Navigating the California Privacy Rights Act as a HIPAA-compliant business

CPRA’s protected health information exemption is not a blanket entity exemption as found in other state privacy laws. Here’s what you need to know

Bex Evans, Senior Product Marketing Manager | CIPP/E, CIPM
January 9, 2023


On January 1, 2023, the California Privacy Rights Act (CPRA) took effect, expanding consumer rights under the California Consumer Privacy Act (CCPA) passed in 2018. For healthcare-sector organizations, the most significant changes relate to the processing of personal information of their employees and website visitors, as well as handling personal information collected in the context of business-to-business transactions.   

US state consumer privacy laws

In recent years, several states including California, Connecticut, Colorado, Utah, and Virginia have passed new, modern consumer privacy laws that will take effect in 2023. These new laws will: 

  • Regulate the processing of personal information about state residents.  
  • Require businesses to provide public-facing privacy notices. 
  • Give individuals privacy rights to access, correct, delete, limit the use and opt out of the sale or sharing of their personal information.  

What types of businesses must follow these laws?

In general, the new privacy laws apply to businesses that reach certain thresholds of revenue; the number of state residents whose personal information is bought, sold, or shared; or the percentage of a company’s revenue derived from buying and selling personal information.  

In California, for example, the CPRA applies to for-profit businesses that do business in the state, collect California residents’ personal information, and determine the purposes and means of processing it, AND that: 

  • Generate annual revenue of more than $25 million OR  
  • Buy, sell or share the personal information of 100,000 or more California residents or households OR  
  • Derive 50 percent or more of their annual revenue from selling or sharing California residents’ personal information.  

In most cases, CPRA does not apply to California nonprofit or government-sector organizations. It does apply, however, to an entity that is controlled by a CPRA-covered for-profit business, shares common branding with it, and receives consumers’ personal information from it. 

How does CPRA complicate requirements for HIPAA-compliant businesses?

Under the new 2023 state privacy laws, HIPAA covered entities such as healthcare service providers and their business associates may be exempt from the new state privacy requirements. This means that some personal information they handle as part of their business operations – protected health information (PHI) as defined by HIPAA – may not be subject to the new privacy regulations. In some states, however, the exemption attaches to the data rather than to the entity: personal information that is not PHI stays in scope. 

California is one of those states. CPRA exempts PHI collected by a HIPAA covered entity or business associate (and medical information governed by California’s Confidentiality of Medical Information Act), not the organization that holds it. Other personal information that HIPAA-covered organizations collect from California residents, such as employee personal information or website traffic data, must be handled in accordance with CPRA requirements. These requirements may include: 

  • Providing consumers with both a HIPAA-compliant Notice of Privacy Practices (NPP) and a separate CPRA-compliant privacy notice covering the personal information processing activities that fall outside of PHI but within the scope of CPRA.  
  • Providing consumers with a CPRA-compliant notice at or before the point of collection – separate from the NPP – describing, at a minimum, the categories of personal information to be collected, the purposes of collection, and the other disclosures CPRA requires.  
  • Placing a clear and conspicuous link on the company’s website (titled “Do Not Sell or Share My Personal Information”) that lets consumers opt out of certain processing practices – e.g., selling their personal information, or sharing it with third parties for cross-context behavioral advertising. 
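The opt-out link in the last bullet needs something behind it on the website. The following is an added example, not code from the original post or from OneTrust: a small JavaScript gate that records the visitor’s “Do Not Sell or Share” choice and loads third-party sharing tags only when no opt-out applies. It goes one step beyond the text by also honoring the Global Privacy Control (GPC) signal, which the CPRA regulations require businesses to treat as an opt-out request. The cookie name, element id and tag URL are hypothetical placeholders.

```javascript
// Added example, not code from the original post or from OneTrust: a minimal
// website gate for the "Do Not Sell or Share My Personal Information" choice.
// Cookie name, element id and tag URL are hypothetical placeholders.

const OPT_OUT_COOKIE = "cpra_opt_out";       // hypothetical cookie name
const OPT_OUT_MAX_AGE = 365 * 24 * 60 * 60;   // 12 months, in seconds

// Parse a document.cookie / Cookie-header string into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return cookies;
}

// Decide whether tags that sell or share personal information (ad pixels,
// cross-site analytics) may run for this visitor.
//   cookieString: document.cookie in the browser, or the Cookie header server-side
//   gpcSignal:    navigator.globalPrivacyControl (boolean) or the Sec-GPC header ("1")
// A GPC signal is a valid opt-out request under the CPRA regulations, so it
// overrides any stored "not opted out" state; the stored cookie covers visitors
// whose browser sends no signal.
function sharingAllowed({ cookieString = "", gpcSignal = false } = {}) {
  if (gpcSignal === true || gpcSignal === "1") return false;
  return parseCookies(cookieString)[OPT_OUT_COOKIE] !== "1";
}

// Cookie string recorded when the visitor clicks the opt-out link. The same
// attribute syntax works for document.cookie and for a Set-Cookie header.
function optOutCookie() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${OPT_OUT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Browser wiring: check the stored choice and GPC before loading any sharing
// tag, and record the choice when the link is clicked. `doc` and `nav` are
// injected so the decision logic above stays testable outside a browser.
function installOptOutGate(doc, nav, sharingTagUrl) {
  const link = doc.getElementById("do-not-sell-or-share"); // hypothetical element id
  if (link) {
    link.addEventListener("click", (event) => {
      event.preventDefault();
      doc.cookie = optOutCookie();
      link.textContent = "Opted out of sale/sharing";
    });
  }
  if (sharingAllowed({ cookieString: doc.cookie, gpcSignal: nav.globalPrivacyControl })) {
    const script = doc.createElement("script");
    script.src = sharingTagUrl; // only loaded when no opt-out applies
    doc.head.appendChild(script);
  }
}

if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  installOptOutGate(document, navigator, "https://ads.example/pixel.js"); // hypothetical tag URL
}
```

The gate only prevents a tag from loading; a real deployment must also stop tags that are already running on the page when the link is clicked, and must pass the opt-out on to the partners that already received the visitor’s data. Keeping the decision in a pure function (`sharingAllowed`) is what makes the server-side and client-side checks agree and lets the choice be asserted in a test.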

Under California’s privacy regulatory framework, CPRA-covered and HIPAA-compliant organizations will need to assess their current personal information processing practices to determine which ones fall under PHI and which do not, then take appropriate steps to issue applicable privacy notices and comply with other mandates. 

What impact will CPRA have on your company balance sheet?

Not surprisingly, the new privacy laws could create particular financial challenges for HIPAA-compliant companies. For example, if a company relies on advertising to bring potential customers to its website and expects to use website data to generate revenue, being required to let visitors opt out of the sale or sharing of that data (for instance, with ad-tech partners for targeted advertising) could limit the company’s ad revenue. The company then has to weigh the benefit of explaining to individuals why the data is collected and what value it provides to them as consumers against the share of visitors who will simply opt out. 

Another less obvious impact on companies could be the cost of responding to employee requests to review, inspect, modify, or potentially block the sharing of their data. Employee-related data typically resides in multiple locations such as e-mail, employee databases, Microsoft Teams correspondence, etc. Aggregating this information, therefore, could potentially strain a company’s administrative or operational resources. 

How can OneTrust help?

HIPAA-compliant companies can leverage OneTrust to comply with the CPRA. With policy and notice management, PIA and DPIA Automation, Privacy Rights Automation, and Data Policy Management, healthcare companies can evaluate current business processes for CPRA violations, provide compliant notices and opt-out mechanisms, and ensure proper data governance of sensitive personal information for California residents.  

OneTrust supports CPRA compliance with a range of tasks, including:  

  • Capture opt-in consent for classified sensitive personal data:  Demonstrate valid compliance through consent documentation. Sync consented data to marketing and IT systems to ensure data is used based on the individual’s choice. 
  • Respond to requests within the 45-day timeline: Automatically aggregate requestor data across distributed and unstructured sources and redact sensitive information before responding to the requestor, all within a secure communication portal.  
  • Assess privacy risk: Leverage pre-built templates to carry out PIAs in collaboration with business stakeholders, documenting the risk of targeted advertising, profiling, and sales of data, or of any activity that presents a heightened risk to California consumers.  
  • Provide notice and enforce retention policies: Link retention policies to categories of processing activities directly within records of processing. Reference DataGuidance retention schedules against datasets to flag when a retention policy is violated, and execute remediation actions like deletion, masking, or archival.  

To see how OneTrust can help you navigate CPRA, request a demo today. 
