New consumer privacy laws are set to become effective on January 1, 2023. These laws supplement existing consumer privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act, which has new provisions effective on the first day of 2023. The states with new consumer privacy laws affecting healthcare include Connecticut, Colorado, Virginia, and Utah.
HIPAA and protection of patient information
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) creates national standards for protecting sensitive protected health information (PHI) from being disclosed without the consent or knowledge of the patient. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. “The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.”
The Privacy Rule creates standards to protect PHI held by “covered entities,” which include most medical practices. The rule balances the patient's right to privacy in their records with the need to provide quality healthcare. Covered entities include every healthcare provider that transmits PHI in order to determine eligibility for benefits, process claims, make referrals, or carry out other transactions. Generally, the HIPAA Privacy Rule also applies to insurers, HMOs, Medicare, Medicaid, Medicare+Choice, Medicare supplement insurers, long-term care insurers, employer-sponsored group health plans, government- and church-sponsored health plans, multi-employer health plans, healthcare clearinghouses, and “business associates.” The Rule clarifies which uses and disclosures are permissible – such as treatment, payment, and healthcare operations, and disclosures based on the consent of the patient. Other permissible uses may include public health, domestic abuse, judicial proceedings, some research, and other exceptions listed in the HIPAA Privacy Rule.
The HIPAA Security Rule generally applies to PHI that a covered entity sends electronically – called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing. The Security Rule provides that covered entities must:
- “Ensure the confidentiality, integrity, and availability of all e-PHI
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
- Certify compliance by their workforce”
“Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures.”
The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) of 2018 applies to many healthcare providers. One test, for example, provides that a company is subject to the CCPA if the company:
“Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
Today, many medical practices rely on data and medical devices that regularly “track thousands of patients and consumers.” Consumers may file a direct or a consumer class action claim for violations.
“Consumers can also seek to enjoin the data practices of the company until the business shows it is in compliance with the CCPA. If the failure to comply is intentional, the financial penalties can increase exponentially. The Attorney General of California can also seek to enforce the new law.”
Consumers who wish to file a claim generally must give the business 30 days to comply with the law if they wish to claim statutory damages. If the consumer is claiming only actual damages, then 30 days’ notice is likely not required.
“Skilled California CCPA lawyers explain whether your practice needs to comply with the CCPA. They then help your medical business prepare the necessary steps to best comply with the law. The necessary steps will involve many safeguards – not just a simple step such as providing notice on the company website.”
Compliance with the California Consumer Privacy Act
The California Consumer Privacy Act affects hospitals, medical practices, and medical companies that buy or receive large blocks of data. California compliance lawyers help businesses comply.
The new state consumer privacy laws
According to the National Law Review, the new state consumer privacy laws (California and four other states) may not apply to companies that are already complying with HIPAA. The amended California Privacy Rights Act (CPRA) “exempts protected health information (“PHI”) under HIPAA, as well as HIPAA covered entities to the extent they are maintaining patient information according to HIPAA requirements.” So it becomes critical to know whether your medical practice is HIPAA compliant.
The National Law Review article states the following for the states affected by new healthcare consumer privacy laws:
- Virginia. “The Virginia Consumer Data Protection Act (VCDPA) does not apply to qualifying HIPAA covered entities and business associates, or to PHI, as the terms are defined under HIPAA. The VCDPA also exempts from its requirements healthcare data that has been de-identified according to HIPAA standards, information used for public health purposes authorized by HIPAA, or information originating from, and intermingled to be indistinguishable from PHI maintained by a covered entity or business associate.”
- Utah and Connecticut. The exemptions under the Utah Consumer Privacy Act (“UCPA”) and Connecticut’s Privacy Law (“CTPA”) largely track the VCDPA.
- Colorado. The Colorado Privacy Act (“CPA”) does not apply to information and documents created by a covered entity to comply with HIPAA. Note that this is broader than under the CCPA/CPRA and the VCDPA exemptions.
Non-Patient Health Information, HIPAA, and the new state consumer privacy laws
While there are some changes in the area of protected health information (PHI), businesses (medical practices and health insurance companies) must still comply with the parts of these laws that cover non-PHI data, which HIPAA does not exempt. For example:
“Information regarding maternity status for purposes of administering leave benefits or COVID-19 status for workplace safety, are also likely not PHI, and therefore, are outside the bounds of exemptions of the 2023 Privacy Laws for information maintained in accordance with HIPAA requirements.”
The National Law Review discussion of privacy compliance for 2023 suggests that medical practices and other entities that work with patients should consider the following regarding non-PHI information:
- Understand what data is PHI under HIPAA and what data is not. This means medical practices and entities should inventory all their data so that it can be properly classified. As discussed above, non-PHI is not exempted from the new 2023 Privacy Laws, while PHI may be exempted. The exemptions generally apply only in the five states discussed above – California, Connecticut, Utah, Virginia, and Colorado.
- Medical practices and entities that use PHI should provide consumers and employees with a privacy policy notice describing the personal information to be collected and the reasons for collecting it. The National Law Review states that “This is a separate notice from the HIPAA-required Notice of Privacy Practices (“NPP”).” The notice should be written in plain language and must inform consumers and employees of the statutorily enumerated categories of personal information (PI) that are collected, including categories of sensitive patient information. Some medical businesses may be required to disclose whether PI is being sold or shared and “the length of retention of the categories of PI and, if the business sells or shares PI, a link (or URL address) to the opt-out notice.” If a business grants third parties the ability to control the collection of PI, the notice should also include the names of the third parties or provide information about their business practices.
- The National Law Review adds that:
- The National Review adds that:
- “The CCPA/CPRA requirements for HR data, which are effective on January 1, 2023, requires the provision of a full privacy policy to HR data subjects (e.g., current and former employees, job applicants, contractors, etc.) that incorporates all the content requirements for privacy policies enumerated in the implementing regulations. This means that in addition to drafting and implementing a general privacy policy and NPP, covered entities must also prepare an HR privacy policy.”
- Implement a mechanism through which data subjects (consumers and employees) can submit requests to exercise their rights under the 2023 Privacy Laws.
- “Healthcare entities must develop and implement a mechanism for receiving privacy rights requests from individuals and HR data subjects, and a process for responding to the same. The mechanisms supplement (they don’t replace) the HIPAA requirements for receiving patient rights requests and responding to those requests. This mechanism should thus include the aforementioned data inventory within the company and with vendors and others who may access the PI.”
- The National Law Review article suggests that medical entities should implement ways to distinguish between:
- Traditional consumer requests
- HR data subject requests
- HIPAA rights requests.
- The National Law Review emphasizes that the five 2023 state consumer privacy laws do have slight differences. “For example, the right to know what categories of PI were collected about an individual by a business in the twelve (12) months prior to the request date is only available to California residents.”
- Healthcare entities that work in more than one of these five states will need to resolve how the different states may handle the same type of data.
A few states have updated their consumer privacy laws for 2023. Medical practices that do business in those states need to understand how these new laws affect the patient information the practices keep, what rights their patients have, and how these new laws interact with HIPAA. The good news is that healthcare entities in these five states will benefit from certain PHI exemptions – but the healthcare entities will still be obligated to protect non-PHI data.
Medical practices should contact Cohen Healthcare Law Group, PC to discuss the changing federal and state legal consumer privacy laws. Our experienced healthcare attorneys advise medical practices and medical businesses about healthcare compliance laws and regulations.
