E-News Exclusive

California’s New Privacy Law Will Impact Health Care Across the Country

By David Holtzman, JD, CIPP/G

The California Consumer Privacy Act of 2018 (CaCPA) will affect almost all health care companies processing personal information of California residents beginning January 1, 2020. Conceived and signed into law in about one week’s time under threat of the certification of a well-financed and popular ballot initiative, CaCPA had little public debate and is poorly drafted to the extent that many key terms were left undefined or appear to have contradictory applications within the statute. However, CaCPA also creates new enforcement mechanisms whose penalties could cripple many businesses.

CaCPA requires “businesses” that have some role in the “processing” of California “consumers’” “personal information” to provide a long list of privacy rights, including a notice of privacy policies, the right to request an accounting of disclosures, the right of access to their personal information, and the right to have their personal information deleted. Legal experts agree that CaCPA defines these terms very broadly and that the act will apply to organizations across health care that are processing these data throughout the United States and the world.

Understanding the scope of organizations to which CaCPA will apply and the personal data to which it protects is complicated. CaCPA defines a “business” as any organization that is formed to make a profit for its owners or shareholders. Legal experts cannot agree if this will apply to some organizations assumed to be not-for-profits like a public benefit corporation.

The law applies to any business that “collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California” and satisfies one of the following three requirements:

• annual gross revenues of $25 million;
• “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices”; or
• receives 50% or more of its revenues from selling consumer data.

Parent companies and subsidiaries using the same branding are covered in the definition of “business,” even if they themselves do not exceed a specific threshold.

Among its many provisions, CaCPA puts strict limits on the sale of personal information and the need to provide consumers the opportunity to opt out. The expansive definitions applied to “sale” and “personal information” will force many businesses in the health care industry to create new processes to communicate the option to opt-out and track the choices consumers make if they elect to exercise their rights under CaCPA.

CaCPA carves out an exclusion for protected health information (PHI) collected by a covered entity subject to the California Confidentiality of Medical Information Act (CMIA) or HIPAA. However, many companies will find that CaCPA’s exemption for PHI does not cover large swaths of the data processed in the health care industry. Examples where CaCPA might apply include the following:

• data about employees except in connection with a health plan that is a HIPAA-covered entity;
• personal information held by a HIPAA business associate because they are not provided an exemption from CaCPA and they also may receive information from health care organizations that are not covered entities;
• information collected by HIPAA-covered entities from consumers that is not PHI; and
• businesses that are not covered by HIPAA or the CMIA (eg, genetic testing providers, medical device monitoring companies, vendors of wearables, cloud-based EHR companies, pharmaceutical manufacturers, health and wellness product retailers, and for-profit assisted living facilities).

CaCPA excludes the collection or sale of “a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California, if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold.”

The exceptions to the exclusion seem to mean that even if the business’ information collection took place while the California consumer was standing in Iowa, CaCPA’s provisions would apply to a later “sale” of that personal information if made while the consumer had their feet planted in the Golden State.

Although many believe that CaCPA was meant to concern itself only to businesses that collect information online, it clearly applies also to the nonelectronic information collected by brick and mortar businesses. CaCPA’s provisions state it is “not limited to information collected electronically or over the internet, but [applies] to the collection and sale of all personal information collected by a business from consumers.”

A fair reading of CaCPA would conclude that the law applies to almost any business enterprise, large or small, whether it conducts its activities online or through in-person interaction (eg, an office setting or retail storefront).

All eyes are on California for what’s next. Will the California legislature amend CaCPA or delay its effective date? How will the California attorney general fashion regulations concerning how the law will be applied and to whom? Will companies that do not have a California presence bring legal challenges that CaCPA violates the US Constitution? Will Congress step in to preempt the law?

A 19th-century New York jurist once wrote, “No [person’s] life, liberty, or property are safe while the Legislature is in session.” CaCPA is a 21st-century example of a state legislature that has run amok.

— David Holtzman, JD, CIPP/G, is vice president for compliance strategies at CynergisTek.

Update: The leaders of the California legislature have agreed on a package of technical corrections for CaCPA to be passed in the coming weeks. Among the amendments is an expansion of the exemption for information that is subject to HIPAA. The bill will clarify that CaCPA will exempt PHI collected by a covered entity or business associate governed by the privacy, security, or breach notification rules. Without this amendment, the exemption in CaCPA would apply only to PHI collected by HIPAA covered entities.