Probably not.

The CCPA exempts any health care provider or “covered entity” that is governed by the Health Insurance Portability and Accountability Act (“HIPAA”),[1] and it exempts “protected health information that is collected by a covered entity or business associate” subject to the HIPAA Security Rule.[2] Unlike the exemption provided to other industries (e.g., financial institutions), the exemption provided to health care providers, other covered entities, and business associates appears to cover all aspects of the CCPA, including the ability of a Californian to bring a private right of action following a data breach or seek statutory damages.

For more information and resources about the CCPA, visit http://www.CCPA-info.com.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.145(c)(1)(A).

2. CCPA, Section 1798.145(c)(1)(B).