I’m sure by now you’ve heard a rumor that California has enacted the most impactful privacy rule in the nation. Maybe you also heard that California’s privacy rule applies to California residents—and that it does not apply to medical information. And perhaps you’ve wondered if the rule applies to your practice, but you haven’t had time to look into it. Lucky for you, WebPT has created this handy FAQ to educate you about the California Consumer Privacy Act (CCPA) and point you in the direction of additional resources as you assess CCPA’s impact on your practice.  


Does my physical therapy practice have to comply with CCPA?

Your physical therapy practice probably has to comply with CCPA if all of the following apply to you:

  • you are operating a for-profit business;
  • you do business in California;
  • you collect the personal information of California consumers for the purposes and means of processing that information; and
  • your business satisfies one or more of the following thresholds:
    1. Has annual gross revenue of more than $25 million.
    2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
    3. Derives 50 percent or more of its annual revenues from selling consumer information. 

You must also comply with CCPA if you control, or are controlled by, an entity that meets the above criteria, and you share common branding with that entity. Check out this privacy law blog if you are interested in researching any of these requirements further.  

A couple of important points to mention here:

  1. Businesses can take the form of sole proprietorships, LLCs, or corporations.
  2. While “doing business in the state of California” is not defined in the CCPA, you can be doing business in California even if you are not physically present in the state. For example, if you are selling continuing education products, conference registrations, or therapy materials to California residents, then your sales may be considered “doing business in the state of California.” So, determining whether you are doing business in California can require a complicated legal analysis, and you should consult legal counsel if you have questions.

Who is protected by CCPA?

A “consumer” is a California resident, whether he or she is living in the state or is temporarily outside of the state. Currently, CCPA also applies to the personal information of employees, job applicants, and contractors, although the California legislature is seeking to amend the law to exclude these individuals. A recent amendment did exempt employees from some of the rights offered by the CCPA until January 1, 2021—although employees still have a right to know what personal information the employer is collecting about them and how the employer is using it.

I heard that protected health information (PHI) is excluded from CCPA. I am only collecting PHI, so do I still have to comply with CCPA?

It depends. It is true that CCPA does not apply to PHI, which is covered by HIPAA. However, if you are collecting personal information as leads (for the purpose of nurturing new patient referrals via targeted marketing activities, for example), this information may not be considered PHI. Lead information is personal information associated with soon-to-be patients (you hope), so if those individuals are also California residents, CCPA requirements may apply.

What is personal information? Is it the same as PHI?

Personal information is the subject of the CCPA, and its scope is much broader than PHI’s. Personal information includes any information about an individual that could identify or reasonably be linked to that individual in any way, whether directly or indirectly. It includes the standard data elements for identifying people—such as names and social security numbers—but it can also include data elements that could reasonably be linked to an individual (e.g., biometric information, IP addresses, and account numbers). This New York University School of Law blog lists the 11 categories of personal information and examples of each.

What does it mean to collect and/or sell personal information?

Do you collect personal information about employees for business purposes, such as human resources activities? Are you collecting personal information from potential patients as part of your lead generation marketing program? Do you share personal information with a third party, such as another business? Essentially, if you are collecting, sharing, disclosing, or selling the personal information of a California consumer, it is highly likely that your activities are subject to the CCPA requirements.

I think I may have to comply with CCPA. What does the law require?

Essentially, CCPA requires businesses that collect, disclose, or sell the personal information of California consumers to:

  • be transparent about how they are using the data,
  • hand over the data to the owner of the data upon the owner’s request,
  • delete the data upon the owner’s request, and
  • allow the consumer a right to opt out of the sale or collection of his or her personal information.

This American Bar Association blog breaks down each of the CCPA consumer rights.

If you do have to comply with CCPA, the good news is that you still have time to get ready. The law goes into effect January 1, 2020. Your first step should be to consult legal counsel on what you must do to comply. CCPA is complicated, it is still being amended, and regulations under CCPA have not yet been published. Creating an inventory of the California consumer personal information you collect, disclose, or sell will help you form a strong foundation for your compliance program development.  


The process of determining whether CCPA applies to your physical therapy practice is complex. If you have any questions about whether you must comply, whether your service delivery qualifies as doing business in California, or whether you are collecting personal information, I’d strongly recommend consulting legal counsel. Here’s a link to the law itself, one to a short webinar, and one to a longer webinar to help you educate yourself.

Before I sign off, here’s my legal disclaimer: I am an attorney, but I’m not your attorney. The purpose of this blog post is to provide legal information, but it does not constitute legal advice. To determine how and whether CCPA applies to your specific practice, you should consult with an attorney; you should not rely solely on this information.
