HIPAA-Covered Entities Exempt from California Consumer Privacy Act Following Amendment

In June 2018, the legislature in California enacted the California Consumer Privacy Act (CCPA) which introduced major amendments to state legislatiion to protect the privacy of consumers.CCPA introduced new privacy protections and rights for consumers, many of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR).

The CCPA does not go to the same lengths as GDPR and only applies to for-profit firms that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to ask for access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be advised whether personal data will be sold or disclosed, the right to have personal data deleted and to stop personal data from being sold.

The CCPA has been hit with criticisms, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to legislators in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law which they feel is unworkable and several technical issues that are likely to have negative and unintended consequences.

The CCPA is not due to take effect until January 1, 2020, which allows California lawmakers plenty of time to make amendments. There are likely to be many amendments made before the law comes into effect, the first of which have just been passed.

On August 31, 2018, the legislature vote to passd SB 1121 which includes several technical edits to the CCPA and a notable change to the implementation of the CCPA. The compliance date has remained the same, although SB 1121 stated that the CCPA will go into effect as soon as it is signed into law. This is seen as an attempt to ensure that California localities will not be able to pass conflicting laws before January 1, 2020.

Entities covered by the CCPA will be given more time to ensure compliance, as SB 1121 altered the date by which the California Attorney General must publish its implementation regulations. The last date for publication of the implementation regulations is now July 1, 2020. Further, the Attorney General will not be allowed to bring CCPA enforcement actions against any company found not to be in compliance with CCPA until six months following the publication of the implementation guidelines.

As opposed to HIPAA, the CCPA includes a private right of action which permits California residents to take legal action against companies that have experienced data breaches due to a failure to implement appropriate security measures. In its initial form, any consumer that chose to take legal action for the exposure of their personal data was required to get in touch with the attorney general within 30 days of filing a legal action. That notification requirement has now been deleted.

SB 1121 has also revealed exemptions for data already covered by other legislative acts, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GBLA), and the Driver’s Privacy Protection Act (DPPA).

All data handled in relation to HIPAA, GBLA and the DPPA isexempt from the CCPA. Further, SB 1121 has confirmed that the CCPA will not apply to HIPAA-covered groups and neither to information collected by a HIPAA-covered entity or business associate that participates in a clinical trial.


About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas should has data protection and innovations such as telehealth.