CCPA: Who in Healthcare Must Comply?
Attorney Anne Kimbol of HITRUST on California Consumer Privacy Act Considerations
Healthcare organizations need to carefully assess whether data they hold falls under the scope of the California Consumer Privacy Act, says attorney Anne Kimbol, assistant general counsel of HITRUST, especially now that the regulation's Jan. 1 compliance deadline has hit.
For-profit healthcare organizations that handle certain data of California residents potentially must comply, Kimbol explains in an interview with Information Security Media Group. CCPA covers personal information other than what is defined as protected health information under HIPAA, she explains.
"If you're a for-profit entity, do business in California, and you either make more than $25 million a year, get 50 percent or more of revenue from data sales ... sell or disclose information on more than 50,000 consumers, devices or households - or are 50 percent controlled by a business that meets that definition - CCPA will apply to you," she says. "So larger for-profit healthcare providers will have to look at this no matter where in the U.S. they are."
In the interview, Kimbol also discusses:
- Suggestions for healthcare organizations vetting the security risks posed by third-party vendors;
- Considerations related to the National Institute of Standards and Technology's recently issued draft privacy framework;
- Recent additions to HITRUST's Common Security Framework to help address compliance with CCPA.
Kimbol is assistant general counsel and chief privacy officer of HITRUST, formerly called the Health Information Trust Alliance. It's best known for its framework designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information. She was previously general counsel at the Texas Health Services Authority, which oversees the implementation and facilitation of secure electronic health information exchange.