve Electronic Data Security Act (SHIELD ACT), 2019 NY Legis. https://legislation.nysenate.gov/pdf/bills/2019/S5575B.
- UC Berkeley. “HIPAA PHI: List of 18 Identifiers and Definition of PHI.” https://cphs.berkeley.edu/hipaa/hipaa18.html.
Ron Hedges (firstname.lastname@example.org) is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant. He is a senior counsel with Dentons US LLP. Gail Gottehrer (email@example.com) is the founder of the Law Office of Gail Gottehrer LLC.