Getting Ahead of Privacy and the CCPA – Healthcare Needs to Move Beyond HIPAA


This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

Privacy concerns are on the rise. Over the last couple of years, survey after survey has clearly shown a dramatic rise in overall consumer privacy awareness and concern – driven primarily by the never-ending litany of data breaches that make the news.

The healthcare industry has been somewhat shielded from this, seemingly due to the trust that patients extend to their doctors and, by proxy, the organizations they work with. HITECH and HIPAA legislation have acted as a perceived layer of safety and protection.

But healthcare is not immune from privacy issues.

Most people aren’t even aware of the hundreds of data breaches of unsecured health information in the last 24 months that are being investigated by the U.S. Department of Health & Human Services Office for Civil Rights. In fact, research indicates that consumers still trust healthcare organizations with their data more than they trust many other industries.

But for how much longer?

Studies show that, although trust is still high, consumers are becoming increasingly concerned about privacy in healthcare. The perceived shielding that federal legislation provides and the implicit trust healthcare enjoys are both decreasing as other industries continue to receive arguably well-deserved scrutiny over their privacy and data protection practices.

And What About the CCPA?

Many medical and healthcare organizations that are covered entities under HIPAA mistakenly believe they are fully exempt from consumer privacy legislation such as the California Consumer Privacy Act (CCPA). The CCPA does have an exemption for HIPAA-protected data, and the current CCPA regulations are neither clear nor final. However, most legal opinions indicate that many types of data collected by healthcare organizations that are not regulated by HIPAA will be covered by the CCPA.

Data sources such as website cookies, health apps, conferences, marketing initiatives, fundraisers and more represent personally identifiable information that does fall under the CCPA. As such, medical organizations that handle that kind of data must be CCPA compliant. While EHR databases may be exempt, the CCPA’s definition of personal information is much broader and includes almost any data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Of course, both HIPAA and the CCPA have specific requirements for compliance, and preparing for the CCPA is something most healthcare businesses should already be well under way with.

Beyond compliance issues, sustained public attention and skepticism over privacy issues will come to the healthcare industry sooner or later – and along with it will come potentially mammoth impacts to medical businesses. And because of the impending rise in public awareness and media scrutiny, hiding under the cover of compliance with HIPAA and the CCPA is no longer a viable choice.

The CCPA isn’t the end result of the rise of privacy concerns; it’s a bellwether for what’s to come, and it’s time for healthcare organizations to step up.

Getting and staying in compliance with both HIPAA and the CCPA are obviously critical, but they are only a first step. As healthcare begins to embrace big tech and the incredible promise those partnerships can bring, the medical industry must think far beyond legal compliance and embrace real data privacy principles as core operating commitments and key competitive differentiators.

Transparency, Choice and Accountability

Patient trust in healthcare isn’t permanent or unassailable, and being trusted doesn’t absolve healthcare organizations from ongoing transparent communication. In the modern and connected world, trust must be earned on an ongoing basis with both transparency and consistency of action.

Companies that use personal healthcare data must be transparent about their practices and provide consumers a sense of control by giving them a real choice to opt in or out whenever possible. Organizations also need to communicate clearly with consumers about where their data is coming from, why it’s being collected, and how vendors and service providers are used in providing the services that they need.

Transparency must also be in lockstep with consistency of action. That means healthcare businesses must not only be clear about their actions, they must enable public accountability mechanisms such as advisory boards, complaint processes, official advocates, ombudsmen and more.

Data Protection and Security

Patients have a right to know their healthcare data is private and safe. Medical organizations should not only use advanced security technology and governance for all data, but also communicate to consumers about how their data is protected – whether mandated by legislative requirements or not. Encryption, data minimization, retention and deletion protocols, and other privacy-related organizational measures should be enacted and communicated.

Make a Difference and Add Value

Personal healthcare data is sensitive and should be used to advance medicine, improve outcomes and make the world a healthier place – not solely for financial gain. Beyond legal compliance, healthcare must embrace respect and ethics, with a public commitment to using personal data to add value to people’s lives. Organizations must also clearly communicate the difference they are making by using personal data, both to the individuals themselves and to healthcare and medicine as a whole.

While these principles may seem counter-intuitive to some, this moment is actually an incredible opportunity for healthcare organizations to embrace them and get ahead of their competitors.

Other industries have clearly demonstrated that those who embrace privacy are rewarded, while those who do not are punished. Financial gain will come by acting beyond privacy compliance, whereas waiting for the inevitable incidents that will damage and degrade patient trust, whether a data breach or public relations issue, is not a sound business strategy.

The healthcare industry has the opportunity right now to build upon its history of patient trust, but that opportunity won’t be realized by simply maintaining the status quo.

Dan Linton, CIPP/US, CIPP/E, CIPM, is the Global Data Privacy Officer at W2O, where he supports internal and client data privacy and protection practices with a specific focus on GDPR, CCPA and the impact of global privacy legislation on healthcare marketing and communications.