CCPA/CPRA and MOBOTIX c71 NurseAssist — Roles, Responsibilities, and What It Means for Your Deployment

Category: NurseAssist · Privacy & Compliance · United States
Audience: Partners, System Integrators, Healthcare Facilities
Last updated: May 2026


Why This Article Exists

If you are deploying MOBOTIX c71 NurseAssist in a California healthcare facility (or anywhere the same rules apply), or if your customer is asking you about privacy compliance, you will encounter questions about the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the 2020 ballot measure whose amendments to the CCPA took effect on January 1, 2023. This article explains what these laws require, who carries which responsibility in the deployment chain, and how the technical design of MOBOTIX NurseAssist supports compliant deployments.

This article is for informational purposes only and does not constitute legal advice. Compliance with CCPA/CPRA depends on the specifics of each deployment. We strongly encourage all Partners and End Customers to consult qualified legal counsel admitted to practice in California before deploying in regulated environments.


1. What Is CCPA/CPRA and Why Does It Matter for Senior Care?

The California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act of 2020, is one of the most comprehensive US state privacy laws currently in force. Unlike HIPAA, which applies specifically to Protected Health Information (PHI) held by covered entities and their business associates, CCPA/CPRA applies broadly to the personal information of California residents, whether or not it is medical in nature.

For senior care facilities deploying a video-based fall detection system, this matters for three reasons:

  1. Video footage captured in a resident’s room is personal information whenever it can reasonably be linked to an identifiable individual, and it may constitute Sensitive Personal Information (SPI) under CPRA where it reveals health information or is processed to identify someone biometrically. SPI carries heightened protections, including the resident’s right to limit its use and disclosure.

  2. Residents are “Consumers” under CCPA/CPRA — they have statutory rights including the right to know, the right to delete, the right to correct, and the right to limit use of sensitive personal information. These rights apply regardless of cognitive capacity (a legal guardian or authorized representative may exercise them on behalf of a resident).

  3. Facilities are “Businesses” under CCPA/CPRA if they are for-profit entities that meet one of the statutory thresholds (annual gross revenue above the inflation-adjusted $25 million mark; buying, selling or sharing the personal information of 100,000 or more consumers or households; or deriving half or more of annual revenue from selling or sharing personal information). A non-profit facility may fall outside the Act altogether, which counsel should confirm before anyone relies on it. As a Business, the facility bears primary responsibility for ensuring that all technology it deploys is used in a manner consistent with residents’ privacy rights.

The good news: the architecture of MOBOTIX c71 NurseAssist was designed with exactly these considerations in mind.


2. The Deployment Chain — Who Is Who Under CCPA/CPRA

Understanding the legal roles is essential before any California deployment. The chain looks like this:

MOBOTIX AG (Manufacturer)
        ↓
  Authorized Distributor
        ↓
  Partner / System Integrator
        ↓
  End Customer (Healthcare Facility)
        ↓
  Residents (Consumers under CCPA/CPRA)

MOBOTIX AG — Manufacturer, Not a Data Processor

MOBOTIX designs and manufactures the c71 NurseAssist. Once a product is shipped through the distribution channel and installed at a facility, MOBOTIX has no access to, and does not receive, store, or process any data generated by the deployed system — not video footage, not event notifications, not recordings, not streams of any kind.

The c71 NurseAssist system operates on a cloud-free, on-device AI architecture by default. All fall detection or other event inference runs locally on the sensor. No data is routed through MOBOTIX infrastructure or any MOBOTIX-controlled backend. There is no persistent connection between deployed devices and MOBOTIX systems.

The sole exception is when a Partner or End Customer voluntarily submits technical support data to MOBOTIX to diagnose a specific device issue. In that case, MOBOTIX handles that data exclusively for support purposes and deletes it promptly upon case resolution.

As a result: MOBOTIX does not function as a “Service Provider” or “Third Party” under CCPA/CPRA in connection with standard product deployments. MOBOTIX has issued a formal Data Minimization and No-Access Statement confirming this position, which is available upon request.


The Healthcare Facility — “Business” Under CCPA/CPRA

The facility that deploys and operates the system is the “Business” under CCPA/CPRA. This is the entity that:

  • Determines the purpose and means of using the NurseAssist system

  • Decides whether video recording is activated (it is off by default — see Section 3)

  • Is responsible for providing appropriate notice to residents

  • Is responsible for obtaining consent where required (particularly if recording is activated)

  • Must respond to Consumer Rights Requests from residents or their representatives

  • Bears primary responsibility for ensuring the system is configured in accordance with applicable law

The facility cannot delegate this responsibility to its technology vendor. Compliance is an operational obligation that lives with the facility.


The MOBOTIX Partner / System Integrator — Potential “Service Provider”

If a Partner installs, configures, or provides ongoing support for a NurseAssist deployment on behalf of a facility, the Partner may have access to system data in the course of that work — and may therefore qualify as a “Service Provider” under CCPA/CPRA (Cal. Civ. Code §1798.140(ag)).

A Service Provider may process personal information only for the purposes specified in a written contract with the Business, and that contract must contain the terms the statute and the CPPA regulations require: a stated, limited purpose; a prohibition on selling or sharing the information or using it outside the contract; cooperation with consumer rights requests; and the Business’s right to take reasonable steps to ensure the information is used as agreed. Without such a contract, a Partner risks being treated as a “Third Party”, which carries significantly broader restrictions and potential liability under CCPA/CPRA.

Partners deploying in California should:

  • Assess whether their activities constitute “processing” of personal information on behalf of the facility

  • Enter into an appropriate written agreement with the facility that reflects Service Provider obligations

  • Ensure that any system access is limited to what is necessary for the contracted service

  • Seek independent legal advice on their specific situation

MOBOTIX is available to discuss these questions with our Partners and to share our experience with privacy-compliant deployments. Please reach out to your MOBOTIX contact or post in this community.


3. How NurseAssist Is Designed to Support Compliance

The following features are part of the c71 NurseAssist default configuration and directly support CCPA/CPRA compliance for the facility and its Partners.

3.1 No Video Leaves the Sensor by Default

The NurseAssist application runs on-device. All AI inference — fall detection, bed exit monitoring, position analysis — is performed on the camera hardware. No video frames, images, or streams are transmitted over the network as part of the standard detection workflow.

“MOBOTIX c71 NurseAssist makes an essential contribution to improving patient safety without having to transmit or store a single video image.” — NurseAssist Privacy Whitepaper v1.2, p. 7

3.2 Recording Is Disabled by Default

The video recording function of the c71 sensor is switched off at factory default. No footage is captured or stored unless an authorized administrator at the facility explicitly activates it. This is a critical safeguard: in the standard operating mode, image frames exist only transiently in the sensor’s memory for inference, and no video footage is stored on the device or leaves it, so no video that could qualify as Sensitive Personal Information is ever retained.

If recording is activated by the facility — for legitimate purposes such as post-incident documentation — the facility assumes responsibility for the appropriate use, protection, consent, and retention of that footage in accordance with CCPA/CPRA.

3.3 Event Data Contains No Biometric Information

When a fall or any other safety event is detected, the sensor transmits an MxMessage notification to downstream systems designated by the facility or Partner. This payload contains exactly six fields:

  Field             Content                             Privacy assessment
  ----------------  ----------------------------------  ------------------------------------------------------------
  cameraName        Device name (e.g. “Room13”)         Device identifier, not personal information by itself (see note below)
  cameraSerial      Device serial number                Device identifier, not personal information
  notificationType  Event label (e.g. “FallDetected”)   Classification string, not biometric data
  timestamp         UTC timestamp                       Timestamp, not personal information
  timestampUnix     Unix timestamp                      Timestamp, not personal information
  uuid              Event UUID                          Event identifier, not personal information

There are no body coordinates, no pose measurements, no biometric data, no confidence scores, and no resident identifiers in this payload. This has been publicly documented in the MOBOTIX Community (see: Understanding MxMessages of NurseAssist Events). One caveat for the facility: a room-level device name such as “Room13”, combined with the facility’s own occupancy records, can be associated with a specific resident. The event log that a downstream system builds from these messages should therefore be treated as personal information under the facility’s CCPA/CPRA obligations (covered by its notice, retention and rights-request processes), even though it contains no biometric or image data.

Under CPRA §1798.140(c), “biometric information” means an individual’s physiological, biological or behavioral characteristics that are used, or are intended to be used, singly or in combination with other identifying data, to establish individual identity. The NurseAssist event payload contains no such measurements and does not meet this definition.

3.4 Privacy Mask — Irreversible Image Suppression

When the privacy mask is configured, the masked image regions are suppressed on the sensor before any image data is produced, and images processed under an active mask cannot be reconstructed afterwards. According to the Privacy Whitepaper, this protection cannot be bypassed by software or network means. AI-based detection continues to operate normally while no identifiable image data is generated or transmitted. Because the mask is a device-side configuration, its protection is only as durable as the administrator access that controls it: restrict configuration rights to named, individually accountable accounts, and include the mask settings in the facility’s periodic configuration review.

“This protection measure cannot be bypassed.” — NurseAssist Privacy Whitepaper v1.2, p. 8

3.5 Opt-In Event Transmission

With the exception of the core fall detection feature, only notification types explicitly enabled by the administrator will generate outbound MxMessages. If an event type is not activated, the system detects it internally but transmits nothing downstream. This is a Privacy by Default principle: data only flows when the authorized user has made a deliberate configuration decision.
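As an added example (not MOBOTIX code, and not part of the original article), the following ingest-side check lets the facility or Partner confirm that what actually arrives from the sensor matches Sections 3.3 and 3.5: exactly the six documented fields, a notificationType the facility has enabled (with FallDetected always permitted as the core feature), and timestamps that agree with each other. The JSON encoding, the ISO-8601 form of the timestamp field, the notification type name “BedExit”, and the three sample payloads are constructed assumptions for illustration; the hypothetical “poseKeypoints” field in the second sample exists only to show how an unexpected field would be flagged.

```python
"""Ingest-side conformance check for NurseAssist MxMessage events.

Added example, not MOBOTIX code. The six field names are those documented in
Section 3.3; the JSON encoding, the ISO-8601 timestamp format and all sample
payloads below are constructed assumptions.
"""
import json
import uuid
from datetime import datetime, timezone

# The six documented fields (Section 3.3). Anything outside this set is a
# deviation from the published payload and should be quarantined, not stored.
DOCUMENTED_FIELDS = frozenset({
    "cameraName", "cameraSerial", "notificationType",
    "timestamp", "timestampUnix", "uuid",
})

# Fall detection is the core feature and always transmits (Section 3.5); every
# other type must be on the facility's opt-in list to be accepted downstream.
CORE_TYPES = frozenset({"FallDetected"})


def validate_event(raw: str, enabled_types: frozenset, max_skew_s: int = 2) -> list:
    """Return a list of findings for one raw MxMessage; [] means it conforms."""
    findings = []
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(event, dict):
        return ["payload is not a JSON object"]

    # Field allow-list: extra fields are the privacy-relevant failure mode.
    extra = set(event) - DOCUMENTED_FIELDS
    missing = DOCUMENTED_FIELDS - set(event)
    if extra:
        findings.append(f"undocumented fields present: {sorted(extra)}")
    if missing:
        findings.append(f"documented fields missing: {sorted(missing)}")

    # Opt-in check: only the core type and explicitly enabled types may flow.
    ntype = event.get("notificationType")
    if isinstance(ntype, str) and ntype not in CORE_TYPES | enabled_types:
        findings.append(f"notificationType {ntype!r} is not enabled for this facility")

    # The two timestamps must agree; drift points at clock or firmware trouble.
    ts, ts_unix = event.get("timestamp"), event.get("timestampUnix")
    if isinstance(ts, str) and isinstance(ts_unix, (int, float)):
        try:
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            if abs(parsed.timestamp() - ts_unix) > max_skew_s:
                findings.append("timestamp and timestampUnix disagree")
        except ValueError:
            findings.append(f"timestamp {ts!r} is not ISO-8601")

    # The event id must be a real UUID so downstream de-duplication works.
    try:
        uuid.UUID(str(event.get("uuid")))
    except ValueError:
        findings.append("uuid is not a valid UUID")
    return findings


# Constructed sample payloads (not captured from a device).
CONFORMING = json.dumps({
    "cameraName": "Room13",
    "cameraSerial": "EXAMPLE-SERIAL-0001",
    "notificationType": "FallDetected",
    "timestamp": "2026-05-04T10:15:30Z",
    "timestampUnix": 1777889730,
    "uuid": "3f2504e0-4f89-41d3-9a0c-0305e82c3301",
})
# Hypothetical: an integration that enriches the event with pose data would
# turn a privacy-neutral payload into one carrying body measurements.
ENRICHED = json.dumps({**json.loads(CONFORMING), "poseKeypoints": [[0.41, 0.77], [0.44, 0.81]]})
# "BedExit" is an assumed type name for the bed-exit feature mentioned in 3.1.
NOT_ENABLED = json.dumps({**json.loads(CONFORMING), "notificationType": "BedExit"})

if __name__ == "__main__":
    facility_opt_in = frozenset()  # nothing beyond fall detection enabled
    for label, raw in [("conforming", CONFORMING), ("enriched", ENRICHED), ("not enabled", NOT_ENABLED)]:
        print(f"{label:12s} -> {validate_event(raw, facility_opt_in) or 'OK'}")
```

Run it once at commissioning against a handful of real events and again after every firmware or integration change; a non-empty findings list for an undocumented field is the signal that the payload no longer matches what the facility’s privacy notice describes.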

3.6 Federal-Grade Encryption

Remote connections to deployed devices can be configured to use the on-board OpenVPN client with the OpenSSL 3.1.2 FIPS Provider, which is validated under FIPS 140-3 (NIST CMVP Certificate #4985, valid until March 10, 2030). FIPS 140-3 validation is the cryptographic baseline that US Federal Government systems are required to use, and HIPAA guidance from HHS likewise points to NIST-specified encryption. Two caveats apply: the validation covers the cryptographic module, not the product as a whole, and approved algorithms are only in effect when the FIPS provider is actually active and the OpenVPN and TLS configurations are restricted to them, so the integrator should verify the negotiated protocol versions and cipher suites during commissioning rather than infer them from the certificate. The sensor can also use custom X.509 certificates (TLS) for all HTTPS connections, and on-device recordings, when activated, can be AES-encrypted.

Full technical security documentation is available in the MOBOTIX Cyber Protection Guide (October 2024).
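The following commissioning check is an added example (not MOBOTIX code and not from the Cyber Protection Guide). It verifies from the management network that a c71’s HTTPS endpoint actually serves the facility’s own X.509 certificate, identified by its SHA-256 fingerprint, over TLS 1.2 or later, so that a device left on a factory or third-party certificate is caught before go-live. The device hostname, port, CA file and the expected fingerprint are placeholders to be replaced per deployment; only Python’s standard library is used.

```python
"""Commissioning check: does the c71 HTTPS endpoint present the facility's
own X.509 certificate, over TLS 1.2 or later?

Added example, not MOBOTIX code. Section 3.6 says the sensor accepts custom
certificates; this confirms from the management network that the custom
certificate is the one actually served. Host, port, CA file and the expected
fingerprint are placeholders to be replaced per deployment.
"""
import hashlib
import hmac
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, the form browsers and
    `openssl x509 -fingerprint -sha256` display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the presented certificate against the pinned fingerprint in
    constant time, accepting the pin with or without colons and in any case."""
    pinned = expected.replace(":", "").replace(" ", "").upper()
    presented = sha256_fingerprint(der_cert).replace(":", "")
    return hmac.compare_digest(presented, pinned)


def pinned_context(ca_file=None) -> ssl.SSLContext:
    """Client context with TLS 1.2 as the floor. With a facility CA file the
    chain and hostname are verified as well; without one the fingerprint pin
    is the sole trust anchor, the usual situation for a self-signed device
    certificate."""
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # pin below replaces chain trust
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_leaf_cert(host: str, port: int, ctx: ssl.SSLContext) -> bytes:
    """Complete a handshake and return the device's leaf certificate as DER."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_device(host: str, port: int, expected_fp: str, ca_file=None) -> bool:
    """True only if the served certificate matches the pinned fingerprint."""
    der = fetch_leaf_cert(host, port, pinned_context(ca_file))
    return fingerprint_matches(der, expected_fp)


if __name__ == "__main__":
    # Placeholders: the device's management address and the SHA-256 fingerprint
    # of the certificate the facility installed (the all-zero value is not real).
    DEVICE_HOST = "c71-room13.facility.internal"
    EXPECTED_FP = ":".join(["00"] * 32)
    if check_device(DEVICE_HOST, 443, EXPECTED_FP):
        print("device presents the pinned facility certificate")
    else:
        print("UNEXPECTED CERTIFICATE: device may still be on a factory or third-party cert")
```

Record the expected fingerprint in the facility’s configuration baseline when the certificate is installed, and re-run the check after certificate renewals so the baseline is updated deliberately rather than drifting.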


4. The Relationship Between HIPAA and CCPA/CPRA

Many healthcare deployments are already subject to HIPAA. It is important to understand how HIPAA and CCPA/CPRA interact:

  • HIPAA governs Protected Health Information (PHI). Certain categories of information collected in the context of patient care may qualify as PHI and fall under HIPAA rather than CCPA/CPRA (see CCPA exemption at Cal. Civ. Code §1798.145(c)).

  • CCPA/CPRA applies to personal information that is not PHI, and it can impose obligations beyond HIPAA. Video footage in a resident room may not always qualify as PHI; where it does not, it is personal information under CCPA/CPRA and can qualify as SPI.

  • Both frameworks can apply simultaneously. Facilities should not assume that HIPAA compliance automatically satisfies CCPA/CPRA, or vice versa.

MOBOTIX supports compliance with both frameworks. For HIPAA, a Business Associate Agreement (BAA) is the appropriate vehicle for structuring the relationship between a covered entity and its technology partner. For CCPA/CPRA, the relevant instrument is a Service Provider Agreement between the facility and its Partners.


5. Summary of Responsibilities

  Responsibility                                     MOBOTIX        Distributor    Mx Partner               Facility
  -------------------------------------------------  -------------  -------------  -----------------------  ----------------
  No access to resident data (standard deployment)   ✓ Confirmed    ✓ No access    Depends on role          Operates system
  Provide privacy-by-design hardware/software        ✓              –              –                        –
  Configure system in compliance with law            –              –              ✓ During installation    ✓ Ongoing
  Provide notice to residents                        –              –              –                        ✓
  Obtain consent (if recording activated)            –              –              –                        ✓
  Respond to Consumer Rights Requests                –              –              Assist                   ✓ Primary
  Enter into Service Provider Agreement with facility –             –              ✓ Recommended            –
  Ensure lawful use of system                        –              –              –                        ✓ Primary

6. What MOBOTIX Provides to Support Your Compliance

While compliance obligations rest with the facility and the MOBOTIX Partner, MOBOTIX is committed to making that work as straightforward as possible. The following resources are available:

  • NurseAssist Privacy Whitepaper v1.2 — comprehensive privacy and security documentation for the c71 NurseAssist system

  • Cyber Protection Guide — 22 configurable hardening measures with step-by-step guidance

  • MOBOTIX Cactus Concept — MOBOTIX cybersecurity framework including certifications and compliance references

  • MxMessage Payload Documentation — Community article documenting the exact event data structure

  • Data Minimization and No-Access Statement — formal manufacturer’s declaration of MOBOTIX’s role and data practices; available upon request from your MOBOTIX contact

  • Confirmation Letter (HIPAA / GDPR / CCPA/CPRA) — signed statement from MOBOTIX AG confirming the security design and compliance framework; available upon request from your MOBOTIX contact

If you have specific questions about deploying NurseAssist in a California healthcare facility (or in places where the same rules apply), or if you would like to discuss CCPA/CPRA considerations for your particular situation, we invite you to reach out directly. Post your question in this community thread or contact your MOBOTIX account manager or regional sales contact. We are happy to talk through the specifics.


7. Further Reading and References


This article was prepared by the MOBOTIX Product Management team. For questions or corrections, please reply to this thread or contact your MOBOTIX regional contact.

This article does not constitute legal advice.