California Consumer Privacy Act

two rows of palm trees across a teal color sky
Tiffany Yang

Director of Customer Privacy

What is the California Consumer Privacy Act?

“The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law.”

Lucky you if you live in the state of California, which is one of the very few states across the nation to take an extra stance on patient privacy. According to the National Conference of State Legislatures, only 5 states have implemented digital privacy laws, giving individuals the right and control to choose when and how their information is shared. State legislation such as these is becoming more popular as many are figuring out that HIPAA is not enough. Unregulated data brokers are dangerous and unethical, working through loopholes and around vague federal language to profit from buying and selling your sensitive health information and data.

Your rights

One of the many regulations stated in the CCPA is the requirement of all data brokers in the state of California to register their business with the Attorney General who then publicly displays the information allowing consumers to easily identify or perhaps track their information, giving access to contact the data brokers directly.

Moreover, the CCPA allows consumers to:

  1. Know what personal information is collected
  2. See specifically what personal information is collected
  3. Correct inaccurate information
  4. Delete the personal information that was collected
  5. Restrict the sale or sharing of personal information
  6. Limit the use and sharing of sensitive information about you (e.g. genetic information, sexual orientation, race and ethnicity, etc.)
  7. Not be discriminated against for expressing CCPA rights

The CCPA additionally created the California Privacy Protection Agency to fine any businesses that do not follow these regulations, including a tripled and maximum penalty for violations of individuals under the age of 16.

What to do

While many states and even federal laws allow and encourage consumers to submit their complaints, the submission process can be challenging and time-consuming. For example, to file a Patient Safety Confidentiality Complaint, one must:

  1. file the complaint in writing via mail, fax, or e-mail if you can find the contact information and the appropriate department to send the complaint to
  2. describe the act or acts believed to be in violation of the Patient Safety Act and name the perpetrators
  3. file the complaint within 180 days of when you learned of the potential violation of confidentiality.

Another example is filing a complaint to the Medical Board of California (MBC) against your provider for breach of confidence, in the event you learn your health information is being sold by your provider to data brokers. The MBC’s website claims to receive over 10,000 complaints a year. Beyond the detailed procedures for submitting a complaint, a resolution in a timely manner is unlikely.

The quickest way to start safeguarding your healthcare data is to exercise your rights at your doctor’s office. Prior to your visit, you may be asked to sign a HIPAA authorization, sometimes called a Notice of Privacy Practices. Per the U.S. Department of Health & Human Services, the privacy notice must, “…explain that your permission (authorization) is necessary before your health records are shared for any other reason.” If the written language is unclear to you, ask for clarification, or do not give authorization. Learn how your provider records your refusal to sign, as required of your provider by law. Then, learn how this refusal to sign follows your data. Allow these inquiries to be your opportunity to make informed decisions.

For further assistance

For non-California residents and those who want to save time and a lot of effort submitting restriction requests to individual providers, health organizations, and data brokers, allow HealthConsent to advocate on your behalf to anyone and anywhere your health data has traveled.