How State General Privacy Laws Apply to Healthcare Providers
With 2023 underway, healthcare providers have a more complex patchwork of privacy laws than ever before to navigate. Five states have enacted general privacy laws: California, Colorado, Connecticut, Utah, and Virginia. These laws include varying exemptions for protected health information (PHI), HIPAA de-identified information, healthcare providers, HIPAA covered entities, HIPAA business associates, and non-profits.
While all of the laws exempt PHI, healthcare providers may have obligations under these laws with respect to other personal information, such as employee information or website data.
To help healthcare providers navigate these laws, we have put together the following table:
|
|
California Consumer Privacy Act (CCPA) |
Colorado Privacy Act |
Connecticut Data Privacy Act |
Utah Consumer Privacy Act |
Virginia Consumer Data Protection Act |
|
Exempts PHI in the hands of a covered entity or business associate |
|||||
|
Exempts HIPAA-covered entities completely (not limited to PHI) |
No (but does exempt patient information maintained by a covered entity in the same manner as PHI, Cal. Civ. Code § 1798.146(a)(2)) |
No (but does exempt information maintained by a covered entity in the same manner as PHI, Colo. Rev. Stat. § 6-1-1304(2)(g)) |
|||
|
Exempts Non-Profits |
Yes (except for a non-profit that controls or is controlled by a business, as defined in Cal. Civ. § 1798.140(d)(1), and that shares common branding with the business and with whom the business shares consumers' personal information, see Cal. Civ. § 1798.140(d)(2)) |
No |
|||
|
Applies to employee information |
Yes |
No (definition of "consumer" at Colo. Rev. Stat. § 6-1-1303(6)(b)) |
No (definition of "consumer" at Conn. Pub. Act 22-15 § 1(7)) |
No (definition of "consumer" at Utah Code Ann. § 13-61-101(10)(b)) |
No (definition of "consumer" at Va. Code Ann. § 59.1-575) |
|
Excludes HIPAA de-identified information derived from PHI |
Yes (Cal. Civ. Code § 1798.146(a)(4)), except places contracting restrictions on sale or license of HIPAA de-identified information, which applies to non-profits (Cal. Civ. Code § 1798.148(c)) |
||||
|
Applicability threshold* |
A for-profit that does business in California with $25 million in gross revenue in the preceding year (not limited to California revenue) or that buys, sells, or shares the personal information of 100,000 or more California residents or their households; or a non-profit that controls or is controlled by such a for-profit and shares common branding. (Cal. Civ. § 1798.140(d)) |
Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and (1) controls or processes the personal data of 100,000 or more Colorado residents during a calendar year; or (2) derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 or more Colorado residents. (Colo. Rev. Stat. § 6-1-1304(1)) |
Conducts business in Connecticut or produces products or services that are targeted to Connecticut residents and during the preceding calendar year controlled or processed the personal data of 100,000 or more Connecticut residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. (Conn. Pub. Act 22-15 § 2) |
Conducts business in Utah or produces a product or service that is targeted to Utah residents, has annual revenue of $25 million or more (not limited to Utah revenue), and during a calendar year controls or processes personal data of 100,000 or more Utah residents. (Utah Code Ann. § 13-61-102(1)) |
Conducts business in Virginia or produces products or services that are targeted to residents of Virginia and during a calendar year controls or processes personal data of at least 100,000 Virginia residents. (Va. Code Ann. § 59.1-576(a)) |
* For purposes of the applicability threshold, we are assuming that healthcare providers do not derive 25% or more of their annual revenues from selling or sharing consumers' personal information.
Takeaways
Some takeaways based on the above:
- Healthcare providers that are HIPAA covered entities appear to be completely exempt from the Connecticut, Utah, and Virginia general privacy laws.
- For-profit healthcare providers should evaluate whether they meet CCPA's applicability threshold and, if so, should comply with the CCPA with respect to: (1) personal information collected from their websites that is not PHI; and (2) employee information.
- Nonprofit healthcare providers should evaluate whether they share common branding with a for-profit affiliate that meets CCPA's applicability threshold and, if so, should comply with the CCPA with respect to: (1) personal information collected from their websites that is not PHI; and (2) employee information.
- Healthcare providers (regardless of tax exemption status) should: (1) evaluate whether they meet the Colorado law's applicability threshold and, if so, should comply with the Colorado Privacy Act with respect to personal information collected from their websites that is not PHI; and (2) evaluate whether they sell or license HIPAA de-identified information and, if so, whether they must comply with CCPA's contractual restrictions with respect to such data.
If you would like assistance with determining applicability of state privacy laws or complying with such laws, you may contact the author or the DWT attorney with whom you work.