Los Angeles Data Breach & Privacy Litigation Lawyers

Helping victims of digital healthcare and consumer breaches pursue compensation

Our sensitive personal information is collected and electronically stored by businesses. Medical providers, insurance companies, financial institutions, and businesses regularly store and access your sensitive personal information. Federal and California law requires businesses to implement reasonable safeguards to protect sensitive information. Data breaches occur when your sensitive personal information is illegally obtained by third parties, often cyber criminals. Data breaches are often the result of businesses failing to properly secure your data by investing in cyber security. Cyber criminals may use or sell your sensitive personal information to individuals committing identity theft. When your sensitive personal information is compromised by a data breach, the law requires that you receive notice of the data breach.

At McNicholas & McNicholas, we represent victims of data breaches. Victims of data breaches face increased risk of identity theft and other harm. Victims can recover damages when a data breach occurs because a business did not exercise reasonable care to protect their sensitive personal information. Contact us to evaluate potential claims and remedies, including compensation where available under applicable state or federal law.

What are the different ways that healthcare and consumer data can be breached?

A data breach occurs when someone without authorization accesses and/or uses electronic information that should be confidential or protected. Breaches can happen through cyberattacks, system vulnerabilities, and insider theft. A common cause is the failure of a business to invest in and implement adequate cyber security.

Generally, the applicable health and consumer laws define who can access your information, what information must be kept private, when exceptions may apply, and how people with legal access to your information should protect that information.

Some of the causes of data breaches include:

  • Phishing attacks, where someone pretends to have authority to access your information when they don’t have that authority.
  • Malware attacks.
  • The illegal interception of information when it’s transmitted from one authorized source to another source.
  • The failure to implement reasonable safety protocols.

What are the consequences of data breaches to victims?

Improper access to your healthcare or consumer information can affect you in many ways.

Illegal access to your personal information may result in someone being able to access your financial records, healthcare records, governmental benefits, and many other types of valuable information that could be stolen, sold, or used for other improper means. Illegal access to your information could be used to damage your finances, reputation, job, and other aspects of your life.

What federal and California laws govern healthcare data and consumer data?

At McNicholas & McNicholas, LLP, we understand:

  • The laws that protect your online information
  • The requirements and duty of care that businesses have to protect your sensitive personal information
  • What you can do when you learn of a breach
  • What compensation you can seek for any financial or personal damage you suffer

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards for protecting sensitive health information from improper disclosure.

The key parts of this law are:

The HIPAA Privacy Rule

This rule requires that covered entities protect your protected health information (PHI) from improper uses and disclosures, while allowing access to those who need your PHI to provide high-quality healthcare and protect the public.

Covered entities include healthcare providers who electronically transmit your PHI for insurance claims, referral authorization requests, inquiries about benefit eligibility, and other HHS-approved transactions. Additional covered entities include health plans, healthcare clearinghouses, and certain healthcare providers. HIPAA also applies to business associates that handle PHI for covered entities.

HIPAA permits certain uses and disclosures of PHI without patient authorization, including for treatment, payment, and healthcare operations, or when required by law.

The HIPAA Security Rule

The Security Rule protects your electronic protected health information (e-PHI). Written and oral PHI are governed by HIPAA’s Privacy Rule.

HIPAA’s Security Rule establishes administrative, physical, and technical safeguards for electronic PHI. Breach notification obligations are addressed by HIPAA’s Breach Notification Rule.

Damages for violations of HIPAA

Individuals who learn of a breach can file a complaint with HHS. HHS can then investigate the claim and seek to hold the responsible covered entity accountable. Accountability may include the payment of fines to HHS, but not to the patient.

HIPAA does not provide a private right of action, but its standards may inform state-law claims such as negligence or breach of contract. California’s Confidentiality of Medical Information Act (CMIA) provides statutory damages for certain negligent or improper disclosures of medical information, though courts have limited recovery in some cases based on the nature of the violation and whether it resulted in a serious invasion of privacy.

Consumer data protection laws

Many different laws protect electronic consumer information from misuse by the government, businesses, and organizations.

Consumer data may include:

  • Names and addresses
  • Driver’s license number
  • Social Security number
  • Credit card information
  • Tax records
  • Employment history
  • Passwords to accounts
  • Biometric data
  • Location and device data
  • Online behavior
  • User opinions and preferences (including religious and political views)

Some of the federal laws that protect consumer data, in addition to HIPAA, include:

  • The Federal Trade Commission Act. The FTC generally regulates unsafe business practices, which may include the improper collection and use of consumer information (such as identity theft).
  • The Privacy Act of 1974. This law governs the misuse of data by federal agencies.
  • The Children’s Online Privacy Protection Act (COPPA). COPPA requires that websites and online services obtain parental consent for the personal information of children under 13.
  • The Fair Credit Reporting Act. This law regulates credit reporting agencies and their duties to keep your credit information safe.
  • The Gramm-Leach-Bliley Act (GLBA). This law regulates financial institutions and requires that they explain how they collect and use your information.
  • Other laws, including:
    • The Computer Fraud and Abuse Act
    • The Family Educational Rights and Privacy Act (FERPA)

We can explain which laws, such as the Fair Credit Reporting Act, may provide individual remedies against the entities (such as credit reporting agencies) that control your private sensitive information.

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act

Your rights

The California Consumer Privacy Act of 2018 (CCPA) provides consumers with the following rights:

  • The right to know about the personal information a business collects about them, and how it is used and shared
  • The right to delete personal information collected from them (with some exceptions)
  • The right to opt out of the sale or sharing of their personal information, including via the GPC (Global Privacy Control)
  • The right to non-discrimination for exercising their CCPA rights

The California Privacy Rights Act (CPRA) adds the following rights:

  • The right to correct inaccurate personal information that a business has about them
  • The right to limit the use and disclosure of sensitive personal information collected about them

Consumers may have a limited right to file a legal claim under the CCPA or CPRA in connection with certain data breaches involving defined categories of personal information.

Damages for violations of the CCPA/CPRA

To bring a claim, the information must be subject to unauthorized access, exfiltration (unauthorized removal), theft, or disclosure.

The information covered is your first name (or first initial) and last name in combination with any of the following:

  • Social Security number
  • Driver’s license number
  • Tax identification number
  • Passport number
  • Military ID number
  • Other government IDs
  • Financial account numbers
  • Credit or debit card number – and your password/security code/access code – to allow someone access to your account
  • Your medical or health insurance information
  • Unique biometric data used to identify you – generally not including photos unless used for facial recognition purposes

The private right of action may also apply if an email address (or username) combined with a password or security question/answer that permits account access is subject to unauthorized access, exfiltration, theft, or disclosure.

The improperly obtained information must not have been encrypted or redacted, and the breach must be due to the failure of the business to provide reasonable security practices to protect the information.

You can seek either:

  • The actual damages
  • Statutory damages of between $100 and $750 per consumer per incident

Recoverable damages depend on the nature of the breach and judicial interpretation, and courts may limit recovery to economic harm in some cases. Recoverable damages may include:

  • The amount of any funds that are taken, such as bank accounts
  • Any other reasonably foreseeable damages
  • Loss of income if the breach affects your employment
  • The cost to restore any damage to your credit
  • Non-economic damages, such as emotional distress and any damage to your reputation, may depend on judicial interpretation
  • Other applicable damages, such as punitive damages, may apply if a defendant engaged in oppression, fraud, or malice under Civ. Code § 3294

In some cases, courts may limit recoverable damages to economic losses.

What safeguards should healthcare practices and corporations take to protect patient information from cybersecurity abuse?

HIPAA provides specific requirements in its Security Rule for protecting patient data. Other laws may provide specific requirements, too.

Generally, businesses of all types should consider reviewing the following to protect sensitive information:

  • Encryption of data
  • Access controls
  • Monitoring software
  • Data recovery plans
  • Routine security checks
  • Employee training

What claims can I file if my healthcare or personal electronic information is breached?

Where your sensitive personal information is disclosed because of a business’s negligence, you may have an action under state law where you can recover damages. Other laws, like HIPAA, primarily provide an administrative complaint process through HHS rather than a private damages lawsuit. HHS may require corrective action and impose civil penalties.

Do you have Los Angeles lawyers who handle data breach claims near me?

We litigate and represent victims of data breaches across the country.  Our trial lawyers are available to consult with victims by phone and through online video discussions.  Our Los Angeles office is located in Westwood at 10866 Wilshire Blvd., Suite 1400.  We also have offices in Orange County and Northern California.

We can review your case, explain your rights, and determine whether you may be able to seek compensation for the harm that you have suffered.

Contact our accomplished data breach and privacy lawyers today

At McNicholas & McNicholas, LLP, we can work with experts who demonstrate how data breaches occur and the financial and personal harm they can cause. Data breaches can affect your accounts, your job, and your reputation. Please get in touch with our Los Angeles data breach lawyers by using our online contact form to schedule a free consultation.

The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.