What California’s New Privacy Rules Mean for Healthcare Employers
By Teddy Ansink, LBMC Cybersecurity Manager
Key Takeaways
- California’s evolving CCPA/CPRA requirements are shifting privacy compliance from a policy-focused exercise to an operational governance responsibility, with formal privacy risk assessments beginning in 2026.
- Healthcare employers, especially those managing sensitive employee and operational data across multiple systems and vendors, must establish documented data inventories, governance processes, vendor oversight, and risk assessment procedures.
- Organizations that proactively build scalable privacy governance now will be better prepared for future regulatory scrutiny, workforce expectations, and expanding data privacy requirements nationwide.
California Privacy Compliance Is Entering a New Phase
For years, many organizations approached California privacy compliance as a disclosure exercise. Publish a privacy notice. Update policies. Create a process for handling consumer requests.
That’s changing.
Under evolving California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) requirements, organizations are moving into a more operational and defensible compliance environment. Regulators increasingly expect businesses to demonstrate how personal information is collected, used, protected, retained, and governed across the organization.
The next major shift is formal privacy risk assessments.
According to the California Privacy Protection Agency and census-based workforce estimates, thousands of multi-state employers, including many healthcare systems, are expected to fall within the scope of the CPRA's employee-data obligations, including the risk assessment requirements that take effect in 2026.
Beginning in 2026, businesses subject to CCPA/CPRA will be required to perform documented privacy risk assessments for processing activities that present significant risk to privacy, such as selling or sharing personal information, processing sensitive personal information (a category that includes data employers routinely hold, such as Social Security numbers and health or benefits information), or using automated decision-making technology to make significant decisions about individuals. In addition, starting April 1, 2028, organizations will need to submit an attestation and summary-level reporting on those assessments to the California Privacy Protection Agency (CPPA).
This is more than a policy update. It is a governance and operational readiness issue.
For healthcare organizations, particularly behavioral health providers managing large workforces, sensitive employee records, patient-adjacent data, and complex vendor ecosystems, the time to prepare is now.
Organizations operating across multiple facilities and programs often maintain significant volumes of employee and operational data across HR platforms, payroll systems, benefits providers, workforce management applications, recruiting tools, and third-party vendors. Regulators increasingly expect organizations to understand and document how that information moves throughout the enterprise.
What Businesses Are Subject to CCPA and CPRA?
Any company that does business in California and meets at least one of the statutory thresholds falls under CCPA/CPRA. The thresholds are:
- Annual gross revenue over $25 million (the figure is adjusted for inflation every two years)
- Annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households (employees and job applicants count as consumers)
- Deriving 50 percent or more of annual revenue from selling or sharing personal information
The CPRA's exemptions for employee and job applicant data expired on January 1, 2023, so workforce data is now fully within scope. Many organizations that had not considered themselves subject to the law will need to formalize their privacy programs, perform risk assessments, and prepare for the upcoming reporting requirements.
That means many healthcare organizations that historically focused privacy efforts primarily on HIPAA compliance must now evaluate broader workforce and operational privacy obligations. Protected health information already governed by HIPAA is largely exempt from the CCPA, but employee, applicant, and contractor data is not, and an existing HIPAA program will typically not have inventoried it. Below is a high-level summary of what should be established and maintained, especially in preparation for a regulatory inquiry or audit:
Items that should be ready and available (audit/inquiry readiness):
- Inventory of employee personal information (PI) and sensitive personal information (SPI), including data flows (collection, use, storage, sharing, retention, and deletion)
- Identification of all systems and third parties that process employee data (e.g., HR systems, payroll, benefits providers, workers’ compensation vendors)
- Formal privacy risk assessment evaluating how employee data is processed and associated risks
- Documented vendor agreements with appropriate data protection and use limitations
- Internal policies and procedures, including:
  - Data retention and deletion standards
  - Data subject rights request (DSR) procedures (access, deletion, correction, etc.)
  - Privacy-related incident response processes
- Evidence of operational execution, such as:
  - Logs of privacy requests and responses
  - Employee training records
  - Enforcement of access controls and retention practices
- Security controls aligned with the sensitivity of employee data (leveraging existing HIPAA safeguards where applicable)
Items that must be actively maintained (regardless of audit):
- Employee privacy notice provided at or before data collection
- Public-facing privacy policy outlining data collection, use, and sharing practices
- Defined method for submitting privacy/data subject requests
- Documented determination regarding whether “selling” or “sharing” of data applies
- Handling and justification for the use of sensitive personal information (SPI)
In every case, the organization must be able to demonstrate compliance through documentation and evidence if a regulator requests it.
This requirement is still evolving. Under the CPPA's finalized risk assessment regulations, organizations must perform formal risk assessments beginning in 2026 and submit an executive-level attestation and a summary of those assessments to the CPPA starting April 1, 2028. The full assessment itself must be maintained and made available to the agency upon request.
To qualify as a CCPA/CPRA compliant risk assessment, the assessment should:
- Evaluate specific data processing activities (e.g., employee onboarding, HR systems, benefits administration, workers’ compensation)
- Identify and document categories of personal information (PI) and sensitive personal information (SPI) involved in each processing activity
- Clearly define the purpose of the processing and how the data is being used
- Assess the necessity and proportionality of the processing (i.e., whether the data collected and used is appropriate and not excessive for the stated purpose)
- Analyze potential risks to individuals (in this case, employees), including risks related to privacy, misuse, unauthorized access, or over-collection
- Include a risk vs. benefit analysis, weighing the business need for the processing against the potential impact to individuals
- Document safeguards and controls in place to mitigate identified risks (administrative, technical, and physical)
- Specifically address the handling and use of sensitive personal information (SPI), particularly where higher-risk data is involved
- Be formally documented, version-controlled, and repeatable, with clear ownership and approval
- Be structured in a way that supports future reporting and attestation requirements (e.g., summary-level outputs for regulatory submission)
For many healthcare employers, CPRA readiness is becoming less about privacy policies and more about proving operational governance over employee data across complex vendor ecosystems.
Why Privacy Risk Assessments Matter Now
California regulators are now signaling a different expectation: organizations must proactively evaluate risk.
The upcoming rules require businesses to formally assess how personal information is processed and whether those activities create risks to consumers or employees.
Organizations will also need to maintain evidence supporting those conclusions.
For healthcare leadership teams, this creates a new operational reality. Privacy compliance is no longer solely a legal or IT issue.
California Is Leading, but Other States Are Moving in the Same Direction
While California remains the most aggressive privacy regulator, it is not alone. States such as Virginia and Colorado already require data protection assessments for certain processing activities. Today, those assessments generally must be maintained and produced upon request by the state attorney general rather than proactively submitted.
Still, the trend is clear.
Regulators increasingly expect organizations to prove they understand their data environments and associated risks.
Preparing for 2026 and Beyond
Organizations do not need to wait for formal submission deadlines to begin preparing.
Strong preparation now can reduce future disruption and position organizations to respond more effectively to regulatory inquiries, workforce expectations, and evolving privacy standards.
Privacy Compliance Is Becoming a Business Operations Issue
The organizations that respond most effectively to these evolving requirements will not treat privacy compliance as a checkbox exercise.
They will approach it as part of operational maturity.
Employees, regulators, business partners, and patients increasingly expect transparency around how organizations handle data. That expectation will continue to grow as AI, automation, workforce analytics, and digital transformation accelerate across healthcare.
The organizations that build strong governance now will be better positioned to scale responsibly later.
How LBMC Can Help
LBMC helps organizations evaluate privacy readiness, strengthen governance processes, assess operational risk, and prepare for evolving regulatory expectations.
Our teams work alongside leadership, legal, HR, cybersecurity, compliance, and operational stakeholders to help organizations create practical, scalable privacy compliance strategies aligned with business objectives.
If your organization is evaluating CCPA/CPRA readiness or preparing for future privacy risk assessment requirements, connect with an LBMC professional to discuss your current environment and next steps.
Content provided by Teddy Ansink, LBMC Cybersecurity Manager. Contact him at teddy.ansink@lbmc.com.
CCPA and CPRA Risk Assessment FAQs
When do California privacy risk assessment requirements take effect?
Formal privacy risk assessments are expected to begin in 2026, with attestation and summary reporting requirements starting April 1, 2028.
Which organizations may be subject to CCPA/CPRA requirements?
Businesses operating in California that meet certain thresholds, such as annual revenue over $25 million or handling large volumes of personal information, may be subject to compliance obligations.
Why are healthcare employers particularly impacted by these rules?
Healthcare organizations often manage extensive employee and sensitive operational data across HR, payroll, benefits, and third-party systems, increasing compliance and governance expectations.
What should a compliant privacy risk assessment include?
A compliant assessment should evaluate processing activities, identify risks, document safeguards, assess proportionality, and support future regulatory reporting requirements.
Are other states adopting similar privacy requirements?
Yes. States such as Virginia and Colorado already require privacy risk assessments for certain data processing activities, signaling a broader national trend toward stronger privacy governance.