As Fox partner Odia Kagan posted yesterday, early enforcement of CCPA will focus on data related to kids. In addition, according to a recent article in the San Francisco Chronicle, the California Attorney General will focus on how large companies that deal with sensitive information, including health data, comply with CCPA.
A post this past summer warned that compliance with HIPAA or California’s Confidentiality of Medical Information Act (CMIA) does not give a free pass for HIPAA-regulated covered entities, business associates, or subcontractors or CMIA-regulated providers to ignore CCPA. CCPA does not apply to protected health information governed by HIPAA or to medical information governed by CMIA. CCPA also does not apply to a covered entity subject to HIPAA or a provider of health care subject to CMIA, but there’s a caveat: the covered entity or provider must maintain “patient information in the same manner as medical information [maintained under CMIA] or protected health information [maintained under HIPAA].”
This exclusion leaves HIPAA business associates and subcontractors that are otherwise in scope for CCPA out in the cold. It also forces covered entities and CMIA providers to make sure they maintain all personal information that might also be “patient information” in the same manner as they maintain protected health information and medical information.
For example, if a consumer (who also happens to be a patient or who later becomes a patient) checks out a health care facility’s website to see if a particular type of care is offered or to get directions to the facility, it is unlikely that the data collected as a result of the consumer’s use of the website is maintained “in the same manner” as protected health information. If the facility sells this data (say, perhaps, hits on a sleep center page to a mattress or sleep aid manufacturer) and the AG views the data as sensitive health data, the fact that the facility complies with HIPAA with respect to its maintenance of protected health information is likely not going to impress the AG.
Although the California AG will not commence enforcement activities until July 2020, entities subject to HIPAA or CMIA should take note of the AG’s comments and evaluate the need for CCPA compliance now.