I’m sure by now you’ve heard a rumor that California has enacted the most impactful privacy rule in the nation. Maybe you also heard that California’s privacy rule applies to California residents—and that it does not apply to medical information. And perhaps you’ve wondered if the rule applies to your practice, but you haven’t had time to look into it. Lucky for you, WebPT has created this handy FAQ to educate you about the California Consumer Privacy Act (CCPA) and point you in the direction of additional resources as you assess CCPA’s impact on your practice.
Does my physical therapy practice have to comply with CCPA?
Your physical therapy practice probably has to comply with CCPA if all of the following apply to you:
You must also comply with CCPA if you control, or are controlled by, an entity that meets the above criteria, and you share common branding with that entity. Check out this privacy law blog if you are interested in researching any of these requirements further.
A couple of important points to mention here:
- Businesses can take the form of sole proprietorships, LLCs, or corporations.
- While “doing business in the state of California is not defined in the CCPA, you can be doing business in California even if you are not physically present in the state. For example, if you are selling continuing education products, conference registrations, or therapy materials to California residents, then your sales may be considered “doing business in the state of California.” So, determining whether you are doing business in California can require a complicated legal analysis, and you should consult legal counsel if you have questions.
Who is protected by CCPA?
A “consumer” is a California resident, whether he or she is living in the state or is temporarily outside of the state. Currently, CCPA also applies to the personal information of employees, job applicants, and contractors, although the California legislature is seeking to amend the law to exclude these individuals. A recent amendment did exempt employees from some of the rights offered by the CCPA until January 1, 2021—although employees still have a right to know what personal information the employer is collecting about them and how the employer is using it.
I heard that protected health information (PHI) is excluded from CCPA. I am only collecting PHI, so do I still have to comply with CCPA?
It depends. It is true that CCPA does not apply to PHI, which is covered by HIPAA. However, if you are collecting personal information as leads (for the purpose of nurturing new patient referrals via targeted marketing activities, for example), this information may not be considered PHI. Lead information is personal information associated with soon-to-be patients (you hope), so if those individuals are also California residents, CCPA requirements may apply.
What is personal Information? Is it the same as PHI?
Personal information is the subject of the CCPA, and its scope is much broader than PHI’s. Personal information includes any information about an individual that could identify or reasonably be linked to that individual in any way, whether directly or indirectly. It includes the standard data elements for identifying people—such as names and social security numbers—but it can also include data elements that could reasonably be linked to an individual (e.g., biometric information, IP addresses, and account numbers). This New York University School of Law blog lists the 11 categories of personal information and examples of each.
What does it mean to collect and/or sell personal information?
Do you collect personal information about employees for business purposes, such as human resources activities? Are you collecting personal information from potential patients as part of your lead generation marketing program? Do you share personal information to a third party, such as another business? Essentially, if you are collecting, sharing, disclosing, or selling the personal information of a California consumer, it is highly likely that your activities are subject to the CCPA requirements.
I think I may have to comply with CCPA. What does the law require?
Essentially, CCPA requires businesses that collect, disclose, or sell the personal information of California consumers to:
- be transparent about how they are using the data,
- hand over the data to the owner of the data upon the owner’s request,
- delete the data upon the owner’s request, and
- allow the consumer a right to opt out of the sale or collection of his or her personal information.
This American Bar Association blog breaks down each of the CCPA consumer rights.
If you do have to comply with CCPA, the good news is that you still have time to get ready. The law goes into effect January 1, 2020. Your first step should be to consult legal counsel on what you must do to comply. CCPA is complicated, it is still being amended, and regulations under CCPA have not yet been published. Creating an inventory of the California consumer personal information you collect, disclose, or sell will help you form a strong foundation for your compliance program development.
The process of determining whether CCPA applies to your physical therapy practice is complex. If you have any questions about whether you must comply, whether your service delivery qualifies as doing business in California, or whether you are collecting personal information, I’d strongly recommend consulting legal counsel. Here’s a link to the law itself, one to a short webinar, and one to a longer webinar to help you educate yourself.
Before I sign off, here’s my legal disclaimer: I am an attorney, but I’m not your attorney. The purpose of this blog post is to provide legal information, but it does not constitute legal advice. To determine how and whether CCPA applies to your specific practice, you should consult with an attorney; you should not rely solely on this information.