By Brad Adatto, JD, Partner, ByrdAdatto
Do you own or work for a med spa in California? If so, this is important news. Just two months after California passed its sweeping new consumer privacy law, the California Legislature has passed an amendment to the act that was submitted to the Governor on September 12th for signature. The original bill, the California Consumer Privacy Act of 2018 (“Privacy Act”), was signed into law on June 28, 2018, creating the strongest protections in the nation on collecting and using consumers’ information (please see our previous article here for more details on the Privacy Act). As written, the Privacy Act would require substantial compliance efforts for businesses working with California residents. The amendment makes many changes and clarifications to the Privacy Act, and several will be beneficial to medical practices.
The most beneficial change for medical practices is that the Privacy Act now does not apply to health care providers to whom the rules of HIPAA or California’s Confidentiality of Medical Information Act apply, so long as the practices maintain patient information in the same manner as they are required to maintain protected health and medical information. Protected health information and medical information covered under those laws were already exempted in the original law.
A second helpful change for medical practices is that the disclosure to consumers of their rights of deletion no longer needs to be on the website or in the privacy policies. Rather, it now only needs to be “reasonably accessible to consumers.” Previously, this would have necessitated medical practices making major updates to their websites to be compliant.
The amendment also narrows the broad definition of personal information covered by the law. Previously, “personal information” included a laundry list of types of information, ranging from biometric data to employment information. Unfortunately, the laundry list still remains, but it is limited only to data that is capable of being associated or linked with a particular consumer or household. This is helpful as it exempts aggregated demographic and trend data.
While the Amendment may have eased the burden of compliance for medical practices, it has not removed it. We are hopeful that most of the nuts-and-bolts compliance concerns will be fully addressed in the Attorney General’s forthcoming rule interpretation. Consistent with the amendment, the AG must release its rule interpretation by July 1, 2020. However, since the Privacy Act itself becomes effective January 1, 2019, medical practices will need to be mindful of how they are treating consumer information before the Privacy Act takes effect. Substantial processes and changes may still be needed by medical practices to be compliant.
Brad Adatto, JD, is a partner at ByrdAdatto, a business, healthcare, and aesthetic law firm that practices across the country. He has worked with physicians, physician groups, and other medical service providers in developing ambulatory surgical centers, in-office and freestanding ancillary service facilities, and other medical joint ventures. He regularly counsels clients with respect to federal and state health care regulations that impact investments, transactions, and contract terms, including Medicare fraud and abuse, anti-trust, anti-kickback, anti-referral, and private securities laws.