CCPA in Healthcare: Requirements, HIPAA Exemptions, and Compliance Checklist
CCPA Applicability in Healthcare
When CCPA applies to healthcare organizations
CCPA applies to for-profit entities that do business in California, determine the purposes and means of processing personal information, and meet statutory thresholds (such as revenue or volume of consumer data). Hospitals, health plans, clinics, digital health platforms, life sciences sponsors, and medical device companies can qualify—even if they are also regulated by HIPAA.
Importantly, CCPA covers more than patient charts. It reaches personal information gathered from websites, mobile apps, call centers, retail pharmacy programs, connected devices, and HR systems. Since 2023, workforce and job applicant data have been fully in scope, meaning employees enjoy the same consumer rights as patients and website visitors.
Interplay with health privacy laws
CCPA coexists with sectoral laws. Medical information regulated by the California Confidentiality of Medical Information Act (CMIA) and Protected Health Information (PHI) regulated by HIPAA may be exempt, but only to the extent those laws actually govern the data at issue. Marketing analytics, advertising identifiers, and nonclinical consumer records are frequently subject to CCPA even inside a hospital or health plan.
Sensitive personal information
Health-related details, precise geolocation, and other sensitive personal information trigger additional obligations. You must implement Data Minimization Standards—collect only what is reasonably necessary for stated purposes—and provide mechanisms to limit the use and disclosure of sensitive data when required.
HIPAA-Covered Entity Exemptions
What the exemption covers
CCPA exempts PHI that covered entities or HIPAA Business Associates create, receive, maintain, or transmit in accordance with HIPAA. It also exempts “medical information” processed under CMIA. Claims files, electronic health records, and HIPAA-defined designated record sets are typical examples of data that fall outside CCPA’s scope.
What the exemption does not cover
The HIPAA/CMIA carve-outs are not blanket exemptions for the organization. Non-PHI consumer data—such as website cookies, newsletter subscriptions, patient portal tracking outside the medical record, connected fitness data, and donor or foundation records—remains subject to CCPA. Hybrid entities must ensure non–health care components comply with CCPA for the data they control.
Operational guidance
Classify data at intake to distinguish PHI/CMIA data from broader consumer data. Segregate systems and vendors accordingly, and map which flows rely on HIPAA Business Associate agreements versus CCPA service provider agreements. This reduces the risk of inadvertently “selling” or “sharing” personal information and clarifies which requests are handled under HIPAA rights versus CCPA consumer rights.
De-Identified and Aggregate Data Exemptions
CCPA de-identified versus HIPAA de-identified
CCPA exempts de-identified information when you take reasonable measures to prevent re-identification, publicly commit not to re-identify, and bind downstream recipients to the same safeguards. HIPAA’s Safe Harbor and Expert Determination pathways also produce de-identified data, but the standards are not identical. Data meeting HIPAA de-identification often satisfies CCPA expectations, yet you should document separate CCPA controls and commitments.
Aggregate consumer information
Aggregate information—statistics that relate to a group or category of consumers and cannot be linked to any individual or household—is also exempt. Use aggregation for reporting, benchmarking, and quality improvement metrics that do not require person-level analysis.
Operational guardrails
Maintain written de-identification procedures, conduct periodic re-identification risk tests, and label datasets (de-identified, aggregate, pseudonymous). Share only under contracts that prohibit re-identification, secondary use, or attempts to single out individuals.
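As an added example (not code from the original article), the following JavaScript implements the kind of periodic re-identification risk test the guardrails above call for: a k-anonymity check over quasi-identifier columns of a dataset about to be shared as de-identified, plus small-cell suppression for an aggregate table. The records, column names, and thresholds are constructed for illustration.

```javascript
// Constructed sample dataset: ZIP truncated to 3 digits and birth date reduced
// to year, as a de-identification procedure might require. Not real patient data.
const SAMPLE_RECORDS = [
  { zip3: '900', birthYear: 1980, sex: 'F', dx: 'J45' },
  { zip3: '900', birthYear: 1980, sex: 'F', dx: 'E11' },
  { zip3: '900', birthYear: 1980, sex: 'F', dx: 'J45' },
  { zip3: '941', birthYear: 1952, sex: 'M', dx: 'I10' }, // unique combination
];
// Columns that do not identify anyone alone but can single someone out together.
const QUASI_IDENTIFIERS = ['zip3', 'birthYear', 'sex'];

// Group records by their quasi-identifier tuple and report every equivalence
// class smaller than k. Each such class is a record that could be singled out,
// so the dataset fails the test and must be generalised or suppressed further.
function kAnonymityViolations(records, quasiIds, k) {
  const classes = new Map();
  for (const r of records) {
    const key = quasiIds.map((c) => String(r[c])).join('|');
    classes.set(key, (classes.get(key) || 0) + 1);
  }
  return [...classes]
    .filter(([, count]) => count < k)
    .map(([key, count]) => ({ key, count }));
}

// Build an aggregate table (count per category) and null out any cell below
// minCell, so published statistics cannot be linked back to one individual.
function aggregateWithSuppression(records, column, minCell) {
  const counts = {};
  for (const r of records) counts[r[column]] = (counts[r[column]] || 0) + 1;
  const table = {};
  for (const [category, n] of Object.entries(counts)) {
    table[category] = n < minCell ? null : n;
  }
  return table;
}

// Run the test at k = 3 and produce a suppressed diagnosis table at a minimum cell of 2.
console.log(kAnonymityViolations(SAMPLE_RECORDS, QUASI_IDENTIFIERS, 3));
console.log(aggregateWithSuppression(SAMPLE_RECORDS, 'dx', 2));
```

Record the output of each run alongside the dataset label so the test history is available when a recipient or regulator asks how re-identification risk was assessed.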
Clinical Trial Data Exemptions
Scope of the exemption
Personal information collected as part of Common Rule Clinical Trials or under Good Clinical Practice Guidelines is generally exempt from CCPA. This exemption recognizes that human-subject research already includes robust privacy and ethics controls. Sponsors and sites should maintain documentation showing that specific datasets were created and processed under these frameworks.
Boundary cases to watch
Recruitment and pre-screening data gathered before consent, marketing lists for trial awareness, or information collected by companion apps outside the protocol may fall under CCPA. Keep pre-consent intake systems and advertising tools separate from trial data environments and apply CCPA notices and opt-outs where appropriate.
Sponsor and site considerations
Sites that are HIPAA-covered may handle PHI; sponsors usually are not covered entities. The clinical trial exemption can apply to both, but only for data processed within the regulated research context. Non-trial operations—such as patient-support programs or commercial analytics—require standard CCPA compliance.
Healthcare Organization Compliance Requirements
Notices and transparency
Provide a clear notice at collection describing categories of personal information, purposes, whether you sell or share data for cross-context behavioral advertising, retention periods or criteria, and links to consumer choices. Align your public privacy policy with actual practices across web, mobile, in-person, and call-center channels.
Consumer Request Procedures
Offer designated methods for submitting requests (for example, an online webform and a toll-free number, as applicable). Verify identities using risk-appropriate methods; respond within statutory timelines; and maintain request logs. Train staff to distinguish HIPAA access requests from CCPA rights and to route each correctly.
Opt-outs and universal signals
Implement “Do Not Sell or Share My Personal Information” and, when required, “Limit the Use of My Sensitive Personal Information.” Honor browser-based universal opt-out signals, such as recognized global privacy controls, across web and app properties and propagate choices to ad-tech partners.
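The following JavaScript is an added example (not code from the original article) of how a site can honor the signals described above: it resolves a visitor's sale/share opt-out status from the Global Privacy Control request header, any explicit “Do Not Sell or Share” choice, and the under-16 opt-in rule, then gates ad-tech tags on the result. The consent-record fields and the tag catalogue schema are assumptions for illustration.

```javascript
// Global Privacy Control is sent by the browser as the header "Sec-GPC: 1"
// (Node lower-cases header names); client-side code can read navigator.globalPrivacyControl.
const GPC_HEADER = 'sec-gpc';

// Resolve whether this visitor must be treated as opted out of sale/sharing.
// `consent` is the record the site already holds for the visitor (assumed schema).
function resolveSaleShareOptOut(headers, consent) {
  const reasons = [];
  // A GPC signal is a valid opt-out on its own; no account or form is needed.
  if (headers[GPC_HEADER] === '1') reasons.push('gpc-signal');
  // An explicit choice made through the "Do Not Sell or Share" link.
  if (consent.doNotSellOrShare) reasons.push('explicit-opt-out');
  // Consumers known to be under 16 need opt-in consent before any sale/share;
  // with no recorded opt-in, treat them as opted out.
  if (consent.knownUnder16 && !consent.optInToSaleShare) reasons.push('minor-without-opt-in');
  return { optedOut: reasons.length > 0, reasons };
}

// Constructed tag catalogue. saleOrShare marks tags that disclose personal
// information to third parties for cross-context behavioural advertising; a tag
// run by a service provider under a CCPA contract is not a sale/share.
const SAMPLE_TAGS = [
  { id: 'ad-network-pixel', saleOrShare: true },
  { id: 'social-retargeting-sdk', saleOrShare: true },
  { id: 'service-provider-analytics', saleOrShare: false },
];

// Split the catalogue into tags that may load and tags that must stay off.
// The suppressed list doubles as the set of partners to notify of the opt-out.
function selectTags(tagCatalog, decision) {
  const load = [];
  const suppressed = [];
  for (const tag of tagCatalog) {
    (decision.optedOut && tag.saleOrShare ? suppressed : load).push(tag);
  }
  return { load, suppressed };
}

// Constructed request: a browser sending GPC, visitor with no stored consent record.
const decision = resolveSaleShareOptOut({ 'sec-gpc': '1', 'user-agent': 'example' }, {});
const plan = selectTags(SAMPLE_TAGS, decision);
console.log(decision.reasons, plan.load.map((t) => t.id), plan.suppressed.map((t) => t.id));
```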
Sensitive data and Data Minimization Standards
Limit collection and disclosure of sensitive personal information to what is reasonably necessary for disclosed purposes. Set documented retention schedules and defensible deletion triggers. Avoid collecting new data solely to verify a request if you can verify using existing records.
Contracts and vendors
Classify partners as service providers, contractors, or third parties and include required CCPA terms. Coordinate these contracts with HIPAA Business Associate agreements where both apply, ensuring restrictions on secondary use, cross-context advertising, and re-identification are explicit.
Security, children’s data, and training
Maintain reasonable security, conduct periodic risk assessments for high-risk processing, and practice incident response. Obtain parental consent before selling or sharing data of consumers under 13 and opt-in consent for ages 13–15. Provide role-based training and audit adherence to policies and procedures.
Consumer Rights Under CCPA
- Right to know and access: You must disclose categories and specific pieces of personal information collected, sources, purposes, and disclosures.
- Right to delete: Upon a verified request, delete personal information and direct service providers and contractors to do the same, subject to statutory exceptions.
- Right to correct: Allow consumers to rectify inaccurate personal information you maintain.
- Right to opt-out of sale or sharing: Provide easy-to-use mechanisms and respect global opt-out signals across devices and browsers.
- Right to limit use of sensitive personal information: Offer controls to restrict uses beyond those that are reasonably necessary and proportionate.
- Right to data portability: Provide data in a readily usable, transferable format when feasible.
- Right to non-discrimination: Do not retaliate against consumers for exercising their rights; permitted financial incentives must be transparent and proportionate.
Developing a Healthcare Compliance Checklist
- Map data flows across patient services, marketing, apps, devices, research, and HR; tag PHI/CMIA, de-identified, aggregate, and CCPA personal information.
- Confirm whether your organization meets CCPA thresholds; identify covered “businesses,” affiliates under common branding, and joint ventures.
- Update notices at collection and the privacy policy to reflect categories, purposes, retention, sale/share status, and consumer choices.
- Implement Consumer Request Procedures: intake channels, verification standards, routing between HIPAA and CCPA, and response timelines.
- Deploy opt-out mechanisms for sale/share and a method to limit sensitive personal information; honor global privacy control signals.
- Adopt Data Minimization Standards: collect only necessary data; define retention schedules and automated deletion for stale records.
- Harden ad-tech and analytics: review pixels, SDKs, and tags on patient-facing and marketing properties; avoid unauthorized disclosure of sensitive data.
- Align vendor contracts: add CCPA service provider/contractor terms; reconcile with HIPAA Business Associate obligations; prohibit re-identification and cross-context advertising.
- Secure systems: apply reasonable safeguards, encryption where appropriate, access controls, and incident response playbooks.
- Prepare research workflows: separate Common Rule Clinical Trials and Good Clinical Practice Guidelines datasets from operational consumer data.
- Train and test: deliver role-based training, run tabletop exercises, and audit request handling and opt-out honoring.
- Document governance: maintain records of processing, request logs for at least the required period, and approvals for new high-risk processing activities.
FAQs
What types of healthcare data are exempt from CCPA?
PHI processed by covered entities or HIPAA Business Associates in accordance with HIPAA, medical information regulated by the California Confidentiality of Medical Information Act, properly de-identified data, aggregate consumer information, and personal information collected in Common Rule Clinical Trials or under Good Clinical Practice Guidelines are generally exempt. Publicly available information is also outside CCPA’s scope.
How does CCPA differ from HIPAA in healthcare?
HIPAA regulates Protected Health Information within covered entities and their business associates, focusing on treatment, payment, and healthcare operations. CCPA is a broader consumer privacy law that governs personal information across sectors, including marketing, digital services, and workforce data. CCPA adds rights to opt out of selling or sharing data and to limit sensitive personal information, and it imposes transparency, contracting, and data minimization duties that apply beyond PHI.
What are the key compliance steps for healthcare organizations under CCPA?
Create an accurate data inventory; update notices and privacy policies; implement Consumer Request Procedures and verification; enable opt-outs (including global privacy controls) and sensitive data limits; apply Data Minimization Standards and retention schedules; align service provider and HIPAA Business Associate contracts; and strengthen security, training, and audit routines.
Can clinical trial data be excluded from CCPA requirements?
Yes, when personal information is collected and processed as part of Common Rule Clinical Trials or under Good Clinical Practice Guidelines, it is generally exempt. The exemption does not automatically cover pre-screening outreach, recruitment marketing, or other non-protocol data flows, which should be managed under standard CCPA notices and opt-out controls.