California law introduces new data issues for health organizations




California lawmakers are giving businesses dealing with personal data – including health information – another set of restrictions to manage through a new privacy law passed last week. control over the personal data collected by the companies. Businesses must tell users what data they collect, what they use the data for and what third parties they have access to, among other requirements.

Although health care companies are already complying with HIPAA, the new state law will create another layer of compliance when it comes into force in a year and a half.

"This is going to have a significant impact on the health sector," said Mark Brennan, a partner at Hogan Lovells. "From an operational point of view, it will be interesting to see how companies are working to address these requirements."

For some organizations, such as those that make wellness apps for personal information collection, the law will apply to all

For others, such as those defined as entities covered by HIPAA, the law does not apply to protected health information governed by the rules of confidentiality, security and notification of violation of HIPAA.

For example, if a consumer requests an organization to delete their personal information other than protected health information, the organization must consider the request.

Organizations need to start thinking about the data they have, whether they are covered by HIPAA, and what data they could obtain from other sources, said Dominique Shelton, co-chair of Perkins Coie's Data Management and Privacy Group.

Companies working with covered entities will also need to pay close attention to the type of data

"Groups that can buy and sell data from EHRs can have a significant effect on their business," said Brennan. "It is possible that this law could disadvantage US companies in global competition," he said. "It will be difficult for California courts to enforce this law against non-US companies."

But many of these companies, and some American companies too, are already paying attention to the similar requirements of the European Union's General Data Protection Regulation. "The good news is that everyone thinks in the same terms for GDPR," said David Ross, director and chief growth officer for Cyber Security Risk, Internal Audit and Cyber Security Practice at Baker Tilly. "All you have done for GDPR is almost finished because it shares a considerable amount in common with GDPR."

So, just as health care organizations had to prepare for these regulations, which came into effect on May 25, they will have to determine what patient data this law applies to, stated Shelton. "Everyone will have to update their privacy policies when that comes into effect," she said.

Some are waiting for California law, like the GDPR, to start having a domino effect. "California has always been a pioneer."
