HIPAA vs CCPA Compliance: What’s the Difference?



The healthcare sector suffered a record number of data breaches in 2021, with an average cost of $9.23 million per incident. In March 2022 alone, 43 data breaches exposed 3,083,988 healthcare records.

Strong privacy and security regulations are essential for handling PHI. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, and the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, adding obligations for healthcare companies operating in California.
In this article, we will explain the difference between HIPAA and CCPA, how to comply with both laws, and the CCPA exemptions that apply to HIPAA-compliant businesses.

Understanding HIPAA Compliance

The fundamental objective of the Health Insurance Portability and Accountability Act (HIPAA) is to protect the privacy and security of patient health information, commonly known as Protected Health Information (PHI). HIPAA works alongside other legislation to dictate how covered entities and their business associates should handle PHI.

Key Provisions of HIPAA

Here, we break down the primary rules and considerations of HIPAA:

Privacy Rule: This rule emphasizes the protection of the privacy of an individual’s health information. It defines the standards for using and disclosing PHI by covered entities.

Security Rule: This aspect deals with setting the standards for safeguarding electronic PHI, detailing the administrative, physical, and technical safeguards organizations must employ.

Enforcement Rule: Sets out the penalties for HIPAA violations and the procedures for compliance investigations.

Minimum Necessary Rule: Part of the Privacy Rule; it requires that, whenever PHI is used or disclosed, only the minimum information necessary to accomplish the intended purpose is involved.

HIPAA applies to all stakeholders in the healthcare industry, from healthcare facilities and hospitals to IoMT equipment suppliers and third-party data management companies.

Role of a HIPAA Compliance Officer

A HIPAA compliance officer ensures all of the HIPAA rules are followed, manages system implementations, and educates staff on what’s required. Keeping HIPAA privacy and security standards in check is essential for every organization.

Understanding CCPA Compliance

The California Consumer Privacy Act (CCPA) is a law that enhances privacy rights and consumer protection for Californians. It took effect in 2020, establishing a new privacy framework for controlling and processing personal data and marking a major milestone for data privacy law in the US.

CCPA and Its Interplay with HIPAA

When comparing HIPAA and CCPA, it’s important to note that while CCPA offers broad consumer data protections, it also grants HIPAA-compliant businesses certain exemptions, allowing a coordinated approach to protecting the different types of personal data handled in healthcare.
Businesses that meet at least one of these thresholds must abide by CCPA guidelines:
1. Gross revenue of $25 million or more
2. Collecting, buying, or selling the personal data of more than 50,000 people
3. Deriving more than half of their income from selling personal data

Key Provisions of CCPA

Here is a CCPA compliance checklist to help you understand the crucial provisions of CCPA:

Consumer Rights to Access: Individuals have the right to request that businesses disclose the categories and specific pieces of personal information collected about them.

Consumer Rights to Deletion: Consumers can ask businesses to delete their personal information, with certain exceptions.

Consumer Rights to Opt-Out: Consumers have the right to opt out of personal information sales by a business.

Data Protection Laws: CCPA ensures stricter data protection laws compared to HIPAA, imposing greater responsibility on businesses regarding non-PHI data.

According to the CCPA, companies must:

Ensure Non-discrimination: They cannot discriminate against consumers who choose to exercise their rights under the CCPA.

Include a “Do Not Sell My Personal Information” Link: Companies are required to place this link on their homepage to allow users to opt out of the sale of their personal information.

Respect Withdrawal of Consent: After a consumer has withdrawn their consent, the company must refrain from asking to sell or disclose the consumer’s data for a period of 12 months.

Protect Children’s Privacy: Companies must establish a process to obtain consent from parents or guardians before using the data of children below 13 years of age.

Health Data Exclusions Under CCPA

While HIPAA generally covers health information in the medical field, CCPA also exempts certain data, like information collected during clinical trials, which is governed by separate rules.

HIPAA and CCPA: How They Work Together

There is some overlap between HIPAA and CCPA when it comes to protecting personal data. For instance, even if certain organizations follow HIPAA guidelines, they may still fall under the CCPA. Here’s how:

Data from Outside Healthcare: Some organizations, while following HIPAA, might collect information that isn’t strictly about health, such as where their employees are located based on mobile geolocation data. This isn’t health-related data (or “Protected Health Information” under HIPAA), but it is still considered “personal information” by the CCPA. For example, a hospital tracking staff locations through an app must comply with the CCPA for that specific data.

Anonymized Health Data: Sometimes, health data is stripped of personal details, making it “de-identified.” While HIPAA doesn’t consider this as personal data, CCPA might. So, even if names are removed from health records, the data might still fall under CCPA rules.

Guesswork from Health Data: Consider CCPA as having a broad net, catching even guesses or “inferences” from our health information. If a system guesses you love running because of your health data and starts showing you ads for running shoes, that guessed information falls under CCPA protection. It’s like piecing together a puzzle about someone’s hobbies from their health habits, and CCPA ensures those puzzle pieces are protected.

In short, just because an organization is HIPAA compliant doesn’t mean it’s CCPA compliant. Organizations must take steps to manage and protect consumer data in accordance with the CCPA. Third-party vendors they work with must also be CCPA compliant.

How does CCPA affect HIPAA-compliant businesses?

Imagine a busy health clinic in sunny Los Angeles. Their files are packed with patient records, treatment histories, and digital data trails from online appointments. You can trust them to keep your health information confidential because they’re HIPAA-compliant. However, now that CCPA is in place, it gets a little more complicated.
To understand the interplay between HIPAA and CCPA, think of CCPA as a parent who wants to know everything about their child: under the CCPA, businesses have to disclose what personal information they collect and how they use it. The same LA clinic might also store data about a patient’s web inquiries in its CCPA-compliant software. This isn’t health data, but it is personal information all the same.
Here is where things get interesting: HIPAA focuses specifically on protecting medical data, while the CCPA covers a wider range of personal information. Even though CCPA focuses on giving consumers control over their personal data, it recognizes HIPAA’s established rules for managing medical records. Hence, it carves out an exemption: if a business handles patient data in line with HIPAA (think of the clinic’s secure patient files), it’s in the clear with CCPA for that data.
However, what about the clinic’s website data or a survey it conducted? This is where the HIPAA minimum necessary rule comes into play: collecting only essential data keeps the CCPA overlap to a minimum.
Now consider the role of a HIPAA compliance officer at the same clinic. A HIPAA compliance officer ensures patient records are kept under tight lock, but now, they also have to keep an eye on other data types, using a CCPA compliance checklist to ensure nothing slips through the cracks.
While CCPA and HIPAA operate in adjacent lanes, they sometimes cross paths, so healthcare businesses in particular have to be vigilant to stay compliant. It isn’t enough to follow the rules; you have to maintain the trust that patients and consumers have placed in you.
Managing the interaction between these new requirements and existing obligations under HIPAA, California’s Confidentiality of Medical Information Act (CMIA), and other healthcare privacy policy laws will continue to be a major concern of the healthcare cybersecurity and data privacy community for years to come.

HIPAA Exemptions in CCPA

Here’s what you need to know about the HIPAA exemptions in CCPA:

HIPAA: A federal privacy law that keeps your health information safe.

CCPA: A California law that protects your personal information.

HIPAA-Compliant Healthcare Organizations and CCPA:
If you are a healthcare provider following HIPAA rules, here is the good news:
You’re largely exempt: Your patients’ confidential medical details don’t fall under CCPA. You continue to follow HIPAA rules as usual.

Clinical trials are exempt: If you conduct a clinical study, the data collected is not under CCPA but follows other guidelines that ensure safety and confidentiality.

Example: Think of a hospital handling a patient’s health records. While the hospital follows HIPAA for these records, it doesn’t need to double-check CCPA guidelines for the same data.

But Here’s Where You Need to Pay Attention:

Your Website: If your healthcare facility has a website collecting non-medical data (like email addresses), CCPA rules apply. You need to handle this data carefully.

Example: If your hospital’s website has a section where visitors can sign up for newsletters and provide their email and name, this data must follow CCPA rules.

Credit Card Details: If you store payment information, it’s not protected by HIPAA; CCPA guidelines apply here.

Stricter CCPA Guidelines:
In some instances, the CCPA has even stricter rules than HIPAA. For instance:

Project Nightingale: Google accessed many health records without telling patients. While HIPAA allowed this for health advancements, CCPA might say “no,” providing tighter control.

Even if your business is HIPAA compliant, you’ll still want to make sure you’re checking off all the right boxes with the CCPA, especially when it comes to non-medical data.

Legal Risks of CCPA & HIPAA

A company or healthcare entity that fails to adhere strictly to CCPA and HIPAA can face hefty fines and even jail time.

CCPA Penalties

If a company doesn’t follow CCPA rules:

They might be fined between $100 and $750 per consumer per incident.

The fine can be up to $2,500 per unintentional violation.

If a rule is intentionally broken, the fine can rise to $7,500 per violation.

HIPAA Penalties

If an individual doesn’t follow HIPAA rules regarding protected health information (PHI):

Knowingly disclosing PHI can cost up to $50,000 and one year in jail.

Obtaining PHI under false pretenses can result in a fine of up to $100,000 and up to five years in jail.

Selling PHI or using it for other commercial purposes can lead to a fine of up to $250,000 and as much as 10 years in jail.

Final Thoughts

Complying with HIPAA and CCPA is crucial to protecting patient data and avoiding legal issues. It’s more than following rules; it’s about building trust with consumers by safeguarding their information.

Healthcare organizations should prioritize this by embracing transparency and utilizing experts in the field. Get started with MedStack’s HIPAA compliance software, an industry-recognized solution that meets regulatory demands, enhances trust, and fosters a secure healthcare data environment.

Taking care of your digital health isn’t just a choice, it’s a necessity. Get compliant and secure digital healthcare with MedStack.