The healthcare industry is among the most highly regulated industries when it comes to privacy protections. In addition to the federal Health Insurance Portability and Accountability Act (HIPAA), healthcare providers also must comply with a growing number of state laws governing data privacy and security. Fully complying with this patchwork of privacy protections is a complex task because these laws often classify different kinds of personal information as “protected information” and impose varying security and reporting requirements.

For example, HIPAA protects certain “individually identifiable health information,” often referred to as “protected health information” or PHI. HIPAA requires covered entities to adopt and implement a plethora of policies and technical safeguards to protect PHI. The California Consumer Privacy Act (CCPA), a relatively new law, protects consumers regarding the collection, use, processing, deletion, sale, and security of personal information, among other things, and also imposes obligations on businesses regarding the same. Healthcare providers who are HIPAA covered entities are exempt from the CCPA with respect to protected health information. However, HIPAA covered entities are not exempt when functioning as an employer with respect to the personal information of their employees who reside in California and therefore must comply with the CCPA to the extent it applies to them as employers.

With the growing number of state laws governing privacy protection, healthcare organizations must be sure their compliance efforts consider state law in addition to HIPAA. Meshing these obligations into one cohesive privacy protection system can be complicated. (See Personal Information, Private Information, Personally Identifiable Information…What’s the Difference?). A recent article by our Jackson Lewis Privacy, Data and Cybersecurity practice group addresses these issues. The article breaks down some factors that may trigger business obligations related to personal information and applies such considerations to the healthcare industry. These factors include but are not limited to industry, business location, categories of customers, types of equipment used, specific services provided, marketing and promotion methods, the categories of information collected, and employment practices. The article also provides some examples of laws that may be triggered (although it is not exhaustive).

So, what is the takeaway? Healthcare organizations should regularly evaluate their compliance efforts around the protection of personal information. This starts with understanding the state and federal laws applicable to their business. From there, healthcare organizations must work to establish and implement policies and safeguards that meet their obligations under each of the applicable laws. Failing to meet these obligations could expose an organization to potentially significant liability and reputational harm. To ensure compliance, healthcare organizations should, at minimum, consider doing the following:

  • Implement comprehensive data safeguards;
  • Conduct cybersecurity assessments;
  • Reconsider the types of data collected and the purposes for collection;
  • Determine whether data collected is the minimum necessary to accomplish the intended purpose; and
  • Monitor pending privacy legislation.

Jackson Lewis attorneys in our Privacy, Data and Cybersecurity practice group and Healthcare industry group regularly partner with healthcare providers to ensure they are up-to-date with this rapidly evolving area of law. Please contact your Jackson Lewis attorney if you would like to learn more about these services.

Update:  On May 17, 2024, we clarified our reference to HIPAA covered entities having to comply with HIPAA and the CCPA. HIPAA covered entities are exempt from the CCPA with respect to protected health information but must comply with the CCPA when functioning as an employer with respect to the personal information of their employees who reside in California.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Michael R. Bertoncini Michael R. Bertoncini

Michael R. Bertoncini is a Principal in the Boston, Massachusetts, office of Jackson Lewis P.C. He practices labor and employment law, with a particular emphasis on labor relations, employment law counseling and litigation, and data privacy and security law.

In labor relations matters…

Michael R. Bertoncini is a Principal in the Boston, Massachusetts, office of Jackson Lewis P.C. He practices labor and employment law, with a particular emphasis on labor relations, employment law counseling and litigation, and data privacy and security law.

In labor relations matters, he regularly counsels clients on the practice of positive employee relations, negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Mr. Bertoncini’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He regularly reviews and develops policies and procedures, written information security plans and integrated compliance programs to assist clients in meeting their obligations under privacy and data security laws. Mr. Bertoncini has represented clients in investigations of alleged data breaches and advises them on their reporting obligations in the event of a data breach. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.

Before joining Jackson Lewis, Mr. Bertoncini was Deputy General Counsel for a hospital system that is the largest fully integrated community care organization in New England. He was responsible for all of the system’s labor and employment law matters, and was involved in its acquisition by a private equity firm as well as its growth from six to ten hospitals in a twelve-month period. His three years as in-house counsel for this large health care system give Mr. Bertoncini a keen understanding of the impact of labor and employment law issues on clients’ business operations.

In addition to his labor relations and privacy experience, Mr. Bertoncini has extensive experience in conducting internal investigations and counseling clients on whistleblower and retaliation matters, as well as negotiating executive agreements, both employment and separation agreements. Mr. Bertoncini also represents clients in the litigation of employment matters. His litigation experience includes matters before federal and state courts and administrative agencies. He has appeared before United States Courts of Appeals and District Courts, Massachusetts and New York state courts, the Equal Employment Opportunity Commission, and the Massachusetts Commission Against Discrimination.

Mr. Bertoncini is a frequent speaker and trainer on labor and employment law topics for various organizations including Massachusetts Continuing Legal Education, Council on Education in Management, Lorman Education Services, the Boston Bar Association, and several chambers of commerce.

While attending Boston College, he received the John A. McCarthy, SJ Award for the most distinguished Scholar of the College thesis.