The implications of the California Consumer Privacy Act (CCPA) on healthcare organizations: Lessons learned from early compliance experiences

•California consumer privacy act (CCPA) is a digital privacy regulation overseeing technology companies' data collection and usage practices in the United States.•Although the act was intended for consumer-facing digital companies, California's healthcare organizations are impacted signifi...

Full description

Saved in:
Bibliographic Details
Published in:Health policy and technology Vol. 10; no. 3; p. 100543
Main Authors: Mulgund, Pavankumar, Mulgund, Banashri Pavankumar, Sharman, Raj, Singh, Raghvendra
Format: Journal Article
Language:English
Published: Elsevier Ltd 01.09.2021
Subjects:
CCPA
Consumer health information
Data privacy
HIPPA
Data privacy
HIPPA
CCPA
Consumer health information
ISSN:2211-8837, 2211-8845
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:•California consumer privacy act (CCPA) is a digital privacy regulation overseeing technology companies' data collection and usage practices in the United States.•Although the act was intended for consumer-facing digital companies, California's healthcare organizations are impacted significantly and face several compliance challenges.•Lack of regulatory clarity and low likelihood of enforcement emerged as main legal issues. Poor data discovery processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high compliance cost emerged as significant technological hurdles to CCPA compliance. In 2018, California legislators passed the California Consumer Privacy Act (CCPA), a digital privacy regulation conferring consumers more control over their online personal information. CCPA is a significant regulation overseeing technology companies’ data collection and usage practices in the United States. This article analyzes CCPA and its implications on healthcare organizations. We elaborate on the compliance challenges that have emerged due to the interplay of the CCPA with the Health Insurance Portability and Accountability Act (HIPAA) from legal and technical/operational perspectives. Qualitative methods comprising semi-structured expert interviews, qualitative data coding, and analysis were used to explore the perceptions of the practitioners on various dimensions of the policy and to obtain insights from the field. Our findings indicated that California's healthcare organizations faced several legal and technological challenges in complying with CCPA. A lack of regulatory clarity and a low likelihood of enforcement emerged as two major themes of legal concern. Poor data discovery and inventory processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high cost of compliance emerged as significant technological hurdles to CCPA compliance. Despite considerable ambiguity around the scope and jurisdiction of CCPA in the healthcare sector, healthcare organizations may be subject to CCPA, primarily when they collect personally identifiable information that is not protected health information. Such organizations may need to comply with both regulations. Furthermore, it is in their best interest to develop compliance plans proactively rather than being caught in the quandary of last-minute implementation or expensive litigation.
ISSN:2211-8837
2211-8845
DOI:10.1016/j.hlpt.2021.100543