California Consumer Privacy Act

Subscribe to California Consumer Privacy Act via RSS

As we recently reported, the privacy-right activist group that sponsored the California Consumer Privacy Act (“CCPA”) – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The CRPA has now qualified for the November 3, 2020 ballot, gathering more than 600,000 valid signatures as

Most companies continue to grapple with compliance with the California Consumer Privacy Act (“CCPA”), which went into effect in January. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA.

Now, the privacy-right activist group that sponsored the CCPA – Californians for Consumer Privacy – is pushing for

As the coronavirus spreads across the globe and in the United States, providers, businesses, employers, and others are struggling to understand what medical information they can collect and what information they can share. These are difficult questions the answers to which involve considering factors such as long-standing compliance requirements (e.g., HIPAA, ADA, GINA, state law), the unprecedented times we are in, business risk, and common sense. Government is trying to act to relieve some of these challenges, but questions still remain.

HIPAA Privacy Rule Waiver of Penalties and Sanctions

Effective March 15, 2020, for example, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar (Secretary) waived certain penalties and sanctions under the HIPAA Privacy Rule against hospitals in its March 2020 COVID-19 and HIPAA Bulletin. These waivers were issued in response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and the Secretary’s earlier declaration of a public health emergency on January 31, 2020. The Secretary’s guidance makes clear that the Privacy Rule is not suspended during this crisis and provides guidance about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel. But, in the following areas, the Secretary has waived sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver became effective on March 15, 2020, and there is more information and access to resources in the Bulletin about where it applies and for how long.

Reminder About What Entities Are Covered Entities and Business Associates

As part of its guidance on HIPAA privacy and disclosures in emergency situations, the Bulletin reminds readers what entities are covered by these rules – covered entities and business associates. There can be some tricky questions here, but these are the basic rules from the Bulletin:

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities are health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). There may be other state or federal rules that apply.

Employers are Not Covered Entities or Business Associates – But Still Have Privacy and Confidentiality Obligations

When conducting its business, an organization can be a HIPAA covered entity and/or a business associate. However, when that business is functioning as an employer, it is neither a HIPAA covered entity nor a business associate, although it may sponsor a covered health plan subject to the HIPAA privacy and security rules. As organizations face the coronavirus threat to their workforce and their business, many questions arise about the collection, processing, and disclosure of medical information from employees, their family members, and visitors to their facilities. These can be thorny questions and organizations should seek qualified counsel, but here are some general rules:

When may an ADA-covered employer take the body temperature of employees during the COVID-19 pandemic?
Continue Reading HIPAA Privacy Rule Waiver, Other Medical Information Questions During the COVID-19 Pandemic

The much anticipated California Consumer Privacy Act (“CCPA”) is now in effect (as of January 1, 2020), and as we’ve recently reported, class action litigation under the CCPA has already begun.  Organizations should have already assessed whether their business is subject to the new law and if so, taken steps to ensure compliance.  Likely,

Many businesses and their service providers have been awaiting final guidance from the California Attorney General concerning the California Consumer Privacy Act (CCPA). When news came last Friday of a regulatory update (“Update”), there may have been some initial disappointment that the Update did not announce final regulations, but only revisions to existing proposed regulations

Image result for CCPA class actionAs reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA). Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, Salesforce.com, alleges negligence and a failure to maintain reasonable safeguards, among

With the California Consumer Privacy Act (CCPA) effective for nearly one month, businesses continue to grapple with the many components of this new privacy framework. A key component of the CCPA is granting consumers the right to request information about and to exercise some control over their personal information. Developing sufficient mechanisms to receive, process

2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning

When privacy geeks talk “privacy,” it is not uncommon for them to use certain terms interchangeably –personal data, personal information, personally identifiable information, private information, individually identifiable information, protected health information, or individually identifiable health information. They might even speak in acronyms – PI, PII, PHI, NPI, etc. Blurring those distinctions might be OK for

After years of data breaches, mass data collection, identity theft crimes, and failed attempts at broad-based federal legislation, 2020 may be the year that state privacy and data security legislation begins to take hold in the U.S. For example, the California Consumer Privacy Act (“CCPA”) and the New York Stop Hacks and Improve Electronic Data