Compliance with the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) of 2018 is sweeping in its coverage. For-profit hospitals, medical practices, and medical companies need to understand when the act applies to their business. Of the three main tests for deciding which companies must comply with the CCPA, two apply only to a limited number of businesses. The third is fairly sweeping: a company is subject to the CCPA if it:
“Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
In today’s healthcare market, many practices rely directly or indirectly on consumer and household data, and medical devices often track thousands of patients and consumers, so the 50,000 threshold is reached sooner than many practices expect.
The CCPA gives consumers a private right of action, individually or as part of a class action, when a business’s failure to implement and maintain reasonable security procedures results in the unauthorized access, theft, or disclosure of their nonencrypted and nonredacted personal information. Statutory damages run from $100 to $750 per consumer per incident, or actual damages if greater, so the exposure scales with the number of affected patients. Consumers can also seek to enjoin the data practices of the company until the business shows it is in compliance with the CCPA. The Attorney General of California enforces the rest of the law and can seek civil penalties of up to $2,500 per violation, rising to $7,500 per violation when the failure to comply is intentional.
Consumers who wish to claim statutory damages must generally give the business 30 days’ written notice identifying the provisions they allege were violated, and an opportunity to cure, before filing. If the consumer is claiming only actual damages, the 30 days’ notice is not required. Consumers who file a CCPA action must also give the state Attorney General timely notice. The Attorney General may then:
- Proceed with the case itself
- Inform the consumer not to pursue the claim
- Let the consumer proceed on his/her own
Skilled California CCPA lawyers can explain whether your practice needs to comply with the CCPA and help your medical business prepare the steps needed to comply with the law. Those steps involve many safeguards, not just a simple step such as posting a notice on the company website.
As we wrote previously:
“The CCPA broadens the definition of personal information to include many different types of healthcare and consumer information. The law also expands the rights of consumers to demand disclosure of the information that is being collected, to demand that personal information be deleted, and to file claims against healthcare and other companies that breach the provisions of the CCPA.”
When reviewing compliance with the CCPA, your California healthcare lawyer will also review your compliance with related laws including:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The Confidentiality of Medical Information Act (CMIA)
- Europe’s General Data Protection Regulation
- Other California laws such as the California Online Privacy Protection Act (CalOPPA)
General compliance duties of medical providers to inform consumers about, and protect, their personal information
As we also explained in our first article on the CCPA, the new law covers many issues such as:
- Disclosure. The duty to disclose to consumers that the hospital, medical practice, or health company has collected their personal information. This includes informing the consumer of the sources of the data, the purpose for collecting or selling it, who else has access to it, and what data has been collected.
- Deletion. The right of the consumer to request that their personal information be deleted.
- Opt-out. The right of the consumer to know what data is being sold and to direct that no further data be sold (the right to opt out).
- The right to be free from discrimination. The health practice, business, or hospital can’t penalize the consumer for asserting his/her rights, for example by charging different rates or providing different services for the same type of medical problem.
Compliance issues for minors
As with most laws, the trouble and confusion often rest in the details. The CCPA is fairly precise as to what steps must be taken to inform and protect consumers, and there are additional compliance requirements when consumers and patients under 16 are involved.
If a consumer is under 16, the opt-out for selling personal information is replaced by an opt-in: the personal information of a minor under 16 must not be sold unless the minor (if 13 or older) or the minor’s parent or guardian affirmatively opts in, that is, agrees to allow the company to sell the information. For minors under 13, only the parent or guardian can opt in, not the minor. A business that willfully disregards a consumer’s age is treated as having actual knowledge of it, so a practice cannot avoid the opt-in rule simply by not checking.
What is “Personal information?”
Personal information is essentially information that can link to a consumer or household. It includes (but is not limited to):
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Geolocation data.
- Professional or employment-related information.
The form of disclosure
Consumers must be informed of their rights, and health companies and other businesses need to give consumers a reasonably accessible way to submit requests. This means the business shall:
(1) Make available to consumers two or more designated methods for submitting requests for information, including:
- A toll-free telephone number
- If the business maintains an Internet Web site, a Web site address.
(2) Provide the information requested within 45 days of receiving a verifiable consumer request. The period may be extended once, by up to an additional 45 days when reasonably necessary, provided the consumer is notified of the extension within the first 45 days. Companies will need a plan, which they can review with their California healthcare lawyer, for processing requests within the 45-day period. If there are hundreds or thousands of requests, a reliable software system should generally be in place to track and handle them.
The disclosure should cover the preceding 12 months, be in writing, and be:
- delivered through the consumer’s account with the business, if the consumer maintains an account with the business
- delivered by mail or electronically, at the consumer’s option, if the consumer does not maintain an account with the business
Companies can’t require that consumers create an account just to make a verifiable request.
Before responding, the business must verify the request: it should identify the consumer making the request and match the information supplied in the request to the personal information it previously collected about that consumer, so that one consumer’s data is not disclosed to someone else.
In addition to disclosing the consumer’s rights on the website, the company should disclose the following in its online privacy policy, if it has one:
- The consumer’s rights under the CCPA
- The designated methods for consumers to submit requests to the company
- A list of the categories of personal information the company has collected about consumers during the preceding 12 months and, where required, separate lists of:
  - the categories of personal information it has sold about consumers in the preceding 12 months
  - the categories of personal information it has disclosed for a business purpose about consumers in the preceding 12 months
The company must also ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or its CCPA compliance are informed of the relevant requirements of the California Consumer Privacy Act, including how to direct consumers to exercise their rights.
Information that the health company or business collects from the consumer for verification purposes should be used only for verification purposes. A company can’t collect verification information and then sell it or use it for additional purposes.
Generally, a business need only provide the information set forth in the CCPA to a given consumer twice in any 12-month period.
More details on what should be in the CCPA disclosure form
The CCPA requires that any business subject to the law use forms that consumers can reasonably access. The business should:
(1) Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information.” The links should connect “to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.”
(2) Once a consumer asserts the opt-out right, stop selling that consumer’s personal information, and do not ask the consumer to authorize sales again for at least 12 months after the opt-out.
Instead of placing the link and text on the homepage made available to the public generally, health companies can use a separate homepage dedicated to California consumers, provided that dedicated homepage includes all the necessary information. The company must take reasonable steps to ensure that California consumers are directed to the California homepage rather than to the general homepage.
Consumers can choose someone to act on their behalf to opt out of the sale of their personal information.
Health companies and other businesses may be able to offer financial incentives to consumers in exchange for permission to collect or sell their personal information. The California Consumer Privacy Act applies to for-profit hospitals; hospitals that are not for profit may be exempt from the act. Most physician practices, medical device companies, and health sales businesses are for profit and may need to comply with the CCPA if they collect or use a substantial amount of personal information.
The California Consumer Privacy Act is a broad law that will affect more and more healthcare businesses as access to personal information expands. The consequences of failing to comply may seem small for a single consumer, but multiplied across tens of thousands of consumers the damages and penalties could force many businesses to close. The Act sets forth many compliance requirements, and the full meaning of those requirements will likely evolve over time. Experienced healthcare lawyers can help medical businesses comply with the law and show that they are working towards compliance.
For help understanding the California Consumer Privacy Act and the ways medical practices, medical companies, and for-profit hospitals can prepare for consumer demands for disclosures, deletions, and opt-outs, contact Cohen Healthcare Law Group, PC today. We understand the laws and regulations that apply to personal information as they affect the healthcare industry.