California Laws Go Above and Beyond HIPAA: Are You Compliant?

Darina Borushko
Digital Content Manager
January 8, 2020

California has a well-earned reputation for being on the cutting edge. Of style, technology, environment, legal trends… a lot of important ideas sprouted and took root in the Golden State. A new law that went into effect on January 1, 2020, could be the Next Big Thing.

The California Consumer Privacy Act (CCPA) is an answer to a question that has only grown since the dawn of the Social Media Age: What do these companies know about me, and what are they doing with that information? 

The law gives consumers the right to opt out of the sale of their personal information, and requires opt-in consent before selling the data of consumers under 16, where "sale" includes transferring data to a third party in exchange for anything of value. It applies to any for-profit business that does business in California and meets at least one threshold: gross annual revenue of $25 million or more; buying, selling, or receiving the personal information of 50,000 or more consumers, households, or devices; or deriving 50% or more of its revenue from selling consumers' personal information. The penalties can be steep: up to $2,500 per unintentional violation and up to $7,500 per intentional violation, and these accrue per consumer affected.

The CCPA pairs with the California Confidentiality of Medical Information Act (CMIA), which was expanded in 2013 to cover businesses that offer software or hardware, including mobile apps, designed to collect or maintain medical information, and which prohibits disclosing or selling that information without the individual's authorization. Together, these laws extend patient-data protection beyond what HIPAA requires.

California companies aren’t the only ones that should be concerned

Though CCPA and CMIA are California laws, they are not limited to California companies. Any company whose business in California meets the thresholds of the law is subject to it, no matter where it is based. And since roughly one in ten Americans lives in California, a health care business covered by HIPAA has a good chance of also being covered by CCPA and CMIA.

What does this mean for the health care company and its network security?

For the health care company that is fastidious about protecting patient data under HIPAA, regularly assessing its compliance, updating its policies and procedures as the law changes, and training staff in established industry best practices, CCPA and CMIA will probably be incidental and add little new burden.

But for that large number of companies that are not HIPAA compliant (HHS regulators found violations in 70% of complaints they investigated through November 2019), this is another set of pitfalls ready to trap the unwary.

Vigilance is the only protection against pitfalls

What can be done to avoid them?

The best plan is a regular routine of review, assessment, and revision of policies and practices, combined with close monitoring of developments in security technology. The HIPAA Security Rule requires "reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI." What was reasonable last year may not be reasonable today: both the threats and the defenses against them change constantly, and an attack that was unimaginable a year ago may now be routine.

Any company without a fully committed, well-trained IT security team is well advised to seek outside guidance from consultants who specialize in current best practices, policies, and technology for health care data security. A thorough assessment by fresh eyes trained to spot weaknesses in your defenses will show you where you are vulnerable and where you need help, so that you can close those gaps before attackers or government investigators find them and turn them into real problems.

Elinext teams provide a range of development services to companies representing the healthcare industry. Software solutions we deliver are HIPAA compliant, improve patient outcomes, and secure PHI. If you have any questions, contact us any time.
