February 11, 2020

CCPA: What Healthcare Organizations Need to Know

On January 1, 2020, the California Consumer Privacy Act (CCPA) went into effect, introducing new privacy regulations for California consumers. The CCPA protects the non-public personal information (NPPI) of consumers by granting the following rights:

  • The right to know what personal information an organization collects and how it will use it.
  • The right to delete information from the databases of a business or its service provider.
  • The right to opt-out or opt-in to the sale of personal information.
  • The right to non-discrimination when exercising consumer privacy rights.

As a result of the CCPA going into effect, other states in the US have begun introducing their own regulations, further amplifying the need for organizations to pay close attention to the ever-changing regulatory landscape.

Within the healthcare industry, regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Confidentiality of Medical Information Act (CMIA) have been in place for years. Organizations currently governed by those regulations should continue to follow those specific guidelines. Although these regulations protect personal health information (PHI) and medical information, the CCPA is more comprehensive.

All information that can be described as “information that could reasonably be linked to a consumer, including but not limited to personal identifiers, commercial information, biometric information, internet activity information and employment information,”1 is now considered protected, and organizations will have to adjust accordingly.

There are some exceptions included in the CCPA. Organizations that meet the following criteria will not be subject to CCPA regulations:

  • Nonprofit organizations
  • Less than $25 million in annual gross revenue
  • Collects less than 50,000 California residents’ PI
  • Derives less than half of its revenue from PI sales

Before businesses that are subject to CCPA proceed to collect personal information, consumers must now be provided with a notice. In addition, these businesses are required to include a “do not sell my information” link on its website. When a consumer requests that their information not be sold, the business must respond to the request within a specified timeframe — making sure to verify the identity of the person before taking action regarding any requests. Finally, organizations are required to maintain consumer requests for privacy records for at least two years after the request was made.

In the healthcare space, patients may not understand the distinction between health information protected by HIPAA and personal information covered by CCPA. If consumers request the deletion of data from a health organization, staff members will need to be prepared to explain the distinction and take the appropriate actions.

In order to prepare for additional regulations and to ensure CCPA compliance, healthcare organizations should evaluate current data collection activities and determine whether that information is subject to CCPA regulations. Each intentional violation can cost up to $7,500, and the affected party does not have to prove any harm resulted from the breach. Therefore, organizations should take critical measures to safeguard themselves from potential litigation, especially in such a rapidly-evolving regulatory environment.

For a company to ensure that it is adequately prepared for these new regulations, it should have a complete understanding of how CCPA differs or adds to existing policies. For example, data privacy protection is now extended to all individuals within healthcare organizations, not just its patients. This includes doctors, nurses, and other employees whose information is encompassed within the database of the organization.

Another important detail to note is that the protections provided under the CCPA may extend outside of the California state line. Organizations that operate outside of California that treat patients who are California residents will also be subject to CCPA regulations.

Implementing the CCPA will affect non-healthcare and healthcare organizations differently. Although the differences may be subtle, the consequences of not being fully prepared to implement CCPA regulations can be dire. Not only is the CCPA already in effect, but other similar regulations are also in progress — some of which may be implemented at the federal level.

If your healthcare organization operates in California or if you serve Californian patients, being prepared to comply with the regulations of the CCPA that protect the privacy of your patients and staff is crucial. Preparedness will prevent future violations and allow you to continue to focus on providing a higher quality of care.


  1. https://www.manatt.com/insights/newsletters/health-update/what-californias-new-consumer-privacy-bill-means

Quality. Commitment.

Whether you want to advance your business or your career, Oxford is here to help. With nearly 40 years’ experience, we know that a great partnership is key to success. Start a conversation today.