Jessica Kim Cohen reports that CCPA’s impact on hospitals is not totally clear at this point, and some hospitals will be exempt because they are not-for-profit. Here’s a snippet from her report:
Only large, investor-owned hospitals will fall under its purview, according to Lois Richardson, the California Hospital Association’s vice president and legal counsel.
But here’s the part that I see as really tricky/complex to sort out:
The law also includes carve-outs for healthcare data and won’t change patient privacy protections. The CCPA doesn’t apply to protected health information collected by organizations covered by existing privacy laws, such as HIPAA and California’s Confidentiality of Medical Information Act.
The exemptions also mean that it wouldn’t apply to data sharing that’s performed as part of business associate agreements between health systems and other companies, including tech giants like Google. The law was designed to target companies whose “business model is to collect and sell consumer information” rather than healthcare organizations, according to Richardson.
But for-profit health systems aren’t off the hook. It may require litigation to clarify the boundary between “data that’s considered health information, and data that’s considered personal information, but not health information,” Marks said.
Read more on Modern Healthcare.
I can see where I will need to attend at least a few more — and probably many more — seminars or workshops on CCPA.