The California Consumer Privacy Act (CCPA) adds a significant layer of complication for companies—including health care entities—that conduct business in California. As enforcement of the law ramps up this month, firms need a detailed plan on how to remain compliant.
That’s the word from attorney Andrew Clearwater, vice president of privacy at OneTrust, an Atlanta-based privacy and compliance technology company. He noted that while California lawmakers included an exemption for entities in the health care arena that otherwise would be subject to the CCPA, that exemption may only apply to protected health information and may not cover such areas as marketing data, data from mobile apps or call center data that does not involve PHI.
Health care organizations should tread carefully to make certain they’re in compliance as the CCPA, which first was approved in 2018 and took effect on Jan. 1, moves into its enforcement stage this summer, Clearwater told an audience at a recent HIPAA conference.
To be covered by the CCPA, a company must be for-profit, do business in California, collect consumer personal information of California residents (either online or offline) and determine the purpose and means of the data processing, Clearwater said.