CPRA is in Effect: What Health and Life Sciences Entities Need to Know
The long-awaited January 1, 2023 effective date of the California Privacy Rights Act (CPRA) has arrived and can no longer be ignored or dismissed. Many health care entities are aware of the Health Insurance Portability and Accountability Act (HIPAA)- and health information-related exceptions to CPRA's predecessor, the California Consumer Privacy Act (CCPA). However, CPRA, which amends and extends CCPA, eliminates CCPA's exemptions for employee and business-to-business data. This is a shift in U.S. privacy law, and health and life sciences entities that were previously exempt from CCPA's requirements may now need to take compliance steps under CPRA.
As a reminder, CCPA became effective on January 1, 2020, increasing consumers’ control of how personal information is collected, used and shared by companies. CPRA, passed in 2020 and effective as of January 1, 2023, amends CCPA, expanding consumer rights and removing the previous exemptions for employee and business-related personal data, effectively adding significant requirements for businesses handling employee and business-related personal data.
CCPA exemptions exist related to certain consumer health care data and certain types of health care entities, including:
- “Medical information” governed by California’s Confidentiality of Medical Information Act (CMIA) and “protected health information” (PHI) collected by a HIPAA covered entity or business associate.
- Providers of health care governed by CMIA or HIPAA covered entities to the extent the entities maintain patient information in the same manner as CMIA and HIPAA (note: this exemption does not explicitly include “business associates” under HIPAA).
In addition to the health care-specific exceptions, CCPA previously exempted employee and business-related personal data held by an entity subject to CCPA. Specifically, CCPA did not extend certain consumer rights to employees and individuals acting in a business capacity. With the variety of exemptions and limitations in scope, many health and life sciences entities could avoid most CCPA compliance obligations.
New Considerations under CPRA
With the arrival of CPRA on January 1, 2023, the compliance landscape for health and life sciences entities has changed. While exemptions for CMIA and HIPAA-regulated data still exist under CPRA, the exemptions for processing employee and business-related personal data (including medical staff data) have been eliminated.
For entities subject to CCPA, all employers – even those whose health care data is exempt – must comply with CPRA requirements with respect to employee and business-related personal data, including posting policies and notices and offering certain rights to data subjects. CPRA includes a number of requirements for employee data, including:
- Employers must provide employees and job applicants with a privacy notice prior to collecting personal information. The notice must include: a list of employee/applicant rights regarding their data, disclosures of third parties collecting the employee/applicant data, and any collection and use of sensitive personal information (including social security number, racial or ethnic origin, union affiliation or biometric information);
- Employers must review and respond to employee/applicant requests, including requests to delete, know, correct and access their data, as well as permit employees and applicants to opt out of the sale and sharing of personal information; and
- Employers must limit the use and disclosure of sensitive information collected regarding employees and job applicants.
As of January 1, 2023, these same rights must be extended to data collected in a business-to-business ("B2B") context, such as company contact and lead information. Entities subject to CPRA must offer a privacy notice prior to collecting B2B information and offer individuals whose data is collected in a B2B setting certain rights regarding their data.
In addition, CPRA requires businesses to include specific provisions in contracts with third-party vendors that process personal information on the business's behalf. Because the employee and business-related data exemptions are gone, this contracting requirement now extends to vendors that process employee data, applicant data, contractor data, medical staff member data and other business-related personal data. These vendor agreements must include specific terms governing the vendor's processing and management of such data.
CPRA's January 1, 2023 effective date marks a shift in U.S. privacy law: statutory privacy rights now extend to employees and to individuals acting in a business capacity. Health and life sciences entities that have relied on CCPA exemptions should (1) review how employee, applicant, medical staff, contractor and B2B contact data is collected and processed; (2) update vendor contracts to include the CPRA-required terms for processing such personal information; (3) create and post an employee privacy notice; and (4) create a privacy notice for data collected in a B2B context. CPRA enforcement begins July 1, 2023, which gives health and life sciences entities some breathing space to work through their compliance obligations and avoid costly enforcement.
For more information regarding CCPA, CPRA, or other data privacy and security related questions in the health care industry, contact your Quarles & Brady attorney or:
- Meghan O’Connor: (414) 277-5423 / firstname.lastname@example.org
- Heather Buchta: (602) 229-5228 / email@example.com
- Rachel Weiss: (414) 277-5829 / firstname.lastname@example.org
- Kaitlyn Fydenkevez: (202) 780-2642 / email@example.com