The California Consumer Privacy Act, which took effect Jan. 1, aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. Frequent news from companies reporting breaches of individuals’ personal information created a need for two pieces of legislation, and former Gov. Jerry Brown signed those bills in 2018.
Although health care providers such as dental practices are exempt from this new law, it is important to understand that some of the law’s provisions are similar to those required by HIPAA and the California Confidentiality of Medical Information Act.
CCPA provides California residents with the right to transparency; the right to request an entity not to sell their personal information; the right to access their personal information; the right to data portability; the right to request deletion of personal information; the right to disclosure of the sale of personal information; and the right to opt out of the sale of personal information at any time.
The definition of “personal information” under California law is also drastically broadened under CCPA to include any information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This expands the definition to include IP addresses, browsing history or internet search information, geolocation data, biometric data, work history, education information, etc.
CCPA applies to entities that collect or control any personal information of a California resident and have gross annual revenues in excess of $25 million. If the revenue threshold doesn’t exempt a dental practice, the authors of CCPA recognized that health care providers already have legal obligations regarding patient privacy, record access and retention, and data security under HIPAA and the California Confidentiality of Medical Information Act and appropriately exempted health care providers from CCPA requirements.
Pending 2020 legislation, AB 713, if passed, will also exempt information that was deidentified pursuant to HIPAA regulations, as well as certain biomedical research information, from the CCPA.
A HIPAA-covered entity must obtain patient authorization to sell patient information in a transaction that is not a practice sale. In a practice sale, the buyer must have patient authorization to use the patient chart. A health care provider must provide a patient with access to information related to his or her treatment and payment for that treatment.
HIPAA-covered entities are also required to implement administrative, physical and technical safeguards to protect patient information in electronic format. If a patient requests destruction of his or her information, a health care provider is not required to comply with the request, although HIPAA does require the provider to respond to the patient’s privacy concerns.
For more information on patient privacy and dental practice obligations under HIPAA and CMIA, visit CDA Practice Support’s resource library.