CCPA Security FAQs: Does the CCPA Open Health Care Providers to Increased Litigation?

Probably not.

The CCPA exempts any health care provider or “covered entity” that is governed by the Health Insurance Portability and Accountability Act (“HIPAA”),[1] and it exempts “protected health information that is collected by a covered entity or business associate” subject to the HIPAA Security Rule.[2] Unlike the exemption provided to other industries (e.g., financial institutions), the exemption provided to health care providers, other covered entities, and business associates appears to cover all aspects of the CCPA, including the ability of a Californian to bring a private right of action following a data breach or seek statutory damages.