Healthcare companies that must abide by the California Consumer Privacy Act (CCPA) are having difficulty reaching compliance, according to a new study published in Health Policy and Technology (DOI: 10.1016/j.hlpt.2021.100543).
The CCPA was approved on June 28, 2018, and became effective on January 1, 2020. The goal of the CCPA was to give California residents better control over their personal information and how their data can be used.
The CCPA gave California residents the right to be informed about the personal records that will be gathered, whether their information may be sold or shared, and to whom disclosures can be made, as well as the right to opt out of the sale of their personal information. They were also granted the right to see the personal records kept by an organization covered by the CCPA, to ask for the deletion of their personal information, and not to be discriminated against for exercising their rights under the CCPA.
The researchers conducted the study to examine possible problems associated with CCPA compliance for healthcare providers. The study included interviews with 19 digital privacy and data system specialists. The researchers found both legal and technological difficulties for healthcare companies attempting to comply with the CCPA.
The CCPA is mainly concerned with the use of individuals' personal information by large consumer-facing technology organizations; however, it has a substantial effect on healthcare companies. HIPAA-eligible information is excluded from the CCPA; nevertheless, the researchers noted that certain types of data gathered by HIPAA-regulated entities may fall within the scope of the CCPA. For those data types there is regulatory uncertainty, which can lead to legal issues for healthcare companies that do business with California residents.
A lack of regulatory clarity and a low likelihood of enforcement emerged as the two main themes of legal concern, the researchers reported. Poor data discovery and inventory procedures, a lack of advanced digital infrastructure, the interaction between privacy and technology specialists, and the high cost of compliance emerged as the major technological obstacles to CCPA compliance.
There is confusion because of the CCPA's broad definition of businesses and consumer firms that gather user records and use cookies, and the interplay between the CCPA and HIPAA creates some unintended compliance challenges. One of the key concerns involves healthcare information obtained by healthcare institutions that is not categorized as protected health information (PHI) and is consequently not covered by the HIPAA Rules. In these cases, healthcare firms might have to comply with the requirements of the CCPA.
From the standpoint of implementation, the study shows that the more visible elements of CCPA compliance, such as creating a webpage or setting up a helpline for people to submit data access requests, are quick to carry out. Maintaining an accurate inventory of all the consumer information gathered and stored by the company, however, will be a difficult undertaking.
A substantial amount of additional data is now being captured and compiled because of the COVID-19 pandemic. Given the speed at which systems had to be created to log, store, and share that data for contact tracing and COVID-19 testing, there was less time to make sure sufficient privacy safeguards were implemented. For healthcare companies, it is unclear in many instances whether these types of data fall under the CCPA.
The researchers' recommendation for healthcare providers located in California is to develop compliance programs proactively. If found not to be compliant, they may be forced to make last-minute implementations to avoid financial penalties and could face costly litigation.