How Does the New California Consumer Privacy Act Impact Healthcare?

Healthcare, Regulatory News

January 21st, 2020

How does the new California Consumer Privacy Act impact healthcare? Learn about the new law and its effect on the industry.

California Consumer Privacy Act Impact on Healthcare

The California Consumer Privacy Act (CCPA) is now in effect. The legislation was enacted to fill gaps in existing data privacy law. Previously, privacy of healthcare data was regulated almost entirely through HIPAA; however, HIPAA only applies to “covered entities” (and their business associates) holding protected health information (PHI). So how will the new California Consumer Privacy Act impact healthcare?

New Laws Will Significantly Impact Healthcare Data

The California Consumer Privacy Act applies to for-profit organizations that do business in California and meet at least one of its revenue or data-processing thresholds (annual gross revenue above $25 million, or buying, selling or sharing the personal information of 50,000 or more consumers, households or devices per year, or earning half or more of revenue from selling personal information). The Act exempts personal data already protected by HIPAA and by California’s Confidentiality of Medical Information Act (CMIA). Thus, PHI and medical information will continue to be governed by those existing rules, while the new law applies to most of the other personal data the healthcare industry collects and uses.

How Will the Act Change the Game in Healthcare?


The California Consumer Privacy Act will alter the rules for personal data across the healthcare ecosystem. Here is what the changes mean and how to prepare.

All individuals within healthcare organizations will have their data privacy protected.

Prior to the new law, individuals who are not patients did not enjoy data privacy protection via HIPAA. Now, the personal data of clinicians and staff will also be protected. HIPAA-covered organizations that meet the CCPA thresholds must establish policies and processes to protect the personal data of nonpatients who engage with them, including employees (subject to the temporary, partial exemption for employee and applicant data that the legislature added in 2019). This includes any such data shared with third parties.

Other organizations that handle personal healthcare data must put protections in place.

Many organizations do not have to abide by HIPAA but do collect healthcare data. This can include everything from a wearable that captures health stats to pharmaceutical companies. Those that meet the thresholds will now have to comply with data privacy regulation: they will need to institute processes for consumer notice, access, deletion and opt-out requests, and to apply reasonable security to the data they hold. Further, they must communicate these new practices to users. What’s interesting is that most individuals are not aware that their personal healthcare data is not legally protected once it sits outside a HIPAA-covered entity. Organizations will have to bear this in mind and consider how they present the message so that it builds trust instead of suspicion.

Healthcare organizations that do business in California will, in practice, need to apply the changes required by the new law across their entire company in the U.S.

In many situations in healthcare, entities operate in state silos, as the laws can differ from region to region. The new law breaks these silos: its obligations attach to the California resident rather than to the facility, so data about a California resident handled by an out-of-state part of the organization is still in scope. An organization will therefore need to ensure that data privacy protections are in place for every California resident, wherever that data is processed, which pushes most organizations toward one consistent program. Ultimately, this is the perfect storm for compliance challenges.

California Law Is Just the Beginning

California is known for implementing protective laws first, but it isn’t alone. Washington state and New York are also working on similar legislation. At the federal level, a national data privacy law has bipartisan support.

Any impacted organization needs to develop a short- and long-term strategy for complying with data privacy regulations. Being proactive and thinking enterprise-wide will be critical. It’s also an opportunity to improve data privacy and security and build more trust with patients and customers.
