California’s landmark privacy law will have ‘subtle’ effect on hospitals

A landmark state privacy regulation that goes into effect in January will have a “subtle” effect on hospitals, despite significantly altering how other businesses treat consumer data in California, privacy experts say.

The new law, dubbed the California Consumer Privacy Act, has a number of carve-outs for healthcare organizations, though it may change data practices for some for-profit health systems.

“There’s no question that this law is a huge, huge advancement for consumer privacy, and data privacy in general,” with clear changes for many businesses, said Dr. Mason Marks, a visiting fellow at Yale Law School’s information society project and an assistant professor of law at Spokane,Wash.-based Gonzaga University School of Law.

But changes for hospitals and health systems are more “subtle” and “difficult to anticipate,” as healthcare providers are already covered under existing privacy laws, he said.

The CCPA only applies to for-profit companies that do business in California, but it could play a role in raising protections for consumer data across the U.S., Marks added. Companies that operate nationwide or in multiple regions often apply principles from the most restrictive state requirements across their business, since it can be difficult to manage separate data processes for different states.

The CCPA is meant to provide California residents with “control over the use of our personal data,” California Attorney General Xavier Becerra said in a statement earlier this year. It requires companies with more than $25 million in annual gross revenue or that hold a significant amount of consumer data to notify consumers about what information the company is collecting and their data-sharing practices.

Notably, consumers will also be allowed to ask businesses to delete information that a company has collected on them and to opt out from their data being sold to third parties.

But the law, despite being signed in June 2018, is still unsettled, said David Holtzman, an executive advisor at cybersecurity consulting firm CynergisTek. The details yet to be ironed out might affect health systems looking to comply with the regulation.

“Our understanding of this law is evolving,” Holtzman said.

Although the law goes into effect Jan. 1, 2020, the state Legislature passed new amendments in September and California’s attorney general has yet to finalize regulations—which were proposed late this year—on how his office plans to implement the CCPA.

That means it’s “likely that the implementing regulations will not be finalized until the law takes effect,” Holtzman said, adding that under the law, CCPA enforcement may not begin until July.

Many hospitals and health systems in California will be exempt from the CCPA because they are not-for-profit organizations. Only large, investor-owned hospitals will fall under its purview, according to Lois Richardson, the California Hospital Association’s vice president and legal counsel.

The law also includes carve-outs for healthcare data and won’t change patient privacy protections. The CCPA doesn’t apply to protected health information collected by organizations covered by existing privacy laws, such as HIPAA and California’s Confidentiality of Medical Information Act.

The exemptions also mean that it wouldn’t apply to data sharing that’s performed as part of business associate agreements between health systems and other companies, including tech giants like Google. The law was designed to target companies whose “business model is to collect and sell consumer information” rather than healthcare organizations, according to Richardson.

But for-profit health systems aren’t off the hook. It may require litigation to clarify the boundary between “data that’s considered health information, and data that’s considered personal information, but not health information,” Marks said.

Large, for-profit health systems will need to pay most attention to data they collect from employees and job applicants after 2021, since the CCPA treats employees as consumers, according to Holtzman.

Other types of data collected by for-profit providers, such as information used for marketing, fundraising or at gift shops, could also fall under the CCPA. The CCPA also covers digital data, which could affect for-profit providers with websites that collect IP addresses or tracking cookies from online visitors in California.

Health systems “need to evaluate what data they’re collecting in order to really determine whether, and to what extent, their data is exempt from the law,” said Kim Gold, a partner with Reed Smith who co-leads the law firm’s HIPAA and health privacy practice.

Non-provider health and wellness companies, such as fitness apps and wearables that traffic in user data not covered by HIPAA, will more acutely feel the effects of the law.

“Particularly a lot of the wearables are going to have to make some pretty substantial changes, because this is very different than the way they’ve been dealing with data so far,” said Anne Kimbol, chief privacy officer at HITRUST, a security standards development and certification organization. “They’ll have to interact with customers when it comes to their data.”

But even hospitals that are exempt from the law should prepare for possible patient confusion, Richardson said. Patients who are aware of the CCPA might not understand the carve-outs for not-for-profit organizations or HIPAA information, and could ask for their data to be deleted—putting hospitals in a position where they have to explain details of the law.

“We might have to straighten out some confused consumers,” she said.