Even before HIPAA, healthcare providers were generally required at the state level to provide certain levels of privacy protection for their patients. HIPAA compliance, though a significant part of risk management, has become well-ingrained in everyone’s policies, procedures, and training.
However, since 2018, healthcare providers that meet the criteria are now forced to comply with a whole new set of privacy protections under the California Consumer Privacy Act (CCPA). For some reason, many healthcare systems underestimated the CCPA’s applicability, even though there is no exemption for healthcare providers.
CCPA applies to any for-profit entity that meets any one of the following:
- Has an annual gross revenue in excess of $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Of the three triggering thresholds, a healthcare provider or system is most likely to trigger the revenue threshold, as even a small hospital or surgical center would likely blow past $25 million in annual revenue. To check, look at the gross patient revenue reported in each hospital’s most recent Medicare Cost Report.
Under HIPAA, a data breach is difficult enough to deal with. Depending on the size of the breach, you may have to notify the media and Health and Human Services. The blowback often comes with fines and a lot of upset patients.
However, CCPA specifically allows patients to file a lawsuit (usually as a class action) as a result of a breach due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” Specific statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater” are available to private parties and have already proven to result in mass class actions. This means a single incident involving 500 records could result in a liability of almost 400 thousand dollars.
Except that most major breaches (those of 500 records or more) involve far more than 500 records. The average number of records leaked in a HIPAA data breach incident is more than 5,000! Healthcare institutions already spend an average of $429 per stolen record. Much of that spend goes to fines and notification requirements, including offering victims credit monitoring services.
This means that a leak of 5,000 patient records in California may result in an additional 3.75 million dollars in liability. The cost of privacy compliance in healthcare has just doubled.