Healthcare organizations across the country should be keeping an eye on the California Consumer Privacy Act (CCPA), which will go into effect Jan. 1, 2020. Failure to comply with this new rule can result in significant penalties, and it is a mistake to think HIPAA compliance will protect organizations.

Some healthcare companies are incorrectly assuming they are exempt from CCPA compliance because of superseding HIPAA guidelines, says Ryan P. Blaney, JD, partner with Proskauer in Washington, DC.

As providers expand beyond traditional care delivery to focus on digital innovation and, in some cases, venture capital, parts of an organization still could be subject to CCPA and other emerging state-based legislation requirements, Blaney explains. Not knowing one’s exposure could end up costing healthcare organizations millions, he says.

Healthcare organizations based outside California could be subject to the privacy requirements of CCPA if they are doing business in the state, which can be construed broadly, Blaney explains. Compliance with HIPAA does not necessarily mean the organization will be in compliance with CCPA, he says.

“Although there is an exception under CCPA for healthcare companies that fit some criteria, not all healthcare companies will fit within that exception. It is important not to assume that just because you deal in healthcare information, you are going to fall under the healthcare exception to the CCPA,” Blaney says. “There is an analysis that needs to be done to be sure you fall squarely within that exception.”