While both HIPAA and the Indiana Data Privacy Act share a focus on privacy and personal data protection, they differ in scope, the industries they apply to, and the types of data they cover.
Understanding the Indiana Consumer Data Privacy Act
The Indiana Consumer Data Protection Act (ICDPA) is a state-level data privacy law that aims to regulate how businesses handle and protect the personal data of Indiana residents. It sets rules and requirements for companies that collect, control, or process data of consumers in Indiana.
Who does it apply to?
The ICDPA applies to companies that conduct business in Indiana, or that offer products or services targeted at Indiana residents, and that meet a threshold based on the volume of consumers' personal data they control or process. A company meets the threshold if, during a calendar year, it:
- Controls or processes the personal data of at least 100,000 Indiana residents who are acting in a personal, family, or household capacity (that is, as consumers); or
- Controls or processes the personal data of at least 25,000 consumers and derives more than 50 percent of its gross revenue from the sale of personal data.
HIPAA and ICDPA
HIPAA and the ICDPA both aim to protect individual privacy and personal data, but they apply in different contexts and to different industries. HIPAA is a federal law, so it applies nationwide, but its scope is limited to the health sector: covered entities, their business associates, and protected health information. A state consumer privacy law such as the ICDPA is narrower geographically, reaching only businesses that handle the personal data of Indiana residents, but broader in subject matter: it applies across industries beyond healthcare and governs personal data handling and consumer privacy rights generally.
The ICDPA exempts certain organizations from its requirements, including government entities, nonprofits, HIPAA covered entities and business associates, higher education institutions, and entities regulated by the Gramm-Leach-Bliley Act.
Rights provided
- Right to confirmation and access: Consumers can submit authenticated requests to controllers (entities that collect and process personal data) to confirm whether their personal data is being processed and to access that data.
- Right to correction: Consumers can request that a controller correct inaccuracies in personal data they previously provided, taking into account the nature of the data and the purposes for which it is processed.
- Right to deletion: Consumers can request the deletion of personal data that they provided, or that was obtained about them.
- Right to obtain a copy or summary: Consumers can get either a copy or a representative summary of their personal data that they previously provided to a controller. This information must be provided in a portable and readily usable format, allowing them to transmit the data or summary to another controller.
- Right to opt out: Consumers can opt out of the processing of their personal data for specific purposes, including targeted advertising, the sale of personal data, or profiling that leads to significant legal or similar effects concerning the consumer.
- Right to appeal: If a controller refuses to take action on a consumer's request to exercise their rights, the consumer has the right to appeal. Controllers must respond to these appeals within 60 days.