Health Care Law
Data privacy: Are you in compliance?
The latest political and business “hair on fire” news items will burn brightly and then thankfully fade to memory and cycle. By comparison, worrying about data privacy seems virtually mundane. While the latest political and business chatter can and should often be ignored, the ongoing electronic data evolution with persistent consumer data interface is here to stay and requires attention.
All enterprises doing business in California will persistently deal with consumer data, and cannot ignore basic data privacy compliance requirements. So rather than checking your favorite social media outlet for a moment, briefly consider what enterprises doing business in California must navigate to properly handle data privacy requirements. All enterprises doing business in California that intake personal consumer information data should become familiar with California’s basic data protection statute, evaluate if other state or federal requirements apply, implement essential data protection efforts, and explore cybersecurity insurance.
First, a wide range of state and federal laws protect data privacy in California and the U.S. Do not focus your attention on just one (1) data privacy law (example: Health Insurance Portability and Accountability Act or “HIPAA”), and presume navigating that one law navigates them all. Rather, accept that diverse state and federal laws generally require data security and are designed to impose personal data security requirements on virtually ALL enterprises. The safe assumption, therefore, is that at least one (and probably more) state and federal laws mandate data security and protect personal information privacy. For an excellent list (but with a couple unfortunate omissions — GINA and Common Rule are not referenced but represent important federal privacy laws), see https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.
Second, how should an enterprise with personal consumer data comply with state and federal privacy laws? An excellent place to start is the California Data Protection Act (“CDPA”) (California Civil Code Sections 1798.80-1798.94). While the CDPA’s breach notice requirements garner a lot of attention, the CDPA also includes a comprehensive set of personal information security requirements that (generally and sort of) track HIPAA and Confidentiality Medical Information Act (“CMIA”) legal health information protection protocols.
The CDPA attempts to avoid layers of statutory requirements by confirming (again, this is simplifying things) that compliance with HIPAA or CMIA is compliance with CDPA. If your enterprise receives electronic personalized health information from a “covered entity” (basically: medical providers or health plans) such that HIPAA is triggered and complies with HIPAA, then you are either outside of or complying with CDPA requirements. Conversely, even if you believe HIPAA or CMIA do not apply to your enterprise, CDPA requirements do apply if you receive consumer personal information data. One way or another, regulatory data protection regulations apply to virtually all enterprises with personal information data.
Health-related behavioral communication apps/platforms are rapidly proliferating.
Enterprises engaged in health-related communication might presume that if a medical provider or health plan is not the health data source because the consumer directly loads/shares their health data, HIPAA does not apply. But, that app or platform doing business in California does trigger CMIA requirements similar to HIPAA if the product helps “treat” or “diagnose” a health condition based on health data. Many privacy notices for communication app enterprises engaged in health behavior modification fail to reflect the enterprises understand CMIA requirements may apply.
Assuming this article already distracted you for a minute from “Brexit Regrexit” and cat videos, let’s focus quickly on essential CDPA requirements. To oversimplify, your enterprise must protect the privacy of all personal information data you receive and/or store from consumers by adopting data security measures. Additionally, if your enterprise shares personal information with third parties that may direct market your consumers, your enterprise must also provide CDPA-guided notice in that regard to consumers. If your data security is breached, the CDPA mandates the form and format of a mandatory breach notice (and depending on the scope of that breach, you might have to offer identity theft protection services for a year). Can you ignore the CDPA, like those social media posts obviously outside your viewpoint by the uneducated? No!
Violating the CDPA may expose you to general civil damages, per-incident statutory damages, and the potential for injunctive relief. And, if HIPAA and/or CMIA requirements apply, your enterprise must ensure it has minimum necessary security protocols and statutorily mandated documentation in place.
But why are there all these privacy statutes? Can’t we just do business with consumer data and let the markets figure that out?
Well, that’s not feasible for a number of reasons. Data integrity has become a serious national/international issue, with countries and rogue organizations hacking and trading with consumer data to criminally defraud. Tax dollars are under attack with fraudulent state and federal medical plan false billing, and fraudulent tax refund theft, based on hacked consumer data. Private enterprises are at risk from economic spying efforts involving data security breaches by both countries and competitors. Internal security breach events used to harm or defraud enterprises represent another threat.
Data protection triggers too many critical issues to be unregulated or ignored. Finally, if you are wise enough to procure cybersecurity insurance to protect your enterprise from data breach events, your policy will mandate an accurate disclosure of your data security measures and generally require state and federal data protection compliance. If you fail to accurately describe your data protection efforts, or otherwise fail to comply with policy requirements, your cybersecurity insurance coverage could be as limited and meaningless as that grammatically challenged media commentary you try not to read (but you do anyway, you know you do). Consumer data interface is here to stay for a long, long time. How many enterprises lack consumer data and refrain from doing business in California? Not many. That means basic California and federal cybersecurity compliance is more immediately relevant than Texit/Scotlondexit, or clever/annoying social media videos that you love/hate. Consumer data, unlike your ex-best friend’s rant, is far too valuable to be left unregulated, unprotected, uninsured, or ignored.
Bottom line, all enterprises doing business in California must become familiar with the CDPA, assess if HIPAA and/or CMIA requirements may apply, and implement mandatory state and federal data protection protocols and related consumer notifications.
Adopting strong data protection efforts (like encryption and password protection), and evaluating cybersecurity insurance, will protect both enterprises and consumers. Animal videos come and go, political debates are endless, but do not ignore data protection requirements. Data driven business will thankfully persist and flourish, which means protecting your enterprise and its consumers requires basic privacy regulation knowledge and protocols. Time expended on basic data security will yield a rate of return far superior to debating your former friend about immigration politics.