Data Privacy

HIPAA Continues to Apply During Coronavirus Pandemic

As the Coronavirus Disease 2019 (COVID-19) pandemic grows, employers and others may be wondering how the public health emergency created by the outbreak affects information protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The short answer: All HIPAA protections continue to apply. Accordingly, employer-sponsored health plans, which are “covered entities” subject to HIPAA, must continue to adhere to HIPAA’s privacy and security rules and may not use or disclose protected health information (PHI) in a manner not already provided for under HIPAA in the absence of an applicable exception issued by the U.S. Department of Health and Human Services. As a reminder, PHI that an employee obtains when carrying out an administrative function for the plan generally cannot be shared with the employer. For example, if in the process of performing auditing activities for the employer-sponsored health plan, an employee learns that the plan has provided coverage for the COVID-19 treatment for an employee’s child, that information is PHI and the employee is prohibited from sharing that information with the employer.

The U.S. Department of Health and Human Services Office for Civil Rights recently issued a Bulletin to remind covered entities of their continuing compliance requirements and the circumstances under which PHI may be disclosed without an individual’s authorization, including:

  • Treatment, when necessary to treat the patient or a different patient by one or more health care providers.
  • Public health activities, including disclosure to a public health authority such as the

The CCPA: Employee Data Requirements May Be Delayed, But Do Not Appear to be Going Away

July 12, 2019

Action is currently underway to amend the California Consumer Privacy Act (“CCPA”) to provide employers an additional year to comply with the CCPA with respect to employee data of California-based employees.

The California Senate Judiciary Committee has passed AB-25, an amendment to the CCPA that would delay most of the compliance obligations for employee data until January 1, 2021. Specifically, the amendment provides that employees are not “consumers” for most purposes of the statute until January 1, 2021.

If the legislature passes the bill, the CCPA will still apply to employers with California-based employees in the following ways, effective January 1, 2020:

  • Employees will be able to sue employers for a data breach involving their unencrypted data.
  • Employers must provide a notice to employees describing the categories of employee information collected, used and disclosed by the employer.

While there have been many predictions that the CCPA would be amended to remove employee data from the requirements of the statute altogether, if the California state legislature approves the bill amending the CCPA, the effect will be to simply delay the compliance obligations for employers for a year.

For now the bill is with the Senate Appropriations Committee for hearing and another round of voting. Assuming Appropriations votes to pass the bill, it will go to the Floor for a vote. The Appropriations Committee has until August 30th to vote on bills.

Employer CCPA FAQs #9: May an employer become subject to the CCPA because of a corporate transaction?

As our series of FAQs regarding the California Consumer Privacy Act (“CCPA”) continues, we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance.

As a reminder, the CCPA is a new privacy law that applies to data collected about California-based employees. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.

For US employers who have not had to comply with the GDPR, the requirements of the CCPA will likely require a new analysis of the treatment of employee data and implementation of updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers in compliance with the GDPR will likely already be familiar with many of the requirements of the CCPA and, with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP offers a complete compliance program to employers that includes a formal gap assessment as well as policies, procedures, and protocols to close identified gaps. If you or your organization would like information on this compliance program or any other issue, please contact us or one of your other trusted BCLP attorneys.

Question #9: May

Employer CCPA FAQs #8: Does the CCPA apply to non-profit employers?

Question #8: Does

Employer CCPA FAQs #7: If an employer is based in California, will the CCPA requirements apply to all employee data held by the employer?

Question #7:  If an

Employer CCPA FAQs #6: Does an employer need to generate revenue in California in order for CCPA to apply?

Question #6: Does an employer need

Employer CCPA FAQs #5: Does an employer have to be “established” in the United States for U.S. data privacy and security laws, and particularly the CCPA, to apply?

Question #5: Does an employer

Employer CCPA FAQs #4: What information is not “Personal Information” under the CCPA?

This post is part of our series of FAQs examining the California Consumer Privacy Act (“CCPA”) that should help employers with operations in California to determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance.

By way of background, the CCPA is a new privacy law that will go into effect in early 2020. Because the CCPA refers to “consumers,” many HR professionals do not realize that the CCPA, as currently enacted, also applies to data collected about California-based employees. Please see our recent blog post for a summary of which employers will be subject to the CCPA and the key requirements of the law.

Although the law will not be in effect until next year, employers who must comply should be addressing compliance obligations now. For U.S. employers who have not had to comply with the European Union’s General Data Protection Regulation (“GDPR”), the requirements of the CCPA will likely require a new analysis of the treatment of employee data and updated or new data policies. Employers who are required to comply with the GDPR will likely already be familiar with many of the requirements of the CCPA, and a key area of interest is the degree to which the CCPA aligns with GDPR for purposes of implementing CCPA-compliant practices for their California-based employees.

BCLP offers a complete compliance program for employers that includes a formal gap assessment and tailored policies, procedures, and protocols

Employer CCPA FAQs #3: As used in the CCPA, do the terms “personal data” and “personal information” mean the same thing?

In the coming weeks we will be releasing a series of FAQs examining aspects of the California Consumer Privacy Act (“CCPA”) of particular importance to employers. These FAQs should help employers determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance.

By way of background, employers with operations in California should be aware of the CCPA, a new privacy law that applies to data collected about California-based employees. Because the CCPA refers to “consumers,” many HR professionals don’t realize that the Act, as currently drafted, applies to data collected about California-based employees. Please see our recent blog post summarizing the CCPA for employers.

The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now. For U.S. employers who have not had to comply with the GDPR, the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee data and updated or new data policies.

For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers who are complying with the GDPR will likely already be familiar with many of the requirements of the CCPA and, with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP also offers a

Employer CCPA FAQs #2: What is “personal information” under the CCPA? 

BCLP also offers a complete

The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.