Healthcare Providers Face Legal and Technological Issues Achieving CCPA Compliance

Healthcare companies that need to comply with the California Consumer Privacy Act (CCPA) are having difficulty achieving compliance, according to a new study published in Health Policy and Technology (DOI: 10.1016/j.hlpt.2021.100543).

The CCPA was signed into law on June 28, 2018 and came into force on January 1, 2020. The purpose of the CCPA was to give California residents more control over their personal information and how it is used.

The CCPA gave California residents the right to be informed about the personal information that will be collected about them, whether that information may be sold or disclosed, and to whom disclosures may be made, as well as the right to refuse the sale of their personal information. They were also given the right to access the personal information held by a business covered by the CCPA, to request the deletion of their personal information, and not to be discriminated against for exercising their rights under the CCPA.

The researchers conducted the study to examine potential problems associated with CCPA compliance for healthcare providers, which involved interviewing 19 digital privacy and data system professionals. The researchers found that healthcare companies seeking to comply with the CCPA face both legal and technological issues.

The CCPA is primarily associated with the use of individuals' personal information by large consumer-facing technology firms; nevertheless, it has had a major impact on healthcare organizations. Information covered by HIPAA is exempt from the CCPA; however, the researchers pointed out that several types of data collected by HIPAA-regulated entities probably fall within the scope of the CCPA. For those types of information there is regulatory ambiguity, which may lead to legal problems for healthcare companies that do business with California residents.

A lack of regulatory understanding and a low likelihood of enforcement emerged as the two key themes of legal concern, the researchers reported. Inadequate data discovery and inventory processes, a lack of improved digital infrastructure, the interaction between technology and privacy experts, and the high cost of compliance emerged as important technological obstacles to CCPA compliance.

There is confusion arising from the CCPA's broad definition of business and consumer organizations that collect user information and use cookies, and the interaction between HIPAA and the CCPA creates some unintended compliance challenges. One of the critical problems concerns healthcare information collected by healthcare companies that is not classified as protected health information (PHI) and therefore does not fall under the HIPAA Rules. In such cases, healthcare companies may have to comply with the requirements of the CCPA.

From an implementation perspective, the study found that the more visible parts of CCPA compliance, such as creating a web page or setting up a helpline for individuals to submit data access requests, are easy to achieve. However, maintaining an accurate inventory of all the consumer records collected and stored by the company will be a demanding undertaking.

Because a large amount of additional data is now being captured and compiled as a result of the COVID-19 pandemic, and because of the speed at which systems had to be built to record, store, and share that information for use in contact tracing and COVID-19 testing, there was little time to make sure adequate privacy safeguards were implemented. For healthcare organizations, it is unclear in many cases whether these types of data are covered by the CCPA.

The researchers recommend that healthcare providers based in California create compliance plans proactively. If found not to be compliant, they could be forced into rushed implementations to avoid financial penalties and may face costly litigation.