On January 1, 2023, the California Privacy Rights Act (CPRA) took effect, expanding consumer rights under the California Consumer Privacy Act (CCPA) passed in 2018. For healthcare-sector organizations, the most significant changes relate to the processing of personal information of their employees and website visitors, as well as handling personal information collected in the context of business-to-business transactions.
In recent years, several states including California, Connecticut, Colorado, Utah, and Virginia have passed new, modern consumer privacy laws that will take effect in 2023. These new laws will:
In general, the new privacy laws apply to businesses that reach certain thresholds of revenue; the number of state residents whose personal information is bought, sold, or shared; or the percentage of a company’s revenue derived from buying and selling personal information.
In California, for example, the CPRA applies to for-profit businesses that collect and control the processing of personal information collected from California residents AND that:
In most cases, CPRA does not apply to California nonprofit or government-sector organizations. The regulations do apply, however, if a nonprofit is controlled by a CPRA-covered for-profit business and the two entities share personal information between them.
Under the new 2023 state privacy laws, HIPAA-covered and compliant entities such as healthcare service providers and their business associates may be exempt from new state privacy regulations. This means that some personal information they handle as part of their business operations – think protected health information (PHI) as defined by HIPAA – may not be subject to the new privacy regulations. In some cases, however, the new privacy laws include carve-outs for personal information that is not considered PHI.
CPRA provides that only PHI is exempt. Other personal information that HIPAA-covered organizations collect from California residents, such as employee personal information or website traffic data, must be handled in accordance with CPRA requirements. These requirements may include:
Under California’s privacy regulatory framework, CPRA-covered and HIPAA-compliant organizations will need to assess their current personal information processing practices to determine which ones fall under PHI and which do not, then take appropriate steps to issue applicable privacy notices and comply with other mandates.
Not surprisingly, the new privacy laws could create particular financial challenges for HIPAA-compliant companies. For example, if a company relies on advertising to bring potential customers to its website and expects to use that website data to generate revenue, being required to offer an opt-out from its data-gathering activities could limit its ad revenue. In that case, the company would have to weigh the benefit of explaining to individuals why data is being collected and how it provides value to them as consumers against the cost of allowing them to opt out.
Another, less obvious impact on companies could be the cost of responding to employee requests to review, inspect, modify, or block the sharing of their data. Employee-related data typically resides in multiple locations such as e-mail, employee databases, and Microsoft Teams correspondence. Aggregating this information could therefore strain a company's administrative or operational resources.
HIPAA-compliant companies can leverage OneTrust to comply with the CPRA. With policy and notice management, PIA and DPIA Automation, Privacy Rights Automation, and Data Policy Management, healthcare companies can evaluate current business processes for CPRA violations, provide compliant notices and opt-out mechanisms, and ensure proper data governance of sensitive personal information for California residents.
OneTrust supports CPRA compliance with a range of tasks, including:
To see how OneTrust can help you navigate CPRA, request a demo today.