California lawmakers have amended the state’s sweeping new privacy act to exempt HIPAA covered entities (CEs) from parts of the regulation. However, the amendment doesn’t give CEs and business associates (BAs) a free pass, one expert says.
In fact, the exclusion for CEs and BAs may not be truly helpful, says Rachel Marmor, a New York City-based attorney with Davis Wright Tremaine LLP who focuses on data privacy and cybersecurity issues.
The California Consumer Privacy Act of 2018 (CaCPA) was approved in a rush in late June to ward off a California ballot initiative on privacy (RPP 9/18, p. 4). It applies to most larger for-profit companies operating in the state, plus any companies that handle personal information for more than 50,000 state residents per year, or those that make a majority of their annual revenue from selling personal information.