If you are building a patient portal for a California audience, the first question to ask is whether your patient engagement company is CCPA compliant. If it is not, your business may be at risk. This page explains what the CCPA is and how to tell whether it applies to your healthcare business.
What is CCPA compliance?
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. The bill (AB 375) was signed into law on June 28, 2018, and took effect on January 1, 2020.
The Act provides California residents with the right to:
- Request that a business disclose the categories and specific pieces of personal information it collects about the consumer, and the categories of sources from which that information is collected
- Know the business purposes for collecting or selling the consumer’s personal information
- Know the categories of third parties with which the information is shared
- Request the deletion of personal information
- Opt out of the sale of personal information by a business, and not be discriminated against for exercising this right (for example, by being charged different prices or offered goods or services of a different quality)
- Require opt-in consent before a minor's personal information is sold: a consumer under 16 must affirmatively authorize the sale, and for a child under 13 a parent or guardian must give that authorization
What is considered personal information?
The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, such as:
- Name or alias
- Postal address or physical address
- Unique personal identifier
- Online identifier
- Internet protocol address
- Email address
- Account name
- Social security number
- Driver’s license number
- Passport number
- Physical characteristics or description
- Telephone number
- State identification card number
- Insurance policy number
- Education and employment history
- Financial information including bank account number, credit card number or debit card number
- Medical information
- Health insurance information
What data types in a healthcare organization could be subject to CCPA?
The CCPA exempts protected health information that is already governed by HIPAA (and medical information governed by California's Confidentiality of Medical Information Act), so the data most likely to fall under the CCPA in a healthcare organization is:
- Personal information not regulated by HIPAA
- Personal information processed by a non-healthcare component of a HIPAA hybrid entity, or by an affiliated non-profit
- Certain employee data
- Personal information collected through conferences, fundraisers, marketing events, or similar activities
- Personal information used for research
Does the CCPA apply to your healthcare business and patient portal app?
The CCPA applies to any for-profit entity that collects California consumers' personal information, does business in California, and meets at least one of the following thresholds:
- Has annual gross revenue exceeding $25 million
- Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
Covered businesses are required to “implement and maintain reasonable security procedures and practices” appropriate to the nature of the personal information they hold. This duty has teeth: the CCPA gives consumers a private right of action when a breach of their non-encrypted, non-redacted personal information results from a business's failure to meet it, so a patient portal that is out of scope for HIPAA is not out of scope for breach liability.
Even if your organization has no locations in California, the CCPA applies to you if you conduct business or market your offerings in California and meet the criteria above.