The implications of the California Consumer Privacy Act (CCPA) on healthcare organizations: Lessons learned from early compliance experiences

•California consumer privacy act (CCPA) is a digital privacy regulation overseeing technology companies' data collection and usage practices in the United States.•Although the act was intended for consumer-facing digital companies, California's healthcare organizations are impacted signifi...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Health policy and technology Jg. 10; H. 3; S. 100543
Hauptverfasser: Mulgund, Pavankumar, Mulgund, Banashri Pavankumar, Sharman, Raj, Singh, Raghvendra
Format: Journal Article
Sprache:Englisch
Veröffentlicht: Elsevier Ltd 01.09.2021
Schlagworte:
CCPA
Consumer health information
Data privacy
HIPPA
Data privacy
HIPPA
CCPA
Consumer health information
ISSN:2211-8837, 2211-8845
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:•California consumer privacy act (CCPA) is a digital privacy regulation overseeing technology companies' data collection and usage practices in the United States.•Although the act was intended for consumer-facing digital companies, California's healthcare organizations are impacted significantly and face several compliance challenges.•Lack of regulatory clarity and low likelihood of enforcement emerged as main legal issues. Poor data discovery processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high compliance cost emerged as significant technological hurdles to CCPA compliance. In 2018, California legislators passed the California Consumer Privacy Act (CCPA), a digital privacy regulation conferring consumers more control over their online personal information. CCPA is a significant regulation overseeing technology companies’ data collection and usage practices in the United States. This article analyzes CCPA and its implications on healthcare organizations. We elaborate on the compliance challenges that have emerged due to the interplay of the CCPA with the Health Insurance Portability and Accountability Act (HIPAA) from legal and technical/operational perspectives. Qualitative methods comprising semi-structured expert interviews, qualitative data coding, and analysis were used to explore the perceptions of the practitioners on various dimensions of the policy and to obtain insights from the field. Our findings indicated that California's healthcare organizations faced several legal and technological challenges in complying with CCPA. A lack of regulatory clarity and a low likelihood of enforcement emerged as two major themes of legal concern. Poor data discovery and inventory processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high cost of compliance emerged as significant technological hurdles to CCPA compliance. Despite considerable ambiguity around the scope and jurisdiction of CCPA in the healthcare sector, healthcare organizations may be subject to CCPA, primarily when they collect personally identifiable information that is not protected health information. Such organizations may need to comply with both regulations. Furthermore, it is in their best interest to develop compliance plans proactively rather than being caught in the quandary of last-minute implementation or expensive litigation.
ISSN:2211-8837
2211-8845
DOI:10.1016/j.hlpt.2021.100543