The CCPA and the Iffy Territory of the “HIPAA exemption”

A brief recap: The California Consumer Privacy Act (CCPA) aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. The CCPA takes effect January 1, 2020. And as we said in an earlier blog article, you don’t have to be a California-based business to be affected.

The CCPA was amended in September 2018 to include an exemption for protected health information (“PHI”) collected by a covered entity or business associate subject to HIPAA (aka the “HIPAA exemption”). At the same time, the Act was amended to also exempt “Medical Information” already covered by the state’s Confidentiality of Medical Information Act (CMIA). Medical information as defined in the CMIA is identifiable information about a patient’s medical history or condition that is held by a healthcare provider, healthcare service plan, pharmaceutical company, or contractor. This is not your garden-variety “contractor” that’s also a business associate under HIPAA. It’s a much narrower definition, and essentially equals a health-related organization that is not a service plan or provider.

Before you celebrate being “HIPAA exempt…”

Where’s the problem? Well – the CCPA regulates the types of personal information that are to be protected, and not the types of businesses to be regulated. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Examples of personal information provided in the text of the law include:

  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.

On the other hand, to the extent that PHI is actually defined in HIPAA, it’s defined as “individually identifiable health information” that’s maintained or transmitted electronically or in any other form or medium. Individually identifiable health information (IIHI) is information that a covered entity creates or receives. IIHI relates to the past, present, or future physical or mental health or condition of an individual; treatment of the individual; or the past, present, or future payment for health care to an individual. IIHI also can be used to identify the individual.

Still wondering “what’s the issue?” Let’s say that you’re a large health system that collects information from people who access your websites in order to gauge what those visitors use your website(s) to do. Or let’s say that you’re a business associate that provides services to a health plan – and its members – through a mobile app. In both of those cases, you’re collecting personal information as the CCPA defines it. And in both cases, you may be hard-pressed to make the argument that the information you are collecting is PHI.

What can you do? What should you do?

  1. Pay attention to California’s General Assembly and Attorney General. The California General Assembly is considering a number of bills that make clarifying changes to CCPA text. To date, none of them address the issue identified above. The California Office of the Attorney General is engaged in a rule-making process, with an initial notice of proposed rule-making anticipated in Fall 2019.
  2. Start developing an inventory of personal information that you collect that isn’t protected health information.

Check in here for the next CCPA-related post, a more in-depth discussion of personal data and other unexpected challenges the regulation brings.

Talk to Julia Huddleston, CIPP, CIPM about your data privacy concerns, including regulations like the CCPA. You can reach Julia at 503-384-2538.