California legislators are giving companies dealing in personal data—including some health information—yet another set of restrictions to contend with thanks to a new broad privacy law passed last week.
The California Consumer Privacy Act of 2018 gives consumers more control over the personal data that businesses collect. Companies have to tell people what data they've collected, what they're using the data for, and which third parties they've given access to the data, among other requirements.
Although healthcare companies already comply with HIPAA, the new state law will create another layer of compliance when it goes into effect in a year and a half.
"It's going to have a significant impact on the healthcare sector," said Mark Brennan, a partner with Hogan Lovells. "From an operational perspective, it's going to be interesting to see how companies work to sort out these requirements."
For some organizations, like those that make consumer-facing wellness apps that collect personal information, the law will apply to all the personal data they collect.
For others, like those defined as covered entities under HIPAA, the law does not apply to protected health information regulated by HIPAA's privacy, security and breach notification rules.
But it does apply to other information held by an organization that does business in California.
For instance, if a consumer requests that an organization delete their personal information other than protected health information, the organization has to take the request into consideration.
"Healthcare provider organizations need to start thinking about what data they have and whether or not it is covered by HIPAA and what data they might be getting from other sources they may not be covered by HIPAA," said Dominique Shelton, co-chair of Perkins Coie's ad tech privacy and data management group.
Healthcare organizations must also be careful when investing in outside companies that develop and market consumer-facing health or wellness mobile apps and solutions or when launching their own internal ventures that do the same.
"The privacy, and security administrative and technological infrastructure for complying with the newly-established rights of the consumer under this new and far-reaching law will be a key feasibility consideration," said Bernadette Broccolo, a partner with the law firm McDermott Will & Emery.
Businesses that work with covered entities will also need to pay close attention to the type of data they're collecting.
"Groups that may buy and sell data from EHRs—this may have a significant effect on their business," Brennan said. "There's the possibility that this law could put U.S. companies at a disadvantage in global competition," he said. "It's going to be difficult for California courts to enforce this law against non-U.S. companies."
But many of those companies, and some U.S. companies too, are already paying attention to similar requirements by the European Union's General Data Protection Regulation policies.
"The good news is everyone's been thinking along these same terms for GDPR," said David Ross, principal and cybersecurity growth leader for the risk, internal audit and cybersecurity practice at Baker Tilly. "Everything you've done for GDPR pretty much ports over, since it shares a tremendous amount in common from a conceptual level with GDPR."
So, much as healthcare organizations needed to prepare for those regulations, which went into effect on May 25, they'll need to figure out which patients' data this law applies to, Shelton said. "Everybody's going to need to update their privacy policies when this goes into effect," she said.
Some expect the California law, like GDPR, to start a domino effect, with other states soon following suit, Ross said. "California's always been kind of a trendsetter."