A Quick Guide To Consumer Privacy Laws (CCPA/CDPA/CPA) and HIPAA Exemptions For Healthcare Providers
Primer on U.S. Healthcare Laws:
HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect individual’s medical records and other personal health information. HIPAA lays out the appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. HIPAA also gives a patient rights over their health information, including the right to examine and obtain a copy of their health records and request corrections.
HITECH: The Health Information Technology for Economic Clinical Health (HITECH) Act passed in 2009, with additions made to it as recently as 2021. HITECH is a part of HIPAA data privacy compliance; outside of tweaking few rules, the act created incentives for companies to become fully compliant and increased fines for non-compliance.
Who the regulations apply to:
Health plans, healthcare clearinghouses, and any healthcare provider who transmits health information in an electronic format will be covered by HIPAA regulations. With the addition of HITECH, business associates of any of the previously listed who handle PHI will also be covered.
What type of data do these rules apply to:
HIPAA Privacy laws govern individually identifiable health information, also known as protected health information (PHI), or ePHI, for electronic copies of this information. PHI includes information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Examples of PHI:
- Names
- Dates, except the year
- Telephone numbers
- Geographic data
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Full face photos and comparable images
- Biometric identifiers (i.e. retinal scan, fingerprints)
- Any unique identifying number or code
What does HIPAA require your business to do:
Data Minimization: A central aspect of the HIPAA Privacy Rule is the principle of collecting the “minimum necessary” of patient data. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop policies and procedures to limit uses and disclosures to the minimum necessary.
Establish Safeguards: A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that violates the law’s standards, implementation specifications, or other requirements.
Mitigate Risk:A covered entity must mitigate any harmful risk by implementing cybersecurity standards such as a data backup plan and a disaster recovery plan.
Notice Requirement for Breach: Following a data breach involving PHI, covered entities must notify any individual affected by the breach within 60 days of discovering the breach. However, if a covered entity was a victim of a large data breach of more than 500 people, they have additional requirements. In that case, covered entities must notify the HIPAA Secretary of breaches and a prominent media outlet based in the area.
Patient rights under HIPAA
Right of Access: A patient has the right to access, inspect, and obtain a copy of their PHI. When a patient, or a representative, requests to access PHI, a covered entity must provide the records within 30-days (with a 30-day extension if requested within the original 30-day window).
Right to Amend: An individual has the right to have a covered entity amend PHI or a record about the individual. A covered entity must correct the information within 60-days after receiving the request (with a 30-day extension if requested within the original 60day window).
New 2021 Amendment to HITECH:
On February 5, 2021, a new amendment to HITECH (H.R.7898) was signed into law, creating more incentives for HIPAA covered entities to adopt robust data management programs. The amendment established a safeguard for businesses in HIPAA compliance who become victims of a data breach. A covered entity can now use its adoption of a recognized security practice as a defense against any fines from The Department of Health and Human Services (HHS). The adoption of a recognized security practice can result in mitigation and even the termination of all fines. In order to be in compliance and use this defense, a company can adopt NIST standards, approaches illustrated in the Cybersecurity Act of 2015, or other processes and programs that address cybersecurity.
How HIPAA and HITECH interact with state data privacy laws:
Does HIPAA override the state law? | An example of a HIPAA-covered entity collecting a hospital employee’s phone data. | |
California CCPA &CPRA (The CCPA is in effect now, and the CPRA takes effect on January 1, 2022) | Partially, only data that is considered PHI will be exempt from CCPA/CPRA regulation, whereas “personal information” that doesn’t constitute PHI will be governed by the CCPA/CPRA. | This information will most likely not be considered protected health information; therefore, if the data is considered personal information, the employee’s phone data is regulated by CCPA/CPRA. |
Virginia CDPA (The CDPA will take effect on January 1, 2023) | The CDPA provides an industry-level exemption for HIPAA-covered entities. This means that HIPAA-covered entities, and all of their information, are fully exempt from CDPA regulations. | Even though the data is not considered PHI, a HIPAA-covered entity is still the organization collecting the data. Under the broad exemptions of the CDPA, that information is exempt from the state law. |
Colorado CPA (The CPA takes effect July 1, 2023) | The CPA provides an industry-level exemption for HIPAA-covered entities. This means that HIPAA-covered entities, and all of their information, are fully exempt from CPA regulations. | Even though the data is not considered PHI, a HIPAA-covered entity is still the organization collecting the data. Under the broad exemptions of the CPA, that information is exempt from the state law. |
How HIPAA and HITECH interact with other Federal Regulations/ Industries:
The Gramm-Leach-Bliley Act (GLBA) – Financial Institutions- While a financial institution will most likely not fall under the covered entities of HIPAA, if the organization is a business associate of a HIPAA-covered entity, they are regulated by GLBA and HIPAA. Fortunately, the two laws have a lot of overlap when it comes to compliance. They both dictate what a business can do with sensitive data and a requirement to establish safeguards through a security plan. If an entity is in full compliance with HIPAA, it will most likely meet the data privacy requirements of the GLBA.
Family Education Rights and Privacy Act (FERPA)- Educational Institutions- In most cases, the two laws/industries do not intersect since schools are not covered entities under HIPAA. HIPAA also excludes any information that is considered “education information,” which is exclusively regulated by FERPA. This could include notes or a diagnosis from a school nurse, information that would typically be PHI and regulated by HIPAA becomes education information since a school employee created the notes about a student. There are exceptions to this rule, such as a “hybrid school” that functions as a healthcare provider and a school or if an educational institution brought in an outside health provider to administer a vaccine, that would be PHI and regulated by HIPAA.
Proposed rule changes to be aware of:
At the end of 2020, the Office of Civil Rights (OCR) discussed some possible HIPAA rule changes regarding the handling of patient data. HHS could adopt the following changes as early as 2021:
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
- Decrease the maximum time to provide access to PHI from 30 days to 15 days.
- Patients can transfer their PHI to a personal health application.
- Provide select individuals with their ePHI at no cost.
- HIPAA-covered entities will be required to inform patients that they have the right to obtain or direct copies of their PHI when a covered entity only offered a summary of PHI instead.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management.
About Ardent Privacy
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information visit https://ardentprivacy.ai/and for more resources here.
Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.