California Consumer Privacy Act can cause headaches for healthcare orgs
A recent study suggests that healthcare organizations can face legal and technological challenges when it comes to complying with the regulation.
The California Consumer Privacy Act, passed in 2018, aims to give consumers more control over their online personal information.
A new study published in this month’s issue of Health Policy and Technology found, however, that healthcare organizations may face obstacles when it comes to complying with the law.
“It’s critical for organizations to proactively comply with CCPA regulations, rather than face expensive legal battles,” said Raj Sharman, professor of management science and systems at the University of Buffalo School of Management, in a statement.
“But especially for smaller healthcare organizations, it can be challenging to understand the law’s jurisdiction and develop technology infrastructure that’s sophisticated enough to protect against data breaches,” said Sharman, who co-authored the study.
WHY IT MATTERS
After interviewing 19 digital privacy and information system experts, researchers found that professionals perceived legal and technological challenges for healthcare organizations in complying with CCPA.
Part of the issue, say researchers, stems from the combination of CCPA and HIPAA.
Although the law does not apply to nonprofits, “given the law’s broad definition of ‘business’ and ‘consumer,’ companies across the U.S. that collect user data and deploy cookies must comply with the CCPA,” said the study’s lead author Pavankumar Mulgund, clinical assistant professor of management science and systems in the UB School of Management, in a statement.
“But healthcare organizations have an additional burden of complying with HIPAA – and we found the interplay of the two laws creates some unintended hurdles,” Mulgund said.
CCPA allows state residents to access the personal information that companies collect on them, request to delete their data and seek legal options for data misuse or a breach. The law explicitly exempts HIPAA-eligible information.
“However … several types of data collected by HIPAA-compliant healthcare organizations potentially fall within the jurisdiction of the CCPA, but there is significant regulatory ambiguity around such data,” wrote the researchers.
They argue that, in general, healthcare organizations face a lack of regulatory clarity and uncertain likelihood around reinforcement. In addition to those legal issues, technology-related challenges emerged from interviews with experts:
- Challenges of data discovery and inventory.
- Lack of sophisticated and robust digital infrastructure.
- Coordination between technical and privacy professionals.
- The high cost of compliance without an equitable ROI.
“From an implementation perspective, our study finds that the more visible components of CCPA compliance, such as building a website or setting up a helpline service for consumers to raise data access requests, are easy to accomplish,” read the study.
“However, the task of ensuring an accurate inventory of all the consumer data collected and stored within the organization will be a challenging endeavor,” it continued.
THE LARGER TREND
It’s no surprise that federal and state regulatory compliance, particularly where information sharing is concerned, can present challenges for healthcare organizations.
Sometimes failing to comply can carry a big price tag: The U.S. Department of Health and Human Services’ Office of Civil Rights has settled more than a dozen HIPAA-related cases over the past few years, often related to the so-called right of access rule.
“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino in 2019, in a statement about the first of such settlements. We aim to hold the healthcare industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
ON THE RECORD
“The COVID-19 pandemic really exacerbated the confusion, as organizations make enhanced use of technology to capture personal and health-related information – like temperature scans, contact tracing and test results – without establishing adequate privacy safeguards,” said Mulgund in a statement.
“It’s unclear whether these data points fall under the CCPA, and as other states debate similar legislation, this issue will only become more complex,” he added.
