California Bill Proposes CCPA Exceptions for HIPAA De-identified Information, Other Health Data
On January 6, 2020, the California State Senate’s Health Committee unanimously approved California AB 713, a bill that would amend the California Consumer Privacy Act (CCPA) to except from CCPA requirements additional categories of health information, including data de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), medical research data, personal information used for public health and safety activities, and patient information that is maintained by HIPAA business associates in the same manner as HIPAA protected health information (PHI). If enacted, the bill would simplify CCPA compliance strategies for many HIPAA-regulated entities, life sciences companies, research institutions and health data aggregators.
Exemption for HIPAA Business Associates
Presently, the CCPA does not regulate PHI that is collected by either a HIPAA covered entity or business associate.
The CCPA also exempts covered entities to the extent that they maintain patient information in the same manner as PHI subject to HIPAA. The CCPA does not, however, currently include a similar entity-based exemption for business associates.
AB 713 would add an exemption for business associates to the extent that they maintain, use and disclose patient information consistent with HIPAA requirements applicable to PHI. For example, if a business associate maintains consumer-generated health information that is not PHI, but processes the information in accordance with HIPAA requirements for PHI, then the information would not be regulated by the CCPA. While the practical import of the new exemption may be limited because business associates may not want to apply HIPAA requirements to consumer-generated health information, AB 713 offers business associates another potential exception to CCPA requirements for patient information about California consumers.
Exception for De-Identified Health Information
AB 713 would except from CCPA requirements de-identified health information when each of the following three conditions are met:
The information is de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method) at 45 CFR § 164.514(b).
The information is derived from PHI or “individually identifiable health information” under HIPAA, “medical information” as defined by the California Confidentiality of Medical Information Act (CMIA), or “identifiable private information” subject to the Common Rule.
The business (or its business associate) does not actually, or attempt to, re-identify the information.
By explicitly providing that the CCPA does not apply to HIPAA de-identified information, AB 713 would alleviate the compliance challenges posed by potential inconsistencies between the HIPAA de-identification standard and the CCPA’s definition of de-identified information. Currently, it is not clear whether HIPAA de-identified information would also be considered de-identified under the CCPA. For a detailed analysis of the potential disconnect between the HIPAA and CCPA de-identification standards and possible compliance strategies, please see McDermott’s recent On the Subject.
Because the exception for de-identified information under AB 713 applies to de-identified information rather than HIPAA covered entities or business associates, the exception would be available to businesses that are not HIPAA-regulated entities but create de-identified data sets in accordance with the HIPAA de-identification standard and otherwise meet the three conditions above. For instance, this exception could be available to a research institution or life sciences company that is subject to the Common Rule or CMIA, but is not regulated by HIPAA, when it de-identifies identifiable private information or medical information and does not subsequently re-identify the resulting de-identified data set.
Exceptions for Personal Information Used in Research
The CCPA currently does not apply to personal information collected as part of a clinical trial subject to Common Rule, the International Council for Harmonization’s good clinical practice guidelines, or the US Food and Drug Administration’s (FDA’s) human subject protection requirements.
AB 713 would create additional CCPA exceptions for personal information that a business collects for, or uses in:
Biomedical research studies that are subject to institutional review board standards, the Common Rule’s ethics and privacy requirements, the International Council for Harmonization’s good clinical practice guidelines, or the FDA’s human subject protection requirements
Any research, subject to all applicable ethics and privacy laws, if the information is either “individually identifiable health information” under HIPAA or “medical information” as defined by the CMIA.
For the purposes of these research exceptions, AB 713 adopts the definition of “research” under HIPAA, which is a “systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” The HIPAA definition is arguably broader than the CCPA definition of “research” as used in other CCPA provisions.
Exceptions for Personal Information Used for Public Health and Safety
AB 713 also creates partial CCPA exceptions for personal information used by a business in connection with certain public health and safety activities, so long as the business protects the privacy of the information under other applicable federal or state privacy laws and does not sell or use the information for other purposes. These activities are:
Registration and tracking of products in accordance with applicable FDA regulations and guidance
Public health activities and purposes as described in the HIPAA Privacy Rule at 45 CFR § 164.512
FDA-regulated activities related to quality, safety or effectiveness.
AB 713 would still require a business to comply with certain CCPA requirements, such as those relating to consumer notice and access, with respect to personal information used for public health and safety activities.
New Privacy Notice Requirements
While AB 713 provides that the CCPA does not apply to de-identified information, it would still impose transparency requirements on a business that sells or discloses de-identified information. Namely, AB 713 requires a business to disclose in a consumer-facing privacy notice the following information:
Whether the business discloses de-identified health information derived from “personal information” under the CCPA to third-parties
Whether the business used the HIPAA safe harbor or expert determination method to create the de-identified health information.
If AB 713 becomes law, it would reduce CCPA compliance burdens for many life sciences companies, research organizations and other health care businesses by eliminating potential conflicts between the HIPAA and CCPA de-identification standards and excepting additional categories of health information from the CCPA.