Recently, California passed a sweeping new privacy law, the California Consumer Privacy Act of 2018 (the “Act”), which is being compared to the GDPR.
The Act raises a number of practical implementation and compliance questions for those health care entities subject to its stringent requirements.
The major provisions include the following four rights that apply to “consumers,” essentially defined as California residents:
- Right to Know: consumers have the right to know what personal information a business has collected about them, where it came from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
- Right to Opt Out: consumers can opt out of allowing a business to sell their personal information to third parties;
- Right to Delete: consumers can request that a business delete their information, with some exceptions; and
- Right to Non-Discrimination: those who exercise their privacy rights under the Act cannot be discriminated against in either service or pricing.
There are also protections for minors and numerous requirements regarding the process for consumers to exercise their rights. While the Act does not apply to protected health information, it does apply to “personal information,” which is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
A concerning part of the Act is the private right of legal action that allows consumers, either individually or as a class, to seek statutory or actual damages, injunctions, and other relief. Statutory damages can be between $100 and $750 per resident per incident, or actual damages, whichever is greater. The California Attorney General has also been empowered to enforce the Act, with civil penalties for intentional violations of up to $7,500 per violation (although what constitutes a “violation” has not yet been defined).
While compliance is not required until January 1, 2020, the Act will require significant changes and upgrades to policies, procedures, websites, and data gathering/storage software systems. It will also create the need to review third-party agreements, including Business Associate Agreements, and to expand risk assessments and monitoring of third parties.
The Mazars USA Health Care Consulting Group has decades of experience in privacy and information security compliance and operations. If you have questions or need assistance with complying with the new Act or the GDPR, creating a vendor risk assessment process, refreshing your HIPAA training, or reviewing policies and procedures, or if you are interested in obtaining HiTrust Certification, please contact us.