By Cindy Kaplan
Privacy risk management is undergoing a fundamental change for healthcare organizations. Traditionally, privacy and security efforts have focused on compliance with the HIPAA Security Rule and the protection of electronic protected health information (ePHI).
A growing body of state privacy legislation, including the California Consumer Privacy Act (CCPA) and its recent amendments, is setting new standards for how healthcare organizations evaluate, document, and justify their privacy and security practices.
The new standard? A transition from compliance-focused programs to risk-based, defensible privacy practices that are rooted in CCPA Privacy Risk Assessments and backed by penetration testing and continuous validation.
The Importance of Risk Analysis Under HIPAA and CCPA
HIPAA has always required healthcare organizations to perform a risk analysis to protect the confidentiality, integrity, and availability of ePHI. CCPA takes a further step by requiring organizations to formally weigh the risk of processing personal information against its benefit whenever that processing could affect consumers' privacy rights.
In HALOCK’s description of its CCPA Privacy Risk Assessment service, for example, businesses are advised to determine if the processing of personal information is “reasonable, necessary, and proportionate” when weighing business benefit against potential risk to consumers.
Translated into healthcare:
- HIPAA mandates a risk analysis to protect ePHI
- CCPA requires an assessment of whether processing personal information actually creates risk to consumers. Note that CCPA exempts PHI handled by HIPAA covered entities and business associates, so its assessment obligation attaches to the personal information a healthcare organization holds outside that exemption, such as website, marketing, and non-HIPAA digital health data.
- Both HIPAA and CCPA require documented and defensible decision-making.
This means healthcare providers, health plans, and digital health companies need documented analysis that justifies how they use protected health information (PHI) and other personal data in everyday business functions, from analytics and AI to patient engagement tools to third-party website integrations.
Why PHI and ePHI Are at Greater Risk Than Ever
Healthcare data remains one of the most sensitive and valuable data types. As digital transformation accelerates, the exposure of PHI and ePHI is increasing across:
- Patient portals and mobile health applications
- Connected medical devices and remote monitoring systems
- AI-driven diagnostics and decision support tools
- Third-party billing, analytics, and cloud platforms
Research continues to highlight that health information technologies introduce complex privacy risks due to data aggregation, sharing, and a lack of transparency in how data is used.
At the same time, regulators are focusing on whether organizations fully understand:
- Where sensitive data resides
- How it is processed and shared
- Whether safeguards are proportionate to the risk
This is precisely where traditional HIPAA programs often fall short.
A CCPA Privacy Risk Assessment Is NOT A Check Box Exercise
It is a formal, documented process that reviews each data processing activity to determine whether it could adversely affect individuals and whether that risk is justified by the benefit.
HALOCK Privacy Risk Assessment services:
- Document how systems, including AI algorithms and digital health technologies, collect and handle personal data.
- Highlight potential risks to patients/consumers.
- Understand business and clinical justifications for using data.
- Document safeguards in place that mitigate risk.
- Run a formal risk vs. benefit analysis.
Think of it as a HIPAA risk analysis extended to privacy as a whole. It helps answer questions like:
- Should we be using this patient information for this purpose?
- What risk does this processing pose to our patients?
- Do we have adequate and justifiable controls in place?
Penetration Testing Is Important to Privacy Compliance: Here’s Why
CCPA requires reasonable safeguards, while HIPAA requires "reasonable and appropriate" safeguards. In both cases regulators are expecting more proof that those safeguards actually work.
Penetration testing provides that proof.
Testing against the production environment (scoped to the systems that store, process, or transmit PHI) can identify vulnerabilities that put PHI and ePHI at risk, such as:
- Patient portal account takeovers
- Vulnerabilities in APIs used by healthcare applications
- Improperly configured cloud storage containing PHI
- Weak authentication and identity verification practices
Penetration testing produces evidence of whether safeguards hold up against a realistic attack, and shows where they do not, so it belongs in the compliance plan. Performing testing as part of a risk-based approach, such as HALOCK's Duty of Care Risk Analysis (DoCRA) methodology, ensures that each finding is weighed by its potential impact on patients and the organization rather than by technical severity alone.
Establishing “Reasonable Security” in Healthcare
Both HIPAA and CCPA rely on the concept of reasonable security, yet neither provides a precise definition. This creates risk for healthcare organizations: in the event of a breach, regulators and courts will evaluate whether security controls were appropriate given the circumstances, and the organization has to show its reasoning. HALOCK's approach, grounded in the Duty of Care Risk Analysis (DoCRA) framework, provides a clear method for defining and demonstrating reasonable security.
In the DoCRA methodology:
- Security decisions must balance business needs with the potential harm to others
- Controls must be proportionate to the level of risk
- Decisions must be documented and justifiable
This is particularly important in healthcare, where the impact of a breach can include:
- Patient harm
- Regulatory penalties
- Legal liability
- Loss of trust
A documented, risk-based approach provides evidence that the organization exercised due care.
How HALOCK’s CCPA Privacy Risk Assessment Applies to Healthcare Organizations
HALOCK's Privacy Risk Assessment is designed for HIPAA covered entities and business associates that also have CCPA obligations.
HALOCK’s CCPA Privacy Risk Assessment will allow you to:
Map Data Flows
Identify where PHI and other personal data are stored, used, and transmitted across your organization, including any AI tools your organization uses and any third-party platforms that hold patient data.
Assess Impact on Patients
Evaluate how your use of personal data will impact patients’ privacy, rights, and expectations.
Balance Risk vs. Value
Show how data initiatives (AI diagnostics, population health analytics, etc.) provide value and appropriately manage risk.
Validate Safeguards
Test technical, administrative, and governance controls to confirm they are reasonable and effective.
Produce Defensible Documentation
Generate documented risk assessments that demonstrate how your organization meets HIPAA and CCPA requirements.
Why HIPAA Compliance Is No Longer Enough
Gone are the days of static HIPAA compliance programs. Under current HIPAA and evolving state privacy regulations, organizations are expected to actively and continuously evaluate their privacy practices using a risk-based approach, and to build a defensible risk management program that prepares them for today's regulatory environment.
That means having a program built around…
- Formal CCPA Privacy Risk Assessments
- HIPAA Risk Analysis
- Penetration Testing
- Monitoring & Governance
- Documented decision-making
As HALOCK’s comprehensive risk management program illustrates, security, legal, and business units need to work together to determine what’s reasonable and appropriate.
Risk-Based Privacy Is the Future of Healthcare Compliance
You will need to be able to defend how and why you use patient data.
HIPAA and CCPA are converging on a new standard for what consumers expect from organizations around privacy.
Under CCPA, it is not enough to prove that you have controls in place to protect data. You need to be able to prove that the decisions you make around collecting, using, and sharing personal information are well thought out and defensible.
CCPA Privacy Risk Assessments document your reasoning. Penetration testing verifies that the controls you have are effective. DoCRA shows you how to prove that the decisions you make are reasonable and defensible.
Privacy and security do not have to be complicated. Implementing these three things gives you a defense-ready approach to compliance.