HIPAA Privacy & Security Updates—From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer, May 2019
Since the last issue, HHS extended by 30 days the comment period for two proposed rules aimed at promoting the interoperability of health information technology (health IT) and enabling patients to electronically access their health information. The new deadline for comment submissions is June 3, 2019.
The extension of the public comment period coincides with the release by the HHS Office of the National Coordinator for Health Information Technology (ONC) of the second draft of the Trusted Exchange Framework and Common Agreement, along with a related Notice of Funding Opportunity. On the same day, HHS also released a set of frequently asked questions (FAQs) from the Office for Civil Rights (OCR).
The FAQs address the Health Insurance Portability and Accountability Act (HIPAA) right of access as it relates to apps designated by individual patients and application programming interfaces (APIs) used by a healthcare provider’s electronic health record (EHR) system. The FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.
On February 11, 2019, HHS announced two proposed rules to support the seamless and secure access, exchange, and use of electronic health information (with Federal Register publication on March 4, 2019). The rules would increase choice and competition while fostering innovation that promotes patient electronic access to and control over their health information. Together the proposed rules address both technical and healthcare industry factors that create barriers to the interoperability of health information and limit a patient’s ability to access essential health information. Addressing those challenges will help to drive an interoperable health IT infrastructure across systems, enabling healthcare providers and patients to have access to health data when and where it is needed.
This extension responds to requests from a variety of stakeholders, including healthcare provider organizations and industry representatives. The Centers for Medicare & Medicaid Services (CMS) and ONC understand that both rules include a range of issues having major effects on healthcare. The extension of the public comment deadline will maximize the opportunity for meaningful input and further the overall objective to obtain public input on the proposed provisions to move the healthcare ecosystem in the direction of interoperability.
California Consumer Privacy Act
In the last issue of the COIN, I promised to highlight the provisions of the new California privacy law, the California Consumer Privacy Act (herein referred to as the CCPA), which is effective for the most part on January 1, 2020.
This new state law requires the California Attorney General to publish regulations between January 1, 2020 and July 2, 2020. Under this law, the Attorney General may not bring an enforcement action under the CCPA until the earlier of six months after the final regulations are published or July 1, 2020, giving businesses time to fully prepare for implementation.
Who has rights under the CCPA? California residents, defined as any natural person “enjoying the benefit and protection of laws and government” of California who is in California “for other than a temporary or transitory purpose” or is “domiciled” in California but “outside the State for a temporary or transitory purpose.”
Businesses subject to the CCPA are for-profit entities that both collect and process the personal information of California residents and do business in the state of California; a physical presence in California is not required. Simply making sales in the state is sufficient to be subject to this law.
A business must also meet at least one of the following criteria for the CCPA to apply: annual gross revenue in excess of $25 million; receiving or sharing the personal information of more than 50,000 California residents annually; or deriving at least 50% of its annual revenue from selling the personal information of California residents.
Among the businesses subject to the CCPA, companies that generate revenue from targeted advertising over internet platforms, such as Facebook, Twitter, and Google, will be the most impacted. This law threatens established business models throughout the digital sector. It could also extend to internet service providers such as AT&T and Verizon, which collect broadband activity data (web browsing data) and could attempt to use it to generate behavioral profiles to enable digital advertising.
The firms that stand to lose even more are data brokers such as Acxiom, Epsilon, Experian, and Oracle, which generate profits by collecting large volumes of data on individual consumers and selling it to third parties. These third parties include ad networks, marketers, retailers, and any other type of interested business.
Personal Information Under the CCPA
Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes social security numbers, drivers’ license numbers, and purchase histories, as well as “unique personal identifiers,” such as device identifiers or other online tracking technologies. It excludes information that is publicly available, aggregated or de-identified data, as well as medical or health information collected by a person or entity governed by the Confidentiality of Medical Information Act or HIPAA.
New Rights Given to Consumers by CCPA
The CCPA provides consumers with more control over their personal information in four ways: (1) knowledge: consumers must be notified of what is being collected; (2) sale of personal information: consumers must be presented with a simple process to opt out of having their personal information sold to a third party, and businesses must post a DO NOT SELL MY PERSONAL INFORMATION link on their homepage for opting out; (3) personal information removal: consumers may request that a business delete their personal information, businesses must inform consumers that they have this right, and the personal information must also be deleted from third-party contractors; and (4) service equality: businesses cannot discriminate against a consumer who exercises his or her rights under the CCPA, and the CCPA prevents a business from charging a consumer a fee because he or she exercised a right under the CCPA, although businesses can offer consumers financial incentives to allow personal information to be collected.
Disclosure Responsibilities of CCPA
Entities subject to the CCPA must proactively explain their privacy notices when personal information is collected. They must also inform consumers of their rights under CCPA, categories of personal information collected, the ways that personal information is used, and the categories of personal information the business has sold to third parties in the last year.
Disclosures must be updated every 12 months.
In many ways, the CCPA disclosure responsibilities are similar to what our industry requires agents to do under the Gramm-Leach-Bliley Act (GLBA), as well as Cal-GLBA.
Private Right of Action
The CCPA provides consumers a private right of action if their personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Consumers can file individual or class action lawsuits, and can recover between $100 and $750 in statutory damages per incident, or actual damages. The CCPA allows consumers to seek injunctive and other forms of relief, and sets out different procedures for actions seeking actual versus statutory damages.
Penalties for Non-Compliance
Civil penalties under the CCPA can be up to $2,500 per violation and $7,500 per intentional violation. Once notified of a violation by the Attorney General, companies have 30 days to come into compliance in order to avoid penalties. How these provisions apply to data breach occurrences is unclear at this time.
Preparation
Although we expect additional amendments, businesses that are subject to the CCPA should still start to prepare for compliance. Privacy notices, policies and procedures, and websites should be updated before the effective date. In addition, businesses should start mapping the personal information they collect and the locations where that personal information is stored, so that they can promptly meet requests under the CCPA.
Pending Bills Related to CCPA and Other Related Privacy Matters
In the Legislative Updates Column found on page 10, I had mentioned that I would discuss some additional bills CAHU is tracking in this column.
Please refer to AB 981 (Daly D) – Insurance Information & Privacy Protection Act – This bill would exempt insurance institutions, agents, and support organizations to which the Insurance Information and Privacy Protection Act applies from the California Consumer Privacy Act of 2018, except as specified.
CAHU Supports this bill.
CAHU SUPPORTS AB 981 (Daly), which amends the Insurance Information and Privacy Protection Act (IIPPA) to make it clear that entities governed by the IIPPA are not subject to the California Consumer Privacy Act of 2018 (CCPA).
This will ensure continued consumer protection while avoiding different and conflicting standards which may work counter to the best privacy and security protection for consumers. If additional consumer protections are needed beyond those provided in the IIPPA, a much better solution would be to clarify such issues in the IIPPA.
Trying to reconcile the CCPA with a long-standing and well-vetted insurance-specific law will result in foreseeable legal conflicts, and jeopardize the critical balance achieved in current privacy and security laws applicable to and strongly supported by insurers.
I also wanted to mention one more pending bill on the CAHU Priority Bills list, as it relates to privacy laws… SB 441 (Galgiani D) Electronic Health Records: Vendors. This bill would enact the California Interoperability Enforcement Act to regulate electronic health record vendors operating in California. The bill would require the Office of Health Information Integrity to review federal law and policy for opportunities to regulate electronic health record vendors and to establish an interoperability enforcement structure. The bill would require the office to promulgate regulations for this purpose. The bill would establish a Complaint and Technical Assistance Division within the office and the Interoperability Enforcement Fund, which would be available, upon appropriation, to fund the administration of these provisions.
CAHU supports SB 441.
CAHU SUPPORTS SB 441, which would help ensure the ability of health care providers to quickly and appropriately access health-related information across different health care settings. We believe this would limit the excessive charging and opportunistic pricing that hinders a health care provider's ability to clearly and efficiently exchange information pertaining to our clients' health. ##
CCPA References: SB 1121 bill text; “What You Need to Know About California’s New Data Privacy Law,” Dipayan Ghosh, July 11, 2018; “California Passes Strictest Online Privacy Law in the Country,” by Heather Kelly, CNN, June 29, 2018; “The California Consumer Privacy Act: What You Need to Know,” by Mark McCeary, December 1, 2019, New Jersey Law Journal.