What is the CCPA HIPAA Exemption?
The CCPA HIPAA exemption consists of two clauses in the California Consumer Privacy Act that exempt HIPAA covered entities from complying with the Act and with the subsequent amendments enacted by the California Privacy Rights Act. The CCPA HIPAA exemption also applies to business associates in respect of Protected Health Information created, received, maintained, or transmitted by a business associate on behalf of a covered entity.
The California Consumer Privacy Act (CCPA) is a state law that enhances the privacy rights of California residents. The CCPA applies to all businesses that collect California residents’ personal information and that have gross revenues in excess of $25 million per year, that buy, receive, or sell the personal information of 100,000 or more California residents or households, or that earn more than half of their annual revenue from selling California residents’ personal information.
The CCPA gives California residents the right to know what information is being collected from them and how it is used or shared. It also gives California residents the rights to delete personal information collected from them and to opt out of the sale or sharing of personal information. Since January 2023, California residents also have the rights to correct inaccurate personal information and to limit uses and disclosures of sensitive personal information (e.g., Social Security numbers).
The CCPA HIPAA Exemption
The CCPA HIPAA exemption appears in two places in §1798.145(c)(1) of the California Civil Code. Subparagraph A of the Section exempts “Protected Health Information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations”.
Via subparagraph B, the CCPA HIPAA exemption also applies to “a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations […] to the extent the covered entity maintains patient information in the same manner as Protected Health Information as described in subparagraph A of this section”.
What these two subparagraphs mean is that any information that qualifies as Protected Health Information is always exempted by the CCPA HIPAA exemption. However, personally identifiable information that is maintained outside of a designated record set (e.g., for marketing or fundraising purposes), and that is not protected in the same manner as Protected Health Information, is not exempted by the CCPA HIPAA exemption.
How The Exemption Can Create HIPAA Compliance Challenges
The distinction between exempted Protected Health Information and non-exempted personally identifiable information can create HIPAA compliance challenges. These occur when different members of the workforce are assigned different access permissions to comply with the Administrative Safeguards of the HIPAA Security Rule relating to workforce security and information access management.
It could be the case that workforce members engaged in (for example) marketing activities have access to databases of personally identifiable information that do not qualify as Protected Health Information because the information does not relate to an individual’s health condition, treatment for the health condition, or payment for the treatment. These databases would not be covered by the CCPA HIPAA exemption unless they are protected in the same manner as Protected Health Information.
Protecting a marketing database in the same manner as Protected Health Information involves applying all the standards and implementation specifications of the HIPAA Security Rule to the marketing database. This could include processes not normally associated with non-health information, such as log-in monitoring, audit logs, and disaster recovery plans. If marketing activities are outsourced, it will also be necessary to enter into a Business Associate Agreement with the marketing company.
While these are good best practices to adopt, they may limit workforce members’ access to the information they need to do their jobs. This can lead to shortcuts being taken (e.g., impermissibly sharing login credentials) and to a culture of non-compliance developing. For this reason, covered entities that might be covered by both HIPAA and the CCPA are advised to seek independent compliance advice on how best to resolve potential challenges and best protect non-health information.