The healthcare industry is among the most highly regulated industries when it comes to privacy protections. In addition to the federal Health Insurance Portability and Accountability Act (HIPAA), healthcare providers also must comply with a growing number of state laws governing data privacy and security. Fully complying with this patchwork of privacy protections is a complex task because these laws often classify different kinds of personal information as “protected information” and impose varying security and reporting requirements.
For example, HIPAA protects certain “individually identifiable health information,” often referred to as “protected health information” or PHI. HIPAA requires covered entities to adopt and implement a plethora of policies and technical safeguards to protect PHI. The California Consumer Privacy Act (CCPA), a relatively new law, protects consumers regarding the collection, use, processing, deletion, sale, and security of personal information, among other things, and also imposes obligations on businesses regarding the same. Healthcare providers who are HIPAA covered entities are exempt from the CCPA with respect to protected health information. However, HIPAA covered entities are not exempt when functioning as an employer with respect to the personal information of their employees who reside in California and therefore must comply with the CCPA to the extent it applies to them as employers.
With the growing number of state laws governing privacy protection, healthcare organizations must be sure their compliance efforts consider state law in addition to HIPAA. Meshing these obligations into one cohesive privacy protection system can be complicated. (See Personal Information, Private Information, Personally Identifiable Information…What’s the Difference?). A recent article by our Jackson Lewis Privacy, Data and Cybersecurity practice group addresses these issues. The article breaks down some factors that may trigger business obligations related to personal information and applies such considerations to the healthcare industry. These factors include but are not limited to industry, business location, categories of customers, types of equipment used, specific services provided, marketing and promotion methods, the categories of information collected, and employment practices. The article also provides some examples of laws that may be triggered (although it is not exhaustive).
So, what is the takeaway? Healthcare organizations should regularly evaluate their compliance efforts around the protection of personal information. This starts with understanding the state and federal laws applicable to their business. From there, healthcare organizations must work to establish and implement policies and safeguards that meet their obligations under each of the applicable laws. Failing to meet these obligations could expose an organization to potentially significant liability and reputational harm. To ensure compliance, healthcare organizations should, at minimum, consider doing the following:
- Implement comprehensive data safeguards;
- Conduct cybersecurity assessments;
- Reconsider the types of data collected and the purposes for collection;
- Determine whether data collected is the minimum necessary to accomplish the intended purpose; and
- Monitor pending privacy legislation.
Jackson Lewis attorneys in our Privacy, Data and Cybersecurity practice group and Healthcare industry group regularly partner with healthcare providers to ensure they are up-to-date with this rapidly evolving area of law. Please contact your Jackson Lewis attorney if you would like to learn more about these services.
Update: On May 17, 2024, we clarified our reference to HIPAA covered entities having to comply with HIPAA and the CCPA. HIPAA covered entities are exempt from the CCPA with respect to protected health information but must comply with the CCPA when functioning as an employer with respect to the personal information of their employees who reside in California.