Organizations engaging with personal healthcare data need to pay close attention to the rapidly evolving regulatory environment. Over the next few years, the compliance requirements around personal healthcare data are set to evolve at breakneck speed. Surviving and thriving in this environment of regulatory change will require a more strategic approach to managing personal data.
For decades, personal healthcare data was regulated by a patchwork of federal and state-level, industry-specific data protection rules that left significant gaps in coverage. As a result, an individual’s healthcare data – and all personally identifiable data within organizations working with healthcare information – fell under data protection rules only in some circumstances. Not surprisingly, today most individuals do not understand when their healthcare data is protected by data privacy rules and when it is not.
Now, the advent of new state-level data privacy laws, such as the California Consumer Privacy Act (CCPA), and the possibility of a comprehensive federal level law means it’s likely that those gaps in regulatory coverage will be filled, creating a range of new compliance requirements. These new data privacy rules – covering the previous gaps – present an opportunity for healthcare industry organizations to enhance the trust within their data relationships. Let’s look at an example of what is happening to see both the challenges and the possibilities.
Exploring CCPA and healthcare data
The impact of the CCPA on healthcare data privacy compliance will be significant, and so it makes a good case study for understanding what is to come. Until the CCPA – which comes into force in January 2020 – healthcare data privacy and security in California was primarily regulated through HIPAA. However, HIPAA only applies to “covered entities” holding “protected health information.” HIPAA’s focus is primarily health insurance, so organizations in scope include hospitals, clinics, insurance providers and clearing houses that process medical data.
In contrast, the CCPA applies to all for-profit organizations doing business in California that operate above certain revenue and data processing thresholds. The CCPA exempts personal data protected by HIPAA and California’s Confidentiality of Medical Information Act (CMIA) – so some types of personal healthcare data continue to be covered by the existing rules. However, the CCPA now covers most other personal data created, processed and exchanged by the healthcare industry – filling in the gaps.