The implications of the California Consumer Privacy Act (CCPA) on healthcare organizations: Lessons learned from early compliance experiences

Objective: In 2018, California legislators passed the California Consumer Privacy Act (CCPA), a digital privacy regulation conferring consumers more control over their online personal information. CCPA is a significant regulation overseeing technology companies’ data collection and usage practices in the United States. This article analyzes CCPA and its implications on healthcare organizations. We elaborate on the compliance challenges that have emerged due to the interplay of the CCPA with the Health Insurance Portability and Accountability Act (HIPAA) from legal and technical/operational perspectives. Methods: Qualitative methods comprising semi-structured expert interviews, qualitative data coding, and analysis were used to explore the perceptions of the practitioners on various dimensions of the policy and to obtain insights from the field. Results: Our findings indicated that California's healthcare organizations faced several legal and technological challenges in complying with CCPA. A lack of regulatory clarity and a low likelihood of enforcement emerged as two major themes of legal concern. Poor data discovery and inventory processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high cost of compliance emerged as significant technological hurdles to CCPA compliance. Conclusions: Despite considerable ambiguity around the scope and jurisdiction of CCPA in the healthcare sector, healthcare organizations may be subject to CCPA, primarily when they collect personally identifiable information that is not protected health information. Such organizations may need to comply with both regulations. Furthermore, it is in their best interest to develop compliance plans proactively rather than being caught in the quandary of last-minute implementation or expensive litigation.