HIPAA (Health Insurance Portability and Accountability Act) has long been the acronym synonymous with privacy compliance for the healthcare and life science industry. But with the California Consumer Protection Act (CCPA) set to go into effect on January 1, 2020, a new acronym and a new way of thinking about privacy will soon become the norm. The healthcare industry is now at a potential crossroads as it navigates these two sets of privacy compliance regulations.
Time is short, even for an industry with existing strict privacy rules already in place. Healthcare organizations must begin evaluating data privacy practices now to develop a unified approach that will reduce the risk, cost, and complexity of keeping data safe.
Below are five important steps the healthcare and life science industry can take today to ensure compliance tomorrow.
1. HIPAA covered entities can not ignore CCPAFirst and foremost, organizations must have clarity around how CCPA will impact existing data privacy practices. Unfortunately, how HIPAA and CCPA intersect is still a point of confusion for much of the industry. Because HIPAA directly governs medical and protected health information (PHI), CCPA gives an exemption to HIPAA-covered entities and business associates (healthcare providers, pharmaceutical companies, insurers, etc.) This exemption has led to a common misperception that HIPAA-covered entities can ignore CCPA completely. In reality, many healthcare organizations and other providers maintain information that falls outside the definition of PHI but will soon be regulated under CCPA.
This includes personal information that could be used for marketing or other outreach purposes such as names and addresses. While personally Identifiable Information (PII) held for marketing purposes is subject to HIPAA, now these organizations will also be required to take CCPA regulations into account as well. CCPA will not supersede HIPAA, but many healthcare organizations will likely need to find new ways to effectively manage different sets of data and should consider managing data privacy across the board under one umbrella.
2. Redefine de-identified data
To ensure privacy, many healthcare and life science organizations maintain de-identified data for research and marketing purposes. Any organization that collects and maintains de-identified data will need to evaluate how it maintains this data and ensure it meets CCPA’s definitions and requirements.
The challenge is that CCPA and HIPAA have different standards for managing and using de-identified data.
As defined by CCPA,data is considered de-identified if the information, “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,” and provided that a company that uses de-identified information has done the following: implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, implemented business processes that specifically prohibit reidentification of the information, implemented business processes to prevent inadvertent release of de-identified information, and makes no attempt to re-identify the information.
While many components of this definition are similar to the HIPAA standard for de-identification, the two standards are not identical. It is possible data considered to be de-identified according to HIPAA’s privacy rules will not meet CCPA’s new standard. These divergent standards can lead to confusion, misinterpretation, and potentially hefty fines or a class-action lawsuit. Additionally, de-identified health information is no longer considered PHI and may no longer be part of the HIPAA exemption and thus must comply with CCPA.
What is considered de-identified data must be redefined to ensure compliance and reduce any potential privacy violations, especially for an industry that maintains patient information. A robust platform, such as HealthVerity Consent, which is capable of aligning marketing, legal, and compliance needs must be put in place to avoid data privacy violations and maintain positive relationships with patients and clients. HealthVerity Consent provides a single platform to consolidate, connect, and log consumer data, which ensures the highest degree of trust and compliance under both CCPA and HIPAA.
3. Be more vigilant about consumer privacy rights
Under CCPA, consumers will now have unprecedented control over their personal data. These new consumer rights are similar but not identical to rights already identified under HIPAA. Beginning in January, consumers will now have the right to:
- Opt-out of communication
- Know what personal information is being collected
- Know whether their personal information is sold or disclosed and to whom
- Say no, or opt-out of the sale of personal information
- Request that a company delete personal data
- Request a copy of all personal data
- Receive equal service and price, even if they exercise their privacy rights
A new level of vigilance will be required to ensure compliance and maintain customer goodwill. Healthcare organizations must now juggle how to share PHI between providers or insurers with requests from consumers to opt-out of communication or have information deleted altogether. Only by implementing a single platform, such as HealthVerity Consent, to manage this varied data will healthcare organizations be able to ensure they are complying across the board.
4. Account for new personal information regulations
Under HIPAA, PHI is broadly defined as any information in a medical record that could identify an individual and that was created, used, or disclosed to a covered entity and/or the entity’s business associate (i.e. an insurance company or another healthcare provider) in the course of providing a healthcare service, such as a diagnosis or treatment. But other information, such as email addresses, wearable device metrics, and website browsing history that is not directly related to patient health or treatment, is not considered PHI and can be tracked by HIPAA-covered entities to use for marketing and research purposes.
However, under CCPA, covered entities will now have to take into account CCPA’s new data privacy rules and consumer rights. This means they must find a new way to manage data that will ensure compliance and, more importantly, reassure patients that their data is protected.
5. Keep clinical trials in compliance
Finally, CCPA exempts information collected as part of a clinical trial as long as the clinical trial is subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule. However, the Common Rule only officially applies to clinical trials that have federal funding. While many privately-funded clinical trials, such as those run by pharmaceutical or life science research organizations, also adhere to the Common Rule as a standard of best practice, under CCPA is it unclear if these organizations will also be exempt. This means that for many private companies conducting research, they must now examine how they manage clinical trial data and ensure they have the tools in place to comply with the Common Rule and CCPA. This will require action now to ensure research can continue and crucial information collected in these trials is not susceptible to lawsuits, fines, or potential suspension due to privacy regulation violations.
Prepare now to ensure privacy compliance down the road
January 1, 2020, is fast approaching. How healthcare and life science organizations think about and manage data privacy must evolve. Through a consolidated, single platform such as HealthVerity Consent, these organizations can mitigate risk, and most importantly, maintain trust among patients and consumers while complying with both HIPAA and CCPA by consolidating, connecting, and logging consumer data preferences and rights across one system.
While many aspects of the intersection between established healthcare privacy policies and new CCPA regulations remain murky, one fact is abundantly clear — companies and compliance officers must start preparing for CCPA today.