Effective Jan. 1, 2020, the California Consumer Privacy Act of 2018, officially called AB-375, grants consumers the right to request that a business disclose the categories and specific pieces of personal information it collects about them. AB-375 requires entities that meet any of the following criteria to comply with the law:
- annual gross revenue in excess of $25 million;
- annually purchases, receives for the business’ commercial purposes, sells, or shares—for commercial purposes, alone or in combination—the personal information of 50,000 or more consumers, households or devices; or
- derives at least 50 percent of its annual revenues from selling consumers’ personal information.
Most California physician practices probably do not meet these requirements; however, it is worth noting that under HIPAA patients have the right to request an accounting of who their protected health information was disclosed to.
In terms of breach notification, California Civil Code s. 1798.29(a) [agency] and California Civil Code s. 1798.82(a) [person or business] require a state agency or a business, respectively, to notify a California resident of a breach of unencrypted personal information that was acquired, or is reasonably believed to have been acquired, by an unauthorized person.
By keeping a pulse on changes in regulations and technology, physicians and their business associates can have reasonable assurance that the technical, administrative, and physical safeguards they attest to in their business associate agreements remain accurate. Physicians who stay current can mitigate their risks of breaches, harm to patients, and legal liability.