Beyond HIPAA: How the health insurance industry needs to change their approach to data privacy in light of the CCPA and other incoming data regulations

US healthcare insurers have been operating under the auspices of the Health Insurance Portability and Accountability Act (HIPAA) since it was signed into law in 1996.

A lot of hard work has gone into HIPAA compliance, but the data privacy problem has only grown larger. Approximately 143 million patient health records are thought to have been compromised in HIPAA breaches since 2009. That, combined with the recent wave of high-profile personal data breaches – across several industries – has ignited international and national concern about improper use of personal data.

In May 2018, the EU adopted the General Data Protection Regulation (GDPR), a first-of-its-kind law that enforces greater protection of EU citizens' personal data by requiring specific data collection, protection and breach processes and protocols, such as the right for consumers to opt out and have their records erased.

Following GDPR, some US states and cities have enacted domestic protections. California established the Consumer Privacy Act, which goes into effect January 1, 2020, while New York has proposed the SHIELD Act and the City of Chicago has also proposed a data privacy ordinance. More recently, several of the largest technology firms have lobbied Congress to introduce federal legislation to standardize this oncoming rush of state and local laws.

So, why should payers care about the California Consumer Privacy Act (CCPA)?

CCPA applies to for-profit businesses that do business in the state of California and collect and process California residents’ personal information. Other qualifications include:

  • Annual gross revenues in excess of $25 million; or
  • Receiving or disclosing the personal information of 50,000 or more CA residents, households or devices on an annual basis; or
  • Deriving 50 percent or more of their annual revenues from selling CA residents' personal information.

While this means that non-profit care providers are not subject to CCPA, for-profit payers will need to figure out which personal data is regulated by which regulation. This raises the question: when do potential CCPA-covered customers become HIPAA-covered patients? Though the specifics of CCPA are yet to be defined, it is our feeling that the best approach is to adhere to the spirit of the law rather than the letter.

Our work on over 50 privacy projects in the last year (largely helping global organizations respond to GDPR) has taught us that early preparation is vital because incoming legislation is not without teeth. Much like GDPR, CCPA introduces fines for violations in regard to large data breaches or poor responsiveness to customer data requests. Companies should consider these important steps:

  • Understand what data you control and process within your organization. Developing and maintaining an inventory of personal data becomes an implicit requirement of the CCPA. The inventory will serve as the source of record to facilitate the current and future data privacy regulatory compliance. Don’t forget to inventory data which is processed on your behalf by third parties. Consider longer term efforts to separate CCPA data from HIPAA data.
  • Clarify which regulations apply to you. For example, do you hold personal data on residents of Europe or in the states that you do business in? Do you qualify for an exemption from CCPA? Do you handle personal data beyond Protected Health Information? Do you have a revenue stream from marketing data to other business partners?
  • Define your future interactions with your customer. Determine the basis and means of asking and gaining permission to collect the data. Prepare to allow customers to exercise their new rights like opt-out and data reporting.
  • Review data retention policies and procedures. Holding onto personal data longer than required is an increasingly contentious topic and presents an organizational risk. Ensure you have robust data retention policies in place, that they are being followed by your staff, and that they are supported by reportable metrics.
  • Assess your breach processes. Consider the differences between HIPAA data breach processes and the new CCPA legislation requirements. There are differences – ensure you are applying the right response according to the most appropriate data environment. For example, has your staff been properly made aware of these new regulations and trained on them?

Although existing HIPAA regulations may add some complexity when understanding what changes are required, health insurers and their affiliates are at some advantage in having a data privacy-oriented culture already embedded in their organizations. We know from experience that leveraging this mindset to adopt broader comprehensive data privacy policies and programs that go beyond tactical responses to point legislation is the best approach to take.

With less than 12 months to address all the implications of CCPA, an increasing number of business partners and other stakeholders will seek assurances or establish a legal right to audit in contracts to ensure that your company's data privacy processes are effective in reducing operating risk. Your reputation is increasingly going to be measured on how well you protect personal information. Now is the time to be prepared.

Ken Lewis is an IT transformation expert at PA Consulting. Jennifer Fuller is a healthcare expert at PA Consulting.

Copyright © 2023 Becker's Healthcare. All Rights Reserved.