Bloomberg Law
Aug. 2, 2018, 12:01 PM

California’s Dreaming of Tougher Health-Care Privacy

James Swann
James Swann

A new California law that sets tough consumer privacy protections is forcing health-care technology and manufacturing companies across the country to take notice.

The California Consumer Privacy Act (AB No. 375) gives consumers the right to know how much of their personal data is being collected by companies as well as the right to have that data deleted upon request, among other provisions.

Pharmaceutical and medical device manufacturers such as Johnson & Johnson, Medtronic, and Pfizer collect vast amounts of consumer data and will likely face new compliance burdens due to the California law.

The CCPA, which was signed into law June 28, affects not only California-based businesses but any businesses across the country that handle California consumer data, forcing them to comply or face heavy financial penalties.

The added layer of compliance could result in a slowdown in clinical research and development, Fielding Greaves, director of state government and regional affairs at the Washington-based Advanced Medical Technology Association, told Bloomberg Law. AdvaMed represents roughly 300 companies that produce medical devices.

“We’re concerned about the potential for unintended consequences related to the use of clinical trial data, which ultimately could delay research and slow access to medical technology,” Greaves said.

The law will go into effect Jan. 1, 2020, Iliana Peters, a health-care attorney with Polsinelli PC in Washington, told Bloomberg Law, and it’s possible that changes might be made before then.

The law was developed in response to a ballot initiative and could be modified to reflect company concerns, Peters, a former deputy director for the Health and Human Services Office for Civil Rights, said.

HIPAA Exemption

While the law appears to exempt businesses and providers covered by the Health Insurance Portability and Accountability Act, it promises to have an enormous impact on a wide range of consumer-directed health-care companies, W. Reece Hirsch, a health-care attorney with Morgan, Lewis & Bockius LLP in San Francisco, told Bloomberg Law.

Companies that stand to be affected by the California law include digital health companies, pharmaceutical and medical device manufacturers, and health-care technology companies, which aren’t covered by HIPAA, Hirsch, who specializes in health-care privacy, said.

“The new consumer privacy rights created under the CCPA represent a watershed moment in U.S. privacy regulation, introducing an expansive, GDPR-like approach to privacy,” Hirsch said. The GDPR, or General Data Protection Regulation, is a European privacy regulation that took effect May 25 and can be applied to any company in the world that processes the personal data of anyone physically located in the European Union.

Companies will need to verify whether the CCPA applies to them, as the law includes an exception for smaller companies, Peters said.

Companies are exempt if they have annual revenue below $25 million, don’t obtain personal information for more than 50,000 California residents, and don’t make 50 percent or more of their annual revenue from selling California residents’ personal information, Peters said.

There are numerous health-care companies outside of HIPAA’s scope that will face an enormous set of compliance challenges they haven’t seen before as a result of the California law, Kirk Nahra, a privacy attorney with Wiley Rein in Washington, told Bloomberg Law.

Wearable manufacturers such as Fitbit collect large amounts of consumer health-care data and will have to comply with the California law, as will developers of mobile health-care apps.

“It will impact lots of business operations and may have a significant meaningful adverse impact on some innovative business activities,” Nahra said.

The CCPA also creates new statutory damages that are likely to cause a spike in security-breach-related litigation in California, Hirsch said. Consumers will be able to sue companies for up to $750 for each individual data-breach violation, and the California attorney general can sue companies for up to $7,500 for each intentional violation of the law.

Future Privacy Laws

Other states are likely to enact their own privacy laws modeled after California, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg Law. Fader advises clients on health IT and health privacy issues, among other things.

Growth in state privacy laws could cause confusion for larger companies looking to comply with different language and provisions in the various laws, Fader said.

If other states end up developing their own privacy laws, the health-care industry will likely work together to push for a federal privacy law that will provide consistency and preempt state laws, Nahra said.

However, Nahra said he was doubtful there would be a surge of new state laws, as the circumstances of the California law were unique. The California law came about due to an aggressive referendum that was followed by a race to pass a law to preempt the referendum, Nahra said.

To contact the reporter on this story: James Swann in Washington at

To contact the editor responsible for this story: Brian Broderick at