Healthcare Organizations Face Legal and Technological Challenges Achieving CCPA Compliance
Healthcare organizations that are required to comply with the California Consumer Privacy Act (CCPA) are facing challenges achieving compliance, according to a new study published in the Health Policy and Technology – DOI: 10.1016/j.hlpt.2021.100543
The CCPA was signed into law on June 28, 2018 and took effect on January 1, 2020. The aim of the CCPA was to give California residents greater control over their personal data and how their information can be used.
The CCPA gave California residents the right to be informed about their personal data that will collected, whether their data may be sold or disclosed, to whom disclosures may be made, and to opt out of the sale of their personal data. They were also given the right to view the personal data held by a company covered by the CCPA, to request their personal data be deleted, and not to be discriminated against for exercising their rights under the CCPA.
The researchers conducted the study to explore any potential challenges associated with CCPA compliance for healthcare organizations, which involved interviews with 19 digital privacy and information system experts. The researchers found there to be perceived legal and technological challenges for healthcare organizations trying to comply with the CCPA.
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
The CCPA is mostly concerned with the use of individuals’ personal data by large consumer-facing technology companies, but the CCPA has had a significant impact on healthcare organizations. HIPAA-eligible information is exempt from the CCPA, but the researchers explained that there are some types of data which are collected by HIPAA regulated entities that potentially fall within the jurisdiction of the CCPA. For those types of data there is regulatory ambiguity, which could result in legal issues for healthcare organizations that do business with California residents.
“A lack of regulatory clarity and a low likelihood of enforcement emerged as two major themes of legal concern,” explained the researchers. “Poor data discovery and inventory processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high cost of compliance emerged as significant technological hurdles to CCPA compliance.”
There is confusion due to the CCPA’s broad definition of business and consumer companies that collect user data and deploy cookies, and the interplay between HIPAA and the CCPA creates some unintentional hurdles when it comes to compliance. One of the key issues covers healthcare data collected by healthcare organizations that is not classed as protected health information and is therefore not subject to the HIPAA Rules. In such cases, healthcare organizations may need to comply with the requirements of the CCPA.
“From an implementation perspective, our study finds that the more visible components of CCPA compliance, such as building a website or setting up a helpline service for consumers to raise data access requests, are easy to accomplish,” wrote the researchers. “However, the task of ensuring an accurate inventory of all the consumer data collected and stored within the organization will be a challenging endeavor.”
A considerable amount of additional data is also now being captured and collected due to the COVID-19 pandemic, and the speed at which systems had to be developed to record, store, and share that information for contact tracing and COVID-19 testing meant there was little time to ensure adequate privacy safeguards were implemented. For healthcare organizations, it is unclear in many cases whether these types of data falls under the CCPA.
The advice of the researchers for healthcare organizations doing business in California is to ensure they develop compliance plans proactively. If discovered not to be compliant they could be forced to make last-minute implementations to avoid financial penalties and could face expensive litigation.