CCPA Compliance in Healthcare: Your Right on Your Data

CCPA compliance in healthcare protects data privacy by giving users complete rights to their personal information collected, processed and sold by companies.

The number of digital health companies has grown exponentially in the past few years, increasing data privacy and security concerns among users. These companies collect large volumes of personal information and sell it to make money. The CCPA is a regulation that gives users the right to access their data and to control how it can be used.

This article details how CCPA compliance in healthcare gives you the right to your data.

What is CCPA?

The California Consumer Privacy Act (CCPA) is the strictest consumer data protection law in the US. It came into effect in January 2020 to protect California residents from businesses that sell their data without consent. The law establishes standards for businesses collecting or selling the personal information of California residents.

What is personal information under CCPA?

  • Identifiers like name, email, IP address, social security number, driver’s licence number, postal address, and other similar identifiers
  • Biometric information
  • Demographic and location information
  • Commercial information related to personal property purchased, services availed, or purchase histories and tendencies
  • Online information like browsing history, website interactions, or other internet activities
  • Education, profession or employment-related information
  • Audio, visual, thermal, virtual or similar information

Note – Publicly available deidentified data does not fall under personal information under the CCPA.

Who needs to abide by CCPA compliance?

CCPA applies to all for-profit organisations, based in California or elsewhere, that collect and process personal data from California residents and meet one or more of the following criteria:

  • Having a gross annual revenue of more than $25 million
  • Collecting personal information from more than 50,000 California residents, households and devices every year
  • Generating 50% or more of its annual revenue by selling personal information

Note – Non-profit organisations are exempt from the CCPA.

What is unique about CCPA compliance?

CCPA gives users rights over the data companies collect about them and also the right to take legal action against the company.

They have the right to:

  • Non-discriminatory access to their personal data
  • Know what information companies collect about them
  • Know where the information is collected from
  • Know how the information is processed, used or shared
  • Know to whom it is sold

They also have the right to:

  • Stop or limit companies from collecting, using or selling their data
  • Delete their data stored with the company
  • Take civil action against the company for misusing the data

CCPA is a one-of-its-kind law in that the user has the right to take civil action against the company under certain circumstances.

If a user’s unencrypted and non-redacted personal information is stolen as part of a data breach, the user can claim statutory damages from the company, since the breach is the result of the company’s failure to maintain security procedures to protect the data.

Once such data is stolen, the user must write to the company about it and give it 30 days to cure the violation. If the company cures the violation and provides a written statement to that effect, the user cannot take legal action. If not, the company is liable to pay $100 to $750 per consumer per incident, or actual damages, whichever is greater.

What happens if companies violate the CCPA?

If companies violate CCPA, they are liable to a penalty of $7500 per violation.

What is HIPAA exemption under CCPA compliance?

Health information, including medical information and PHI, that is governed by federal and state privacy laws like HIPAA, CMIA, etc., is excluded from CCPA compliance. This means that if a company collects personal health information under HIPAA, it need not adhere to the CCPA for that information. However, non-health data collected by such companies, like payment information, website interactions, etc., is subject to the CCPA.

Other key provisions in CCPA

  • CCPA allows companies to incentivise users to provide personal information.
  • Companies must use the personal information of users only with their consent.
  • For users below the age of 16, companies need to obtain parents’ consent for collecting and processing personal data.
  • Users can ask companies how their data is used, and the company has 45 days to provide complete information to the user.

Challenges of CCPA compliance in healthcare companies

CCPA compliance means healthcare companies will need to keep track of how every single user’s information is being used. They will also have to aggregate all of that information when a user asks for it. This can become a challenge because information is stored across different files, devices and the cloud, and extracting a single user’s information from such a large amount of data is difficult. Also, once the data has been fed into algorithms, deleting a single user’s data upon request is difficult.

Companies will have to work on their IT infrastructure and other technological processes to ensure compliance with CCPA.

Bottomline of CCPA compliance in healthcare

Though healthcare companies are not strangers to data protection and regulations, CCPA compliance may present a new challenge as they try to understand the multiple points at which they come into contact with user data.

Governments are now becoming aware of how companies handle personal data and are on a path to crafting privacy regulations. It is high time that healthcare companies, even those not currently dealing with US or UK citizens, take active measures to comply with international regulations like GDPR, HIPAA, CCPA and others to protect the privacy and security of user data. This will also reduce future costs for the company.
