Where Do Business Associates Stand under the California Consumer Privacy Act?
Since the California legislature passed the California Consumer Privacy Act, more commonly referred to as the CCPA, back in September of 2018, businesses and their legal counsel have been working to ensure that they comply with the statute. In basic terms, the CCPA gives California residents the right to know the data that organizations are collecting about them, the right to tell companies not to share or sell their personally identifiable information (PII), and the right to protection against corporations that fail to keep their PII secure.
For some, the CCPA is not a sweeping piece of legislation they need to worry about in the short term. You must comply with the CCPA if you’re a for profit company that meets any of the following requirements: has annual gross revenues (a) in excess of twenty-five million dollars ($25,000,000) (b) Handles data of more than 50,000 people or devices; or (c) Has 50% or more of revenue coming from selling personal information. The statute also applies to Businesses that “control” or are “controlled by” or have “common branding” with a business that satisfies the above. If you do not meet this criteria, you do not need to comply with the CCPA for now.
But where does that leave business associates of covered entities, such as health technology companies, IT companies and other business associates subject to HIPAA and HITEC regulations, that might otherwise be covered by the CCPA? What changes do they need to make? Do they need to make any changes at all? Subsection (c)(1)(A) of the CCPA exempts a certain kind of information: "protected health information" (PHI) collected by a "covered entity" or "business associate", which is defined by HIPAA. HIPAA defines PHI as information relating to the physical or mental health or condition of an individual, or the provision of or payment for health care to an individual, for which there is a reasonable basis to believe it can be used to identify the individual.
So does that mean business associates are exempt? No, not exactly. The operative question becomes whether there is data that a business associate collects that does not constitute PHI under HIPAA. According to the CCPA, business associates are exempt from the collection of PHI under HIPAA. That exemption, however, doesn’t expand to other personal information. For instance, personal information (not regulated by HIPAA) collected through websites, health apps, health portals, and other digital technology or connected devices is likely subject to the CCPA. There is a potential myriad of data that is not exempt from the CCPA that business associates should be weary of.
It is in any business associates’ best interest to adopt a proactive attitude when addressing the CCPA. For initial steps, business associates should first examine what data it collects from California residents, why it collects this data and what, if any, 3rd parties it shares the data with. Business associates might also want to perform a formal data assessment of all of the data the company collects, stores and processes, so they can determine if there is any data subject to the CCPA. That’s a good start.