CCPA and HIPAA: Important Intersections

What is CCPA?

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. This prompted many to ask: how does CCPA impact Covered Entities who comply with the HIPAA law?

CCPA is a California state law that establishes new consumer rights relating to the access of personal information that is held by businesses. CCPA defines personal information as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes Social Security numbers, demographic information, financial account information, and biometric data, as well as Internet browsing and search history.

Now that we’ve broadly defined CCPA, let’s take a look at how it intersects with HIPAA and applies to Covered Entities.

Who does CCPA apply to?

CCPA applies to all companies that serve California residents, whether they are based in California or not, which take in at least $25 million in annual revenue. This applies to total revenue, not just revenue in California. Companies of any size that have personal data from at least 50,000 people or that collect over half of their revenue from the sale of personal data must also comply with the law.

Despite its broad scope, the law does create certain exemptions designed around HIPAA. For example, CCPA does not apply to “medical information” as defined in the California Confidentiality of Medical Information Act (CCMIA) or “Protected Health Information” (PHI) as defined in HIPAA, which is collected by a Covered Entity or business associate.¹

What does this mean for HIPAA compliant businesses?

CCPA’s HIPAA exemption is meant to allow Covered Entities and Business Associates to continue following the privacy regulations laid out in HIPAA without interference from an additional law.

CCPA exempts an organization that “maintains patient information in the same manner” as PHI under HIPAA.

Until we see differently, healthcare providers and insurance agents may assume that the law’s HIPAA exemption will cover PHI and other client information. Good news! If you’re following HIPAA regulations, you aren’t required to do more to protect your patients’ and clients’ information.

Want an easy way to navigate HIPAA and state regulations? Try HIPAA Prime, our all-in-one compliance solution. You provide your information and we do the rest. To learn more, email info@totalhipaa.com.

  1. California Civil Code 1798.145(c)(1)(A)

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2024

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document

Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

In today's digital world, protecting sensitive data is paramount. This is especially true for organizations that handle electronic Protected Health Information (ePHI), whether you're a healthcare...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)