California has a well-earned reputation for being on the cutting edge. Of style, technology, environment, legal trends… a lot of important ideas sprouted and took root in the Golden State. A new law that went into effect on January 1, 2020, could be the Next Big Thing.
The California Consumer Privacy Act (CCPA) is an answer to a question that has only grown since the dawn of the Social Media Age: What do these companies know about me, and what are they doing with that information?
The law requires companies that meet certain levels of business in California to seek and receive permission from consumers before they can sell users’ data, or transfer it to a third party in exchange for something of value. The threshold for being subject to the law is pretty high: gross annual revenue of $25 million or more; buying, selling, or receiving data on 50,000 or more consumers, devices, or households; or deriving more than 50% of revenue from trafficking consumer data. But the penalties can be quite steep: $2,500 for an unintentional violation, $7,500 if intentional.
The CCPA pairs with the California Confidentiality of Medical Information Act (CMIA), which in 2013 was expanded to cover vendors of mobile apps and other means of collecting health data, and to prohibit buying or selling that data without the user’s permission. Together, these laws extend beyond HIPAA to protect patient data.
California companies aren’t the only ones that should be concerned
Though CCPA and CMIA only apply in California, their application is not limited to California companies. Any company whose business in California meets the minimum standards of the law is subject to them, no matter where it is based. And considering one out of every ten Americans lives in California, odds are good that any health care business covered by HIPAA may also find itself covered by CCPA and CMIA.
What does this mean for the health care company and its network security?
For the health care company that is fastidious in doing its duty to protect patient data under HIPAA, regularly assessing its compliance, updating its practices and procedures to comport with changes in the law, and training staff to follow the best practices established by the industry, CCPA and CMIA are probably incidental and will never impact its business.
But for that large number of companies that are not HIPAA compliant (HHS regulators found violations in 70% of complaints they investigated through November 2019), this is another set of pitfalls ready to trap the unwary.
Vigilance is the only protection against pitfalls
What can be done to avoid them?
The best plan is to follow a regular routine of review, assessment, and revision of policies and practices, and to closely monitor developments in security technology. HIPAA compliance requires “reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.” What was reasonable last year may no longer be reasonable today: technology and security practices are constantly changing to adapt to threats that might never have been imagined a year ago.
Any company that doesn’t have a fully committed and well-trained IT security team is well advised to seek outside guidance from consultants and advisors who specialize in the most up-to-date best practices, policies, and technology in the health care data security field. With a thorough assessment from fresh eyes trained to spot weaknesses in your defenses, you will learn where you are vulnerable and where you need help, and get the best advice on how to avoid these pitfalls before hackers or government investigators find them and make them real problems for you.
Elinext teams provide a range of development services to companies representing the healthcare industry. Software solutions we deliver are HIPAA compliant, improve patient outcomes, and secure PHI. If you have any questions, contact us any time.