The healthcare industry is among the most highly regulated industries when it comes to privacy protections. In addition to the federal Health Insurance Portability and Accountability Act (HIPAA), healthcare providers also must comply with a growing number of state laws governing data privacy and security. Fully complying with this patchwork of privacy protections is a complex task because these laws often classify different kinds of personal information as “protected information” and impose varying security and reporting requirements.

For example, HIPAA protects certain “individually identifiable health information,” often referred to as “protected health information” or PHI. HIPAA requires covered entities to adopt and implement a plethora of policies and technical safeguards to protect PHI. The California Consumer Privacy Act (CCPA), a relatively new law, protects consumers regarding the collection, use, processing, deletion, sale, and security of personal information, among other things, and also imposes obligations on businesses regarding the same. Healthcare providers who are HIPAA covered entities are exempt from the CCPA with respect to protected health information. However, HIPAA covered entities are not exempt when functioning as an employer with respect to the personal information of their employees who reside in California and therefore must comply with the CCPA to the extent it applies to them as employers.

With the growing number of state laws governing privacy protection, healthcare organizations must be sure their compliance efforts consider state law in addition to HIPAA. Meshing these obligations into one cohesive privacy protection system can be complicated. (See Personal Information, Private Information, Personally Identifiable Information…What’s the Difference?). A recent article by our Jackson Lewis Privacy, Data and Cybersecurity practice group addresses these issues. The article breaks down some factors that may trigger business obligations related to personal information and applies such considerations to the healthcare industry. These factors include but are not limited to industry, business location, categories of customers, types of equipment used, specific services provided, marketing and promotion methods, the categories of information collected, and employment practices. The article also provides some examples of laws that may be triggered (although it is not exhaustive).

So, what is the takeaway? Healthcare organizations should regularly evaluate their compliance efforts around the protection of personal information. This starts with understanding the state and federal laws applicable to their business. From there, healthcare organizations must work to establish and implement policies and safeguards that meet their obligations under each of the applicable laws. Failing to meet these obligations could expose an organization to potentially significant liability and reputational harm. To ensure compliance, healthcare organizations should, at minimum, consider doing the following:

  • Implement comprehensive data safeguards;
  • Conduct cybersecurity assessments;
  • Reconsider the types of data collected and the purposes for collection;
  • Determine whether data collected is the minimum necessary to accomplish the intended purpose; and
  • Monitor pending privacy legislation.

Jackson Lewis attorneys in our Privacy, Data and Cybersecurity practice group and Healthcare industry group regularly partner with healthcare providers to ensure they are up-to-date with this rapidly evolving area of law. Please contact your Jackson Lewis attorney if you would like to learn more about these services.

Update:  On May 17, 2024, we clarified our reference to HIPAA covered entities having to comply with HIPAA and the CCPA. HIPAA covered entities are exempt from the CCPA with respect to protected health information but must comply with the CCPA when functioning as an employer with respect to the personal information of their employees who reside in California.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael R. Bertoncini Michael R. Bertoncini

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand…

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand the competing demands and unique challenges faced by in-house counsel. Before joining Jackson Lewis, he was responsible for all labor and employment law matters for the largest fully integrated community care hospital system in New England. Michael provides timely, practical advice that helps clients achieve their strategic goals while ensuring compliance with legal obligations.

With deep experience in a broad range of industries, Michael has a keen interest in the healthcare, higher education, museum, and arts & music sectors. He is dedicated to supporting clients in these areas, leveraging his extensive experience to address the specific challenges faced by institutions and organizations in these fields.

Michael regularly partners with clients to establish positive employee relations. In labor relations matters, he negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Michael’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He reviews and develops policies and procedures, written information security plans and integrated compliance programs to ensure his clients meet their obligations under privacy and data security laws. Michael represents clients in investigations of alleged data breaches and advises them on reporting obligations.. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.