New California Privacy Law Will Impact the Medical Industry
With seemingly daily reports of data breaches or improper sharing of user data, consumer privacy is a growing concern. California is the latest State to take action to protect consumers’ personal information and has passed a law that provides strong and broad protections to do so. Signed into law on June the 28, 2018, the California Consumer Privacy Act of 2018 (“Privacy Act”) creates some of the strongest consumer privacy protections in the nation.
The Privacy Act creates a right for consumers to request that businesses disclose what information they have collected, sold, or shared on them, and if they so choose, to have collected information deleted and to proactively opt-out of future data collection, selling, and sharing. These protections in turn create numerous compliance, notice, and penalty issues for businesses who collect information from California residents.
Businesses subject to the Privacy Act will need to provide proper notice of the types of information collected and the rights of the consumer under the act before any information is collected. Businesses also will need to ensure that their data collection and use practices involve only the types of information and uses that have been properly disclosed to the affected consumer. Additionally, businesses will need to have trained personal to accept, verify, and respond to consumer requests within the statutory deadlines. And finally, businesses subject to the Privacy Act will need to have data systems capable of securely storing the information while providing for rapid and accurate access to for requests and to delete the information if requested.
Medical businesses who are covered under the Health Insurance Portability and Accountability Act (“HIPAA”) or California’s Confidentiality of Medical Information Act (“CMIA”) have additional hurdles to overcome. The Privacy Act exempts “protected” or “health information” that is already covered under the prior laws. However, medical businesses will need to determine what information they have and comply with the Privacy Act for other types of information not covered by HIPAA or CMIA. The safe and accurate handling of information and consumer requests will be critical to medical practices in particular as the Privacy Act creates substantial penalties for failure to maintain compliance, mishandling of information, and failure to respond appropriately to consumer requests. Luckily medical practices in California have some time to learn more about what is covered before being subjected to penalties, as the Privacy Act is slated to take effect on January 1, 2020.