Global Edition
Compliance & Legal

California Consumer Privacy Act can cause headaches for healthcare orgs

A recent study suggests that healthcare organizations can face legal and technological challenges when it comes to complying with the regulation.
By Kat Jercich
September 21, 2021
02:59 PM

Photo: Anete Lusina/Pexels

The California Consumer Privacy Act, passed in 2018, aims to give consumers more control over their online personal information.

A new study published in this month's issue of Health Policy and Technology found, however, that healthcare organizations may face obstacles when it comes to complying with the law.  

"It’s critical for organizations to proactively comply with CCPA regulations, rather than face expensive legal battles," said Raj Sharman, professor of management science and systems at the University of Buffalo School of Management, in a statement.  

"But especially for smaller healthcare organizations, it can be challenging to understand the law’s jurisdiction and develop technology infrastructure that’s sophisticated enough to protect against data breaches," said Sharman, who co-authored the study.  

WHY IT MATTERS  

After interviewing 19 digital privacy and information system experts, researchers found that professionals perceived legal and technological challenges for healthcare organizations in complying with CCPA.  

Part of the issue, say researchers, stems from the combination of CCPA and HIPAA.  

Although the law does not apply to nonprofits, "given the law’s broad definition of 'business' and 'consumer,' companies across the U.S. that collect user data and deploy cookies must comply with the CCPA," said the study's lead author Pavankumar Mulgund, clinical assistant professor of management science and systems in the UB School of Management, in a statement.  

"But healthcare organizations have an additional burden of complying with HIPAA – and we found the interplay of the two laws creates some unintended hurdles," Mulgund said.  

CCPA allows state residents to access the personal information that companies collect on them, request to delete their data and seek legal options for data misuse or a breach. The law explicitly exempts HIPAA-eligible information.

"However … several types of data collected by HIPAA-compliant healthcare organizations potentially fall within the jurisdiction of the CCPA, but there is significant regulatory ambiguity around such data," wrote the researchers.  

They argue that, in general, healthcare organizations face a lack of regulatory clarity and uncertain likelihood around reinforcement. In addition to those legal issues, technology-related challenges emerged from interviews with experts:

  1. Challenges of data discovery and inventory.
  2. Lack of sophisticated and robust digital infrastructure.
  3. Coordination between technical and privacy professionals.
  4. The high cost of compliance without an equitable ROI.

"From an implementation perspective, our study finds that the more visible components of CCPA compliance, such as building a website or setting up a helpline service for consumers to raise data access requests, are easy to accomplish," read the study.

"However, the task of ensuring an accurate inventory of all the consumer data collected and stored within the organization will be a challenging endeavor," it continued.  

THE LARGER TREND  

It's no surprise that federal and state regulatory compliance, particularly where information sharing is concerned, can present challenges for healthcare organizations.  

Sometimes failing to comply can carry a big price tag: The U.S. Department of Health and Human Services' Office of Civil Rights has settled more than a dozen HIPAA-related cases over the past few years, often related to the so-called right of access rule.  

"Providing patients with their health information not only lowers costs and leads to better health outcomes, it's the law," said OCR Director Roger Severino in 2019, in a statement about the first of such settlements. We aim to hold the healthcare industry accountable for ignoring peoples' rights to access their medical records and those of their kids."  

ON THE RECORD  

"The COVID-19 pandemic really exacerbated the confusion, as organizations make enhanced use of technology to capture personal and health-related information – like temperature scans, contact tracing and test results – without establishing adequate privacy safeguards," said Mulgund in a statement.   

"It’s unclear whether these data points fall under the CCPA, and as other states debate similar legislation, this issue will only become more complex," he added.

 

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Topics: 
Compliance & Legal, Data Warehousing, Patient Engagement

More regional news

UnitedHealth Group Optum building

Optum Virtual Care said to be closing down

By
Andrea Fox
April 26, 2024
Dr. Yinka Oyelese of Beth Israel Deaconess Medical Center on ultrasound AI

AI can make maternal ultrasonography more accessible, accurate and efficient

By
Bill Siwicki
April 26, 2024
John Halamka, president, Mayo Clinic Platform, and Arcadia president and CEO Michael Meucci with Kate Milliken

Prepare for success before deploying healthcare AI

April 26, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Dr. Yinka Oyelese of Beth Israel Deaconess Medical Center on ultrasound AI
AI & ML Intelligence
AI can make maternal ultrasonography more accessible, accurate and efficient

Most Read

HIMSS24 Europe: Interoperability takes centre stage in Rome
Virtus Health enhancing IVF patient experience with AI
WebMD acquires Healthwise to bolster patient engagement and growth
Toward new telehealth strategies at the HIMSS24 Virtual Care Forum
Zocdoc launches advanced partner program
Memorial Healthcare finds success with switch to Epic-based telehealth vendor

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Artificial Intelligence
Analytics
Analytics

Video

Adam McMullin at AvaSure_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Patient safety gets a boost from AI-powered virtual care
Sponsored by
John Halamka, president, Mayo Clinic Platform, and Arcadia president and CEO Michael Meucci with Kate Milliken
AI should augment, not replace, clinicians’ expertise
Jonathan Bush at Zus Health_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Independent patient data platform helps advance interoperability
Rachelle Landry at BD Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How to help clinicians understand the value of digital health

More Stories

A radiologist examining X-ray images
National University Hospital launching AI-driven...
Heidi Wold at Longevity Health Plan_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Patients benefit from post-acute care
Wes Cronkite of TruBridge on AI
Highlighting rural voices is imperative for equitable, bias-free healthcare AI
Dr. Bill Frist and Larry Ellison
Oracle launches Autonomous Shield initiative, with eye on cloud cybersecurity
Clinicians consult a tablet
Patch management advice for fixing IoT vulnerabilities
Dr. Jesse M. Ehrenfeld, AMA president_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
AMA leader: Physicians must be the lodestar for IT innovation
Christine Antorini
Recognizing nursing as a calling: A key step toward enhancing workforce sustainability
One of Mercy Health's hospitals in Victoria
Role-based messaging's growing popularity in...