This information is not a legal interpretation of the law and is not binding on the Office for Civil Rights of the U.S. Department of Health and Human Services. This information is not intended to nor should it ever replace formal legal counsel.
As you may have heard, the California Consumer Privacy Act (CCPA) went into effect in 2020. This guide goes through some of the most common questions we’ve received regarding the CCPA and how it relates to Jane.
You can read the full version of the CCPA here: California Consumer Privacy Act
Is Jane CCPA compliant?
When it comes to the CCPA, it does not apply to Protected Health Information (PHI). Why? Because PHI is already covered under HIPAA, and CCPA Section 1798.145(c)(1)(A) clearly states that the CCPA will not apply to
protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services…
What does this mean for Jane?
It means that the CCPA does not apply to clinics or patients using Jane to store and process PHI, because as a business associate complying with HIPAA, Jane is already subject to HIPAA. It’s also worth noting that, as stipulated in our privacy policy, Jane does not sell or trade any personal information.
Does this mean that as a clinic owner or practitioner, I’m exempt from complying with CCPA?
Not necessarily, although it gets a bit complicated. There are two deciding factors when it comes to your compliance with the CCPA:
- Whether you are considered a “business” under the CCPA.
- Whether you are collecting personal information that does not constitute PHI.
What constitutes a “business”?
You are a “business” under the CCPA if you meet all of the following qualifications:
- You are operating a for-profit business;
- You do business in California;
- You collect the personal information of California consumers and determine the purposes and means of processing that information; and
Your business satisfies at least one of the three thresholds:
- Annual gross revenue of more than $25 million.
- Collect personal information from over 50,000 consumers, households, or devices annually.
- Make more than half of your annual revenue from selling personal information.
If you meet the criteria and you are collecting personal information (more detail on this down below) then you may have obligations under the CCPA.
What is considered personal information?
Personal information, as defined by the CCPA, is:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
So what’s the difference between personal information and PHI? PHI is individually identifiable health information that is created, received, maintained or transmitted by a covered entity (such as yourself) or a business associate (Jane). Personal information, on the other hand, is the broader category of information about a consumer or household that is not collected as part of providing care. Here are a few examples of data that does not constitute PHI:
- Personal information collected through referrals that is used for targeted marketing activities.
- Personal information collected through business websites (NOT including Jane).
These are only a few examples of data that would fall under the CCPA. If you are collecting information like this and you are considered a business under the CCPA as described above, it’s possible that your business would need to comply with the CCPA. If at this point you’re still wondering whether the CCPA applies to you, now would be a good time to consult your own legal counsel or regulating body!
Still Have Questions?
Have any questions about this guide or anything else related to privacy? Feel free to email Privacy and Security Support at [email protected] and we’d be happy to clarify anything you’re unsure about!