I Wish They All Could Be California (Data Privacy) Laws
Editor’s Note: This is part of a shared blog series between Trifecta General Counsel and Moxe, chronicling the journey to research and understand the interactions between state-based privacy laws and HIPAA. See the first in the series here.
Trifecta General Counsel provides next-gen legal services for tech-focused companies. Moxe facilitates bidirectional sharing of medical records between health plans and health systems, enabling faster claims data and more comprehensive population health insights.
We’re diving in to state #3 in our comparison of state-based data privacy laws and HIPAA. As a refresher, HIPAA applies at the federal level to the following events in the life cycle of protected health information:
- Use of PHI (data privacy – who is accessing PHI)
- Protection of PHI (data security – how PHI is safeguarded)
- Planning for the loss of PHI (breach notification – how an uh-oh moment is communicated)
How extensive are the California laws? Pretty extensive.
As a state with almost 40 million residents, California is a big deal when it comes to adhering to data privacy regulations. Not only does California specify health data laws that apply to each of the HIPAA events above, it will be going big soon. As of 1/1/2020, the California Consumer Privacy Act (CCPA) takes effect and will impact a wide swath of personal data outside of the PHI governed by HIPAA. Take a look here for a deeper dive into the CCPA. Meanwhile, let’s walk through the California-specific regulations that do affect PHI.
CA Data Privacy
Similar to Virginia, California law specifically regulates the use and disclosure of medical information by Health Care Providers:
- Disclosure of protected health information is allowed for specific purposes, including:
  - To providers of health care, health care service plans, or other health care professionals or facilities for purposes of diagnosis and treatment
  - To an insurer, employer, plan, or other entity responsible for paying for health care services, to the extent necessary to allow responsibility for payment to be determined and payment made
  - To a person or entity that provides billing, claims management, or other administrative services to conduct operations
California regulations then go on to say that the recipient of information may further disclose the information they receive without patient authorization, if the disclosure is for one of the specific purposes listed in the regulations. Those recipients are bound by the same restrictions as the original discloser. Selling patient information or disclosing it for marketing purposes is never allowed without the consent of the patient.
CA Data Security
Any business that owns, licenses, or maintains personal information about CA residents must implement and maintain reasonable and appropriate security procedures and practices, covering the creation, storage, use, and destruction of medical information. Where a law that provides greater protection to personal information, such as HIPAA, also applies, compliance with that stricter law is what governs this scenario.
CA Breach Notification
California laws have a lot to say about breach notifications for the loss of personal information about California residents by an entity operating in California. To start, the statutes dictate that notice must be provided without unreasonable delay, and they provide a form to follow for any breach notification. It includes data such as:
- Name and contact information for the entity that was breached
- Types of information reasonably believed to have been breached
- Date of breach (actual, estimated, or time range)
- If there were any delays in providing notification at the request of law enforcement
- General description of the incident that caused the breach
- Contact information for credit reporting agencies if Social Security Number or State ID Number was involved in the breach
- Note that if SSN or State ID is involved, the breached entity must offer all affected individuals 12 months of identity theft protection
At a large scale (more than $250,000 or more than 500,000 people), substitute notice steps may be taken, and they must include:
- Notice by email, if email is available
- 30 days of conspicuous notice on the website of the breached entity
- Notification to major statewide media
At both Trifecta and Moxe, we are passionate about data privacy. Even if HIPAA isn’t in your daily vocabulary, it can be a great excuse to learn more about laws designed to protect your PHI. Let us know if you have questions about HIPAA and stay tuned for our next state-based analysis of data privacy, security, and breach management!