Regulatory change is nothing new to healthcare executives. But the changes to the California Consumer Privacy Act (CCPA) this year require you to do more than just comply. You’ll need to prove it.

If your organization is like most, you are already under pressure to manage HIPAA compliance, cybersecurity risk, and digital transformation at breakneck speed. The new CCPA regulations add yet another layer of obligation: demonstrable, defensible privacy risk management tied to actual risk to individuals. Regulators want proof, and the California Privacy Protection Agency is gearing up to hold organizations accountable.

Here’s what you need to know about CCPA’s new direction, and how to get ahead of it.


Meeting New Regulatory Demands: The Shift to Provable Risk Decisions

The California Privacy Rights Act (CPRA) amendments to CCPA mark a shift toward regulatory enforcement centered on whether an organization can justify its risk decisions.

The California Privacy Protection Agency (CPPA) requires organizations to:

  • Conduct privacy risk assessments for high-risk processing activities
  • Perform cybersecurity audits scaled to the sensitivity and volume of the data they process
  • Govern their use of automated decision-making technologies (ADMT)

These requirements go beyond policy statements and vendor contracts. Organizations need to be able to produce documentation for regulators (on demand, in some cases) that shows risks to individuals were identified, weighed, and addressed.


Why Healthcare Organizations Should Care About CCPA

HIPAA covers protected health information (PHI). CCPA covers consumers’ personal information that falls outside HIPAA’s scope.

That means any digital interaction with patients is potentially subject to CCPA, including your:

  • Patient portal / Patient engagement platform
  • Website analytics
  • Telehealth tools
  • Remote monitoring applications
  • AI-driven clinical decision tools

Many healthcare organizations aren’t familiar with CCPA because they assume it doesn’t apply to patient data. But data a healthcare organization holds can fall under CCPA when it includes behavioral, location, device, and other consumer data elements that are not themselves health information—and a single patient interaction can generate both kinds.

With increased digitization in healthcare, it’s more likely than ever that your organization holds data subject to CCPA. Once regulators recognize that, your organization will be on the hook.


HIPAA and CCPA “Reasonable Security” Requirements Are About to Get Real

Under CCPA, healthcare organizations must maintain “reasonable security procedures and practices” for the personal information they hold (the HIPAA Security Rule imposes a similar “reasonable and appropriate” standard for ePHI). Sounds vague, right? It used to be. Not anymore.

California regulators have made it clear they expect organizations to be able to prove their security and risk decisions are reasonable, and they have a framework for judging that:

  • Your risks must be reduced to a level that won’t cause foreseeable harm
  • Your safeguards must be commensurate with the potential risk of that harm
  • You must be able to justify why you chose one course of action over another

That last point is where DoCRA (Duty of Care Risk Analysis) comes in.


Know Your Risks: CCPA Privacy Risk Assessment Meets DoCRA

DoCRA is a risk analysis framework for determining and documenting what “reasonable security” should look like for your organization, and for showing that the resulting decisions would hold up before a regulator or a judge.

According to DoCRA:

  • Cybersecurity risks must be reduced to a level that does not create a foreseeable risk of harm to individuals
  • Cybersecurity controls that address those risks must be commensurate with the potential harm
  • Business decisions about cybersecurity must balance the organization’s needs with the need to protect consumers

These points align closely with new CCPA guidance around privacy risk assessments, which will require organizations to consider:

  • Purpose of processing
  • Sensitivity of data
  • Severity of potential harm to consumers
  • A balancing test of benefits vs. risk

In other words, a privacy risk assessment that meets CCPA requirements is also the record that lets you prove you made defensible cybersecurity decisions: both depend on the same analysis of data, purpose, harm, and balance.


Breaches Highlight Whether You Are Reasonable or Not

Recent high-profile healthcare breaches are prime examples of regulators taking action against organizations that cannot prove they managed cybersecurity risk appropriately.

Attackers are exploiting weaknesses in third parties and intrinsic gaps in healthcare security controls. When a major ransomware attack or data exposure happens, we learn three things:

  • Healthcare data is spread far and wide
  • Security practices vary wildly between partners
  • Most organizations can’t actually prove they made reasonable security decisions

We’ve already seen California’s CPPA issue fines and enforcement notices related to poor data handling and security, and more will follow. In healthcare, breaches have two impacts:

  • They harm your organization and your patients
  • They attract the attention of regulators when your privacy risk management practices are found lacking


How to Prepare for CCPA Privacy Risk Assessments

Privacy risk assessments aren’t one-time documentation projects. They should be an integral part of your organization’s ongoing cybersecurity governance.

CCPA-driven privacy risk assessments require you to:

  • Understand what data you collect
  • Understand why you’re collecting it
  • Document decisions about high-risk processing activities
  • Evaluate potential real-world harm to individuals as a result of processing that data
  • Put controls in place to mitigate that risk
  • Demonstrate clearly why your organization chose to accept the residual risk that remains after those controls

That last step is crucial. Regulators are going to require privacy risk assessments. If you can’t tie them back to your cybersecurity decisions, your security program will be hard-pressed to stand up to scrutiny.


The HALOCK Advantage: Turning Compliance into Strategy

HALOCK Security Labs’ Privacy Risk Assessment offers a repeatable process grounded in DoCRA’s defensible risk analysis to help you:

  • Identify high-risk processing across your clinical and business systems
  • Put real numbers around privacy risk that executives and regulators will understand
  • Define “reasonable security” for your organization, defensibly
  • Document your risk analysis so it stands up to regulator requests
  • Align privacy risk with your overall security and governance efforts


Take Action Before the Regulators Get Involved

If you want to get ahead of CCPA enforcement, start by:

  • Cataloging data processing activities—not just PHI or ePHI
  • Mapping where CCPA requirements apply to your digital health initiatives
  • Implementing a formal risk analysis process like DoCRA
  • Making privacy risk assessments a regular part of your cybersecurity program
  • Aligning your legal, security, and executive teams around risk-based decision making

The healthcare organizations that take these steps now will survive the coming wave of regulatory enforcement. They will also build better relationships with their patients by protecting their privacy in a world where cyberattacks are personal.


Conclusion

Here are the key takeaways on CCPA’s upcoming focus on privacy risk:

  • California regulators want you to prove your data privacy risk decisions.
  • Risk decisions should be based on a thorough understanding of your data processing activities and potential harm to individuals.

You must be able to demonstrate why your organization accepted certain risks. HALOCK Security Labs’ Privacy Risk Assessment is rooted in defensible risk analysis. Contact us to learn more about how you can defend your risk decisions.
