health as it happens

Health care organizations face steep hurdles complying with sweeping California Consumer Privacy Act - UB Now: News and views for UB faculty and staff - University at Buffalo Reporter

The landmark California Consumer Privacy Act (CCPA) aims to give people greater control over their personal information online. But health care organizations face several legal and technological challenges that affect their compliance with the regulation, according to new research from the School of Management.

The CCPA — which passed in 2018 and went into effect Jan. 1, 2020 — is the nation’s first comprehensive data privacy law, applying to most for-profit companies that do business in California. It gives state residents the right to access the personal information companies collect on them, request to delete their data and seek legal recourse for a data breach or misuse.

“Given the law’s broad definition of ‘business’ and ‘consumer,’ companies across the U.S. that collect user data and deploy cookies must comply with the CCPA,” says lead author Pavankumar Mulgund, clinical assistant professor of management science and systems. “But health care organizations have an additional burden of complying with HIPAA — and we found the interplay of the two laws creates some unintended hurdles.”

HIPAA, or the Health Insurance Portability and Accountability Act, protects patients’ health information. The UB study, published in Health Policy and Technology, is the first to investigate the implications of the CCPA on HIPAA-compliant organizations.

Researchers conducted extensive interviews with nearly 20 experts at the intersection of digital privacy and information systems in the health care space. When they analyzed the data, researchers found the more visible aspects of the law were easy to implement — for example, building a website or setting up a helpline for customers to request data access.

However, the study found ensuring an accurate inventory of all consumer data the organization collects and stores is considerably more difficult.

“It’s critical for organizations to proactively comply with CCPA regulations, rather than face expensive legal battles,” says co-author Raj Sharman, professor of management science and systems. “But especially for smaller health care organizations, it can be challenging to understand the law’s jurisdiction and develop technology infrastructure that’s sophisticated enough to protect against data breaches.”

On the tech side, experts identified four major issues for compliance: challenges in data discovery and inventory; a lack of robust digital infrastructure; coordination between technical and legal professionals; and the high cost of compliance.

Meanwhile, on the legal side, experts cited a lack of clarity as a key concern — for example, whether data-sharing agreements constitute a “sale” and whether data collected by wearables and health apps are subject to compliance.

“The COVID-19 pandemic really exacerbated the confusion, as organizations make enhanced use of technology to capture personal and health-related information — like temperature scans, contact tracing and test results — without establishing adequate privacy safeguards,” says Mulgund. “It’s unclear whether these data points fall under the CCPA, and as other states debate similar legislation, this issue will only become more complex.”

School of Management alumni Banashri Mulgund, MS ’20, and Raghvendra Singh, MS ’20, also co-authored the study.