Question: Does the California Consumer Privacy Act (CCPA) apply to non-profits or HIPAA covered entities?
Answer: No. Nonprofit businesses are not required to comply with the CCPA. The CCPA applies to "businesses." The Act defines that term to include any "legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners."
See CAL. CIV. CODE § 1798.140(c)(1) for the complete definition of "business."
A non-profit entity is not subject to the CCPA because it does not operate "for the profit or financial benefit" of its owners.
More importantly, the CCPA does not apply to HIPAA PHI or to a HIPAA covered entity to the extent that the data is PHI. Here is the regulation from the HIPAA point of view:
1798.145(c)(1) This title shall not apply to any of the following:
(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.
(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.
(2) For purposes of this subdivision, the definitions of "medical information" and "provider of health care" in Section 56.05 shall apply and the definitions of "business associate," "covered entity," and "protected health information" in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.
So we see that the CCPA is neither intended for nor applicable to PHI, which is covered by HIPAA. It also explicitly excludes HIPAA covered entities. It clearly is not intended to apply to HIPAA organizations at all.
We've been told by outside counsel, and this has been the message from attorneys at the CCPA workshops I attended, that the CCPA does not exclude HIPAA covered entities, only PHI and patient information of the CE. Basically, the CCPA applies to the type of data collected, whether you are a CE or not. So, for example, if you are a for-profit hospital and collect information on individuals who visit your website via cookies, that data is personal information covered under the law for California residents. If you collect personal information that pertains to consumers or households and an exemption does not apply (such as PHI), the law applies. Here is an article that discusses the difficulty regarding this issue: https://www.carltonfields.com/insights/publications/2019/ccpa-health-care-hipaa-exemption-apps-data