A sweeping new privacy law approved by California legislators doesn’t directly cover protected health information (PHI), but analysts say it will have significant effects on how health care businesses collect, use and store personal data.
The law, approved in a rush in late June to ward off a California ballot initiative on privacy, applies to all for-profit business entities in the state that meet one or more of these criteria: 1) have annual gross revenues greater than $25 million; 2) buy, receive, sell, or share personal information on more than 50,000 state residents per year; or 3) derive 50% or more of annual revenues from selling personal information.
The new law does not apply to nonprofits, including nonprofit health care organizations operating in California. Nor does it apply to smaller health care organizations that fall below the revenue and data-volume thresholds, provided they don't derive the majority of their revenue from selling personal information.
However, larger health care organizations that meet the law's thresholds don't get a pass. Although PHI collected by HIPAA covered entities (CEs) and business associates (BAs) is excluded, other personal information (for example, IP addresses and website usage data collected when a patient visits an entity's website) is covered, says Rachel Marmor, a New York City-based attorney with Davis Wright Tremaine LLP who focuses on data privacy and cybersecurity issues.
“Also, employees are consumers under the law, and any employee data collected by HIPAA Covered Entities [CEs and BAs] would be covered. In short, these entities are still going to be impacted by the law,” Marmor tells RPP.