The California Consumer Privacy Act (CCPA or Act),1 effective January 1, 2020, strengthens consumer privacy rights for California residents by providing them greater control over and transparency into their personal data. The Act contains an exclusion for health information governed by the federal privacy and security rules promulgated by the U.S. Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act (HIPAA).2 It also excludes "medical information" subject to California's health privacy law, the Confidentiality of Medical Information Act (CMIA).3 While these carve-outs are broad, they may not be expansive enough to cover all personal data that entities engaged in health care-related functions regularly collect and process. Indeed, some of these organizations may need to modify their practices to comply with the CCPA. This article discusses the CCPA's core provisions; instances where, despite the exclusions described above, the Act may cover data that health care-related organizations collect; and what steps these entities might take in anticipation of the CCPA.

HIPAA and the CMIA

HIPAA, enacted in 1996, required HHS to create national standards requiring "covered entities," meaning certain health care providers, health plans, and health care clearinghouses, to protect the privacy and security of health information.4 To fulfill its obligation, HHS promulgated the Privacy Rule (effective in 2003) and the Security Rule (effective in 2005). The Privacy Rule safeguards protected health information (PHI) by regulating how covered entities may use and disclose this information and requiring these entities to put measures in place to protect the privacy of the data.5 PHI means any individually identifiable information created, maintained, transmitted or received by covered entities that relates to the provision of health care or the payment for health care services. Thus, PHI includes medical records, lab tests, and medical bills. To be sure, health information will normally be considered PHI when it includes common identifiers, such as name, physical and email addresses, birth date, Social Security number, and IP address. The Security Rule, which applies to PHI in electronic form (ePHI), requires covered entities to employ administrative, physical, and technical safeguards to protect the ePHI.6

The Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, expanded the reach of HIPAA by extending the applicability of certain Privacy Rule and Security Rule requirements to "business associates" of covered entities and strengthening many privacy and security obligations.7 "Business associates" are entities that provide services to or perform certain functions for covered entities that involve the use or disclosure of PHI.8 HHS' Omnibus Rule, effective in 2013, implemented the changes to the Privacy Rule and Security Rule that HITECH initiated.9 All told, as it stands today, both covered entities and business associates must comply with the key requirements of the Privacy and Security Rules as well as HHS' Breach Notification Rule.10

The CMIA also prescribes privacy protections for medical information. Medical information, similar to the definition of PHI, means "individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment."11 "Individually identifiable" means medical information that contains "personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, [email] address, telephone number, or social security number."12 A "provider of health care" under Section 56.05 of the CMIA includes a broad range of licensed health care professionals as well as licensed clinics, health dispensaries, or health facilities.13


California Governor Jerry Brown signed the amended version of the CCPA on September 23, 2018. It applies to for-profit companies that conduct business in California, that collect and direct the processing of personal information of California residents (which the Act defines as "consumers"), and that satisfy one of the following thresholds: (1) have annual gross revenues over $25 million; (2) sell, buy, or otherwise receive the personal information of 50,000 or more California residents, households, or devices; or (3) derive 50% or more of their annual revenue from selling the personal information of California residents.14 A California resident, for the purposes of the CCPA, is an individual consumer who is a permanent California resident or who lives outside the state for a temporary or transitory purpose.15 And "personal information" means "information that identifies, relates to, describes, is capable of being associated with" an individual consumer or household, including name, alias, postal address, IP address, email address, Social Security number or driver's license number, health information, certain physical characteristics, Internet activity data, and employment information.16

The CCPA grants California residents new rights with respect to their personal information. Most critically, consumers have the right to, with certain exceptions:

  • request that a covered business delete any personal information that the business has collected from them,17
  • request that a covered business that collects personal information disclose the categories of and specific personal information the business collected in the preceding 12 months, the categories of sources from which, and third parties from whom, the business collected the personal information and the business or commercial purpose for collecting or selling personal information,18
  • request that a covered business that sells or discloses their personal information identify the categories of personal information that the business collected and sold in the previous 12 months, the categories of third parties to whom the business sold the information or the categories of personal information that the business disclosed about them for business purposes,19 and
  • direct a covered business that sells personal information to third parties not to sell their personal information (known as the "right to opt-out").20


1 Cal. Civ. Code § 1798.100 et seq.

2 42 U.S.C. § 1320d et seq.

3 Cal. Civ. Code § 56.05 et seq.

4 See Pub. L. No. 104-191, 110 Stat. 193645; see also 45 C.F.R. § 160.103.

5 See id. §§ 160, 164.

6 See id. §§ 160, 162, 164.

7 See 42 U.S.C. §§ 17921–17954.

8 45 C.F.R. § 160.103.

9 78 Fed. Reg. 5566 (Jan. 25, 2013).

10 See 45 C.F.R. §§ 164.400-414.

11 Cal. Civ. Code § 56.05(j).

12 Id.

13 Id. § 56.05(m).

14 Id. § 1798.140(c).

15 Id. § 1798.140(g).

16 Id. § 1798.140(o).

17 Id. § 1798.105(a).

18 Id. §§ 1798.110(a), 1798.130(a)(3).

19 Id. §§ 1798.115(a), 1798.130(a)(4).

20 Id. § 1798.120(a).


Originally Published by AHLA Weekly


© Copyright 2019. The Mayer Brown Practices. All rights reserved.
