The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020 and regulates most entities that collect personal information of California residents.  CCPA was patterned after the European Union’s General Data Protection Regulation (GDPR) which went online on May 28, 2018 and has been called “GDPR-Lite.”  In May, Fox Rothschild partner Odia Kagan described when CCPA applies in an Alert that listed the categories of entities who are affected: generally,  for-profit businesses who do business in California, collect California consumers’ personal information and determine the purposes and means of processing that information, and have at least $25 million in annual gross revenues, buy, sell, share and/or receive the personal information of at least 50,000 California consumers, households or devices, per year, or derive at least 50 percent of their annual revenue from selling California consumers’ personal information, as wells as entities that control or are controlled by such businesses and share common branding.  Each of those terms has a technical definition that should be carefully reviewed.   But isn’t there a HIPAA exception?

Yes, CCPA contains a carve-out for HIPAA covered entities, but it is not as broad as you may have heard.  In a recent alert entitled  Where HIPAA Stops, CCPA Begins – Why Covered Entities and Business Associates Cannot Ignore the New California Data Privacy Law, Fox Rothshchild partners Odia Kagen and Elizabeth Litten explain when information that appears to be exempt PHI may fall under the new CCPA:

Personal information created, received, maintained or transmitted by companies subject to HIPAA is likely subject to CCPA if it falls into one of the following five categories:

  1. It is not created or collected as part of the payment, treatment or health care operations trifecta
  2. It was never PHI (or is excluded from the definition of PHI) under HIPAA
  3. It was once PHI, but has been de-identified under HIPAA
  4. It is not PHI, but is derived from PHI
  5. It is PHI that is used for research purposes in accordance with HIPAA

The bottom line is that what you think is PHI and exempt from CCPA may not be covered by the carve-out after all. For details, see the Alert.