Author: TSA Press

Cramming for the CCPA

Cramming for the CCPA

Axiom & Above the Law

Organizations engaging with personal healthcare data need to pay close attention to the rapidly evolving regulatory environment. Over the next few years, the compliance requirements around personal healthcare data are set to evolve at breakneck speed. Surviving and thriving in this environment of regulatory change will require a more strategic approach to managing personal data.

For decades, personal healthcare data was regulated by a patchwork of federal and state-level, industry-specific data protection rules that left significant gaps in coverage. As a result, an individual’s healthcare data – and all personally identifiable data within organizations working with healthcare information – fell under data protection rules only in some circumstances. Not surprisingly, today most individuals do not understand when their healthcare data is protected by data privacy rules and when it is not.

Now, the advent of new state-level data privacy laws, such as the California Consumer Privacy Act (CCPA), and the possibility of a comprehensive federal level law means it’s likely that those gaps in regulatory coverage will be filled, creating a range of new compliance requirements. These new data privacy rules – covering the previous gaps – present an opportunity for healthcare industry organizations to enhance the trust within their data relationships. Let’s look at an example of what is happening to see both the challenges and the possibilities.

Exploring CCPA and healthcare data
The impact of the CCPA on healthcare data privacy compliance will be significant, and so it makes a good case study for understanding what is to come. Until the CCPA – which comes into force in January 2020 – healthcare data privacy and security in California was primarily regulated through HIPAA. However, HIPAA only applies to “covered entities” holding “protected health information.” HIPAA’s focus is primarily health insurance, so organizations in scope include hospitals, clinics, insurance providers and clearing houses that process medical data.

In contrast, the CCPA applies to all for-profit organizations that do business in California that operate above certain revenue and data processing thresholds. The CCPA exempts personal data protected by HIPAA and California’s Confidentiality of Medical Information Act (CMIA) – so some types of personal healthcare data continue to be covered by the existing rules. However, CCPA now covers most other personal data created, processed and exchanged by the healthcare industry – filling in the gaps.

Understanding three big changes CCPA brings

CCPA will significantly alter the rules of the game for personal data in the healthcare industry. Below are three key ways in which organizations will need to rethink data privacy:

1. Under CCPA, all individuals within healthcare organizations have their data privacy protected, including their personal healthcare data. Currently, individuals who are not patients within healthcare organizations are not covered by HIPAA, from a personal data perspective – including doctors, nurses, and other employees. CCPA changes all of this in California. When it comes into force, all of the personal data of non-patients engaging with HIPAA-covered healthcare organizations will be covered by the regulation. As a result, HIPAA-covered organizations (as well as other healthcare organizations) will now need to have policies and processes for the protection of all of their employees’ personal data, including any healthcare data they may hold. They will also have to protect any employee data shared with third parties. There has been some temporary relief with passage of California Assembly Bill 5 (AB5), but it doesn’t exempt organizations of all requirements under CCPA.
2. With CCPA, other types of organizations that handle personal healthcare data will need to put protections in place. Thousands of organizations operating in California that are not covered by HIPAA – from pharmaceutical companies to the makers of watches that capture health statistics – will now need to comply with the CCPA’s requirements for all of the personal data they hold and process. This includes personal healthcare data, which is of a particularly sensitive nature. These organizations will need to put in place new approaches for securely managing all of this personal data. They will also need to communicate these changes to the individuals impacted. Many US consumers are not aware that their personal healthcare data isn’t legally protected under many circumstances, and so these communications will need to be undertaken with care. However, there is a real opportunity here to enhance consumer relationships if these activities are done well.
3. Healthcare companies doing business in California will have to apply CCPA to their entire US organization. Healthcare organizations often operate in state-based silos because of the nature of state-specific regulations. However, CCPA breaks down the silos from a data protection perspective. Healthcare industry organizations that process data on California residents will have to apply CCPA data protection policies and processes across their entire corporate network, managing this personal data in a more coherent way. This may create steep compliance challenges for many organizations not used to operating across state boundaries.

These are significant changes to the way personal data – and healthcare data in particular – needs to be handled under CCPA. They will require impacted healthcare organizations to make substantial changes to the way they obtain, process and store this information. Organizations may be tempted to try and comply by implementing a variety of point solutions to tackle individual issues. However, this would be a costly and inefficient approach given the scale of the changes that have already happened, and of those to come.

Preparing for the healthcare data revolution
For organizations in the healthcare industry, the impact of CCPA is just the beginning. A number of states, including Washington and New York, are working on putting their own CCPA-style regulations in place. At the federal level, a new data privacy bill is viewed as having enough strong support from both Republicans and Democrats to actually make it into law before the next presidential election cycle. Hearings are being held, and draft legislation, including a bill in the Senate, is making its way through the legislative process.

Change is coming, and it is coming soon. Healthcare industry organizations operating outside of California will soon have to face the same kinds of issues described above. In such an environment, a strategic approach to meeting personal data requirements over the long term makes sense. Tactical fixes aimed at short-term CCPA compliance may not be scalable to manage the coming multi-state or US-wide personal data rules. A proactive, enterprise-wide approach to data privacy enables organizations to scale compliance across multiple regulations quickly and easily.

It also empowers the organization to engage in a more proactive and responsive way with individuals. Prepared organizations can concentrate on enhancing the relationship of trust they have with their customers while competitors are still working hard to comply. Healthcare organizations that choose to implement an intelligent approach to data privacy once will be able to thrive in an environment of intense regulatory change.

Photo: LeoWolfert, Getty Images

The holiday season – and many CLE deadlines – are just around the corner. Whether you’re hoping to squeeze in some CLE before you travel, or looking to finish your CLE requirements before the end of the year, Lawline has you covered. With over 35 programs on the calendar in November, with topics ranging from key SCOTUS cases and corporate whistleblower protections, we’ve got something for everyone. Check out some of November’s CLE highlights below.

How to Franchise a Business: A Practitioner’s Guide. If you’re advising a client looking to turn their existing business into a franchise, it’s important to be aware of a number of different state laws, as well as the Federal Trade Commission regulations. This program will cover the applicable laws and regulations, as well as practical advice for guiding potential franchisors. Airing Monday, November 4, 2019 at 11:30 a.m. (EST

State & Local Government Issues at the Supreme Court, 2018 – 2020. This program will review some of the most interesting Supreme Court cases from the 2018 – 2019 term, and a few cases from the upcoming 2019 – 2020 term, that will have a large impact on state and local governance. There’s something for every kind of lawyer in this one. Airing Tuesday, November 12, 2019 at 2:30 p.m. (EST)

Hot Topics in Corporate Whistleblower Protections. This timely program offers a discussion of recent developments in protections for corporate whistleblowers, including the Taxpayer First Act, protected conduct under the Sarbanes-Oxley Act, the impact of Wadler v. Bio-Rad, and more. Airing Thursday, November 14, 2019 at 3:00 p.m. (EST)

If you can’t attend a live webcast, don’t worry! All of our courses go on-demand within 48 hours after airing (and you can check them out with our free trial). Check out these highly rated programs that were recently added to our catalog:

How to Succeed in a Contested Guardianship Proceeding. Regardless of who an attorney represents in a contested guardianship proceeding, the goal should be to protect the Respondent with diminished capacity. This program covers trial tips to achieve this outcome for attorneys representing either party, and pitfalls to avoid. Originally aired on October 1, 2019

Cybersecurity & Data Privacy: Regulatory and Enforcement Update. Recent cybersecurity enforcement has seen lawmakers asking businesses to protect their data, networks, and customer information or face stiff penalties. This program reviews recent enforcement trends, legal developments in cybersecurity, and predictions for 2020. Originally aired on October 10, 2019

Representing Plaintiffs in Wrongful Death Cases. This program provides strategies for trials involving wrongful death claims, including best practices in mediation, out-of-court settlements, handling experts at trial, issues for the surviving family members, and much more. Originally aired on October 22, 2019

I’m definitely working really hard and it’s a commitment that I’ve chosen to take this time away from my family to study and to not go out with my friends and live a different life. And I’m so OK with that.

— Kim Kardashian West, discussing her legal aspirations during a panel at the New York Times DealBook Conference earlier this week. “I love it and I just hope that one day I can start a firm that will help with prison reform,” the first-year legal apprentice continued. She again reiterated her desire to hire people who are currently behind bars, because “they know the law better than most lawyers.”

Staci Zaretsky is a senior editor at Above the Law, where she’s worked since 2011. She’d love to hear from you, so please feel free to email her with any tips, questions, comments, or critiques. You can follow her on Twitter or connect with her on LinkedIn.

The pressure is on at Gibson Dunn. The firm finds itself in the middle of a controversy surrounding its use of mandatory arbitration agreements as a condition of employment. Fourteen LGBTQ+ student organizations at 13 different law schools have announced they will no longer accept money from or otherwise promote firms that have mandatory arbitration agreements. As part of this campaign, they’re targeting Gibson Dunn’s arbitration policy (though summer and first-year associates are not subject to mandatory arbitration, the firm still uses it for non-attorney staff).

The open letter, written by Harvard Law School Lambda and the People’s Parity Project (student activists that have kept the heat on Biglaw firms over their use of mandatory arbitration agreements), was signed by the following organizations: Queer Caucus at Berkeley Law School, University of Chicago Law School OutLaw, Columbia Law School Outlaws, Cornell Law Lambda, Georgetown University Law Center OutLaw, Harvard Law School Lambda, Harvard Law School Queer & Trans People of Color, Michigan Law Outlaws, New York University School of Law OUTLaw, Northwestern Pritzker School of Law OUTLaw, Stanford Law School OutLaw, UCLA School of Law OUTLaw, University of Pennsylvania Law School Lambda Law, and Yale Law School OutLaws. Additionally, Harvard Law School Lambda, Michigan OUTLaws, UCLA OUTLaw, and Yale Law School OUTLaws are ending their existing partnerships with Gibson Dunn over the practice.

“Workplace discrimination remains alive and well in the legal profession—and we cannot in good conscience promote employers as LGBTQ+ friendly when they are using forced arbitration to sweep discrimination, harassment, and other workplace misconduct under the rug. The reality is that as long as Gibson Dunn or any other firm subjects its employees to forced arbitration, we simply do not know whether they are safe and equitable workplaces for queer and trans workers,” said Sejal Singh, a founding co-director of the People’s Parity Project and member of Harvard Law School Lambda.

Additionally, the People’s Parity Project announced that as a result of this campaign, Williams & Connolly will end their mandatory arbitration practice.

The practice of mandatory arbitration agreements in Biglaw first came under fire when Munger Tolles was called out on social media for the practice last year. That firm changed their policy as a result, and other firms voluntarily did away with the practice. Others required some good, old-fashioned pressure, but eventually eliminated the agreements. But, of course, there have been some firms that have held fast, despite complaints and bad press.

Kathryn Rubino is a Senior Editor at Above the Law, and host of The Jabot podcast. AtL tipsters are the best, so please connect with her. Feel free to email her with any tips, questions, or comments and follow her on Twitter (@Kathryn1).

Today, Milbank beat Cravath in announcing year-end bonuses. Which other firms have done so in the past?

Hint: Before now, it’s only happened two times since 2006, the year Above the Law first started tracking Biglaw bonus news.

See the answer on the next page.

Staci Zaretsky is a senior editor at Above the Law, where she’s worked since 2011. She’d love to hear from you, so please feel free to email her with any tips, questions, comments, or critiques. You can follow her on Twitter or connect with her on LinkedIn.

Three Western states’ efforts to rethink how they regulate the legal profession have drawn plenty of attention, and rightly so.

But Arizona, California, and Utah are not alone in examining hot-button topics such as whether to allow fee splitting with nonlawyers.

In Illinois, a panel created by the Chicago Bar Association and Chicago Bar Foundation is examining potential changes to the state’s legal marketplace.

The Task Force on the Sustainable Practice of Law & Innovation held its first meeting early last month.

A press release announcing the panel’s creation highlighted that the task force will strive to propose regulatory changes bolstering access to justice for consumers. But the chairs of the task force also made clear in their prepared statements that the panel will examine how to improve the legal market for lawyers.

“We intend to evaluate technologies, rule modifications and other changes, including the possible expansion of legal referral platforms to promote a more viable and sustainable law practice for Illinois attorneys,” said Task Force Co-Chair E. Lynn Grayson of Nijman Franzetti LLP.

Task Force Member Jayne Reardon said in an interview that she is glad the panel will be dually focused on “the fact we have so many lawyers who cannot have a sustainable and rewarding practice at the same time we as a profession are failing to meet the civil legal needs” of consumers.

While the justice gap has been well-documented for some time, Reardon said she thinks the myriad challenges facing lawyers in the current environment have been a key driver of the active focus on legal regulatory reform in multiple states.

“What I think is different now is that it has become clear over the last several years that the construct and structures of the legal profession are not working for lawyers either,” said Reardon, executive director of the Illinois Supreme Court Commission on Professionalism.

The Illinois task force also plans to closely follow developments in the Western states that are further along in their reform efforts, and it has established a National Advisory Council to help it do so.

Utah’s Work Group on Regulatory Reform released its recommendations in August. They were adopted by the Utah Supreme Court soon after, and the state’s implementation work is underway.

Arizona’s Task Force on the Delivery of Legal Services released its report and recommendations last month. The Arizona Judicial Council will determine next steps.

California’s Task Force on Access Through Innovation of Legal Services released tentative recommendations in the summer and is working to complete a final report in the coming months. Several members of that panel are on Illinois’ National Advisory Council.

Reardon said she thinks Utah has proposed the most novel approach to date. One of their recommendations called for the creation of a “regulatory sandbox” that will allow nontraditional legal services providers to “test innovative legal service models and delivery systems.”

These providers, such as legal tech companies, will be permitted to do their testing without being accused of engaging in the unauthorized practice of law. They will do so under the supervision of a new regulator implementing a “risk-based, empirically-grounded regulatory process for legal service entities.”

“Utah is in fact reimagining legal services in a way that breaks out of the constraints that have been basically the norm for the last 100 years,” Reardon said. “There is a lot of promise there. How they work out the regulatory piece and the regulatory sandbox will be interesting to watch.”

As for Illinois, the task force there hopes to identify and recommend ethics rules changes to the Illinois Supreme Court by September 2020.

Lyle Moran is a freelance writer in San Diego who handles both journalism and content writing projects. He previously reported for the Los Angeles Daily Journal, San Diego Daily Transcript, Associated Press, and Lowell Sun. He can be reached at lmoransun@gmail.com and found on Twitter @lylemoran.