US healthcare insurers have been operating under the auspices of the Health Insurance Portability and Accountability Act (HIPAA) since it was signed into law in 1996. A lot of hard work has gone into HIPAA compliance, but the data privacy problem has only grown. Approximately 143 million patient health records are thought to have been compromised in HIPAA breaches since 2009. That, combined with the recent wave of high-profile personal data breaches – across several industries – has ignited international and national concern about improper use of personal data.
In May 2018, the EU adopted the General Data Protection Regulation (GDPR), a first-of-its-kind law that enforces greater protection of EU citizens' personal data by requiring specific data collection, protection and breach processes and protocols, such as the right for consumers to opt out and have their records erased.
Following GDPR, some US States and cities have enacted domestic protections. California established the Consumer Privacy Act, which goes into effect January 1, 2020, while New York has proposed the SHIELD Act and the City of Chicago has also proposed a data privacy ordinance. More recently, several of the largest technology firms have lobbied Congress to introduce federal legislation to standardize this oncoming rush of state and local laws.
So, why should payers care about the California Consumer Privacy Act (CCPA)?
CCPA applies to for-profit businesses that do business in the state of California and collect and process California residents’ personal information. Other qualifications include:
While this means that non-profit care providers are not subject to CCPA, for-profit payers will need to figure out which personal data is regulated by which regulation. This raises the question: when do potential CCPA-covered customers become HIPAA-covered patients? Though the specifics of CCPA are yet to be defined, it is our feeling that the best approach is to adhere to the spirit of the law rather than the letter.
Our work on over 50 privacy projects in the last year (largely helping global organizations respond to GDPR) has taught us that early preparation is vital because incoming legislation is not without teeth. Much like GDPR, CCPA introduces fines for violations in regard to large data breaches or poor responsiveness to customer data requests. Companies should consider these important steps:
Although existing HIPAA regulations may add some complexity when working out what changes are required, health insurers and their affiliates have some advantage in already having a data privacy-oriented culture embedded in their organizations. We know from experience that leveraging this mindset to adopt broader, comprehensive data privacy policies and programs that go beyond tactical responses to individual pieces of legislation is the best approach to take.
With less than 12 months to address all the implications of CCPA, an increasing number of business partners and other stakeholders will seek assurances, or establish a legal right to audit in their contracts, to ensure that your company's data privacy processes are effective in reducing operating risk. Your reputation is increasingly going to be measured on how well you protect personal information. Now is the time to be prepared.
Ken Lewis is an IT transformation expert at PA Consulting. Jennifer Fuller is a healthcare expert at PA Consulting.
A global movement towards increased data privacy is changing the way companies do business. Are you ready for the new era of data privacy?