Question:
How do CCPA and HIPAA intersect for a California-based practice?
Answer:
The CCPA does not apply to protected health information (PHI) handled by California Covered Entities and Business Associates subject to HIPAA, i.e. there is an exemption for HIPAA-regulated health data. So as long as you're in compliance with HIPAA, your PHI is covered; only personal information that falls outside HIPAA (employee records, for example) can still be subject to the CCPA.
More information can be found below.
____
The Real Talk article series includes real customer questions and our answers. Since these are questions directly from actual clinics, practices, hospitals, and businesses, we thought you might have these questions too. We hope that you find this format helpful. Stay tuned for more Real Talk - your question might even be featured!
CCPA Exemption for Healthcare Providers: HIPAA Compliance Means You're Good to Go
If you're a healthcare provider or a business associate in California, you've probably heard of the California Consumer Privacy Act (CCPA), a state-level privacy law designed to give California residents more control over their personal data. However, if you’re already in compliance with HIPAA (Health Insurance Portability and Accountability Act), you might be wondering: does the CCPA apply to your healthcare organization?
The good news is that for healthcare providers and their business associates following HIPAA regulations, the CCPA does not apply to the PHI they handle. Let's explore why that is, what the exemption entails, and how being HIPAA-compliant protects your healthcare organization under both laws.
What is the CCPA?
The California Consumer Privacy Act (CCPA), effective since January 2020, is a comprehensive privacy law that enhances privacy rights for residents of California. The CCPA applies to for-profit businesses that collect, process, or share personal data and meet certain thresholds (based on annual revenue, on the volume of personal information processed, or on the share of revenue derived from selling personal information). It gives California consumers several rights, including the ability to access, delete, and opt out of the sale of their personal information.
However, the CCPA doesn’t apply to all businesses, and healthcare providers and organizations already regulated by HIPAA benefit from an important exemption.
CCPA Exemption for Healthcare Providers and Business Associates
HIPAA is a federal law focused on the protection and privacy of Protected Health Information (PHI) in the healthcare industry. Covered entities (healthcare providers, health plans, and healthcare clearinghouses) and the business associates that handle PHI on their behalf are required to comply with HIPAA's privacy, security, and breach notification rules.
According to the CCPA, there is a specific exemption for organizations that are subject to HIPAA. The California Civil Code Section 1798.145 outlines these exemptions, including the following key provisions:
- Section 1798.145(c)(1)(A): A data-level exemption. The CCPA does not apply to PHI collected by a covered entity or business associate governed by the HIPAA privacy, security, and breach notification rules (45 CFR Parts 160 and 164), nor to medical information governed by California's Confidentiality of Medical Information Act (CMIA).
- Section 1798.145(c)(1)(B): An entity-level exemption. A provider of health care governed by the CMIA, or a covered entity governed by HIPAA, is exempt from the CCPA to the extent that it maintains patient information in the same manner as medical information or PHI described in subparagraph (A). Note that this entity-level provision names providers and covered entities, not business associates; a business associate relies on the data-level exemption in (A) for the PHI it handles.
These provisions mean that if you're a covered entity (like a doctor, hospital, or health insurer) or a business associate (a company that handles health data on behalf of a covered entity, such as a billing company or IT service provider), and you’re already following HIPAA’s strict requirements for privacy and security, the CCPA does not impose additional obligations on your organization regarding the health data you manage.
Why HIPAA Compliance Means You're "Good to Go"
The CCPA and HIPAA serve different purposes but share a common goal: to protect personal information. While HIPAA is specifically focused on healthcare data, the CCPA protects a broader range of personal data. The HIPAA exemption under the CCPA exists because HIPAA already has extensive safeguards in place to protect health information.
Here’s why this exemption makes sense:
- HIPAA Already Sets the Standard: HIPAA has stringent rules around privacy, security, and the sharing of PHI. It ensures that healthcare providers and their business associates take comprehensive measures to protect health data, which aligns with the privacy goals of the CCPA.
- Avoiding Overlap: The exemption prevents unnecessary overlap between HIPAA and the CCPA. If healthcare organizations had to comply with both laws for the same data, it would create confusion and burden healthcare providers without adding meaningful additional protection for health information.
- PHI Is Protected Under HIPAA: The CCPA provides California residents with the right to access, delete, and opt out of the sale of personal information. However, healthcare data governed by HIPAA is treated differently under the CCPA due to the specialized protections already offered by HIPAA, including access controls, audit controls, and safeguards such as encryption for PHI at rest and in transit.
Key Takeaways
- CCPA Does Not Apply to PHI Handled by HIPAA-Compliant Organizations: If your organization is a covered entity or business associate under HIPAA and complies with HIPAA's privacy and security rules, the CCPA exemption applies to the PHI you collect, store, and share.
- Healthcare Providers Are Not Required to Comply with CCPA for PHI: Since HIPAA already protects Protected Health Information (PHI), the CCPA’s provisions related to consumer data access, deletion, and opt-out do not apply to PHI.
- Compliance with HIPAA Is Sufficient for PHI: As long as you're following HIPAA regulations for data privacy and security, you don't need to worry about additional CCPA requirements for your healthcare data.
- Other Data Not Covered by HIPAA Still Needs CCPA Compliance: While PHI is exempt, keep in mind that any other personal information your organization collects that is not governed by HIPAA (employee and job applicant data, website visitor data, or marketing lists, for instance) may still be subject to CCPA rules if your business meets the CCPA's thresholds.
Conclusion
If you're a healthcare provider or business associate in California, the CCPA exemption means that your HIPAA-compliant practices protect you from additional privacy obligations under the CCPA for the PHI you handle. As long as you're adhering to HIPAA's strict standards for the security and privacy of Protected Health Information (PHI), the CCPA imposes no further requirements on that health data.
For more information, refer to the California Civil Code Section 1798.145 to confirm the specific exemptions, or consult with legal counsel to ensure your organization remains compliant with both HIPAA and CCPA requirements.