September 20, 2021

Volume XI, Number 263



CCPA Amended to Address HIPAA Exemption, Deidentified Data Rules

Last month California Governor Gavin Newsom signed AB 713 into law, which more closely aligns the CCPA with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws governing scientific research. Although these changes may help ease compliance challenges for the health care and life sciences industries, they only exempt certain types of data from the CCPA rather than exempting health companies entirely.

What has changed?

AB 713 expands the CCPA exceptions for HIPAA business associates and HIPAA de-identified data, which can be particularly helpful in the area of research. Importantly, AB 713 solves the disconnect between the CCPA and HIPAA’s arguably less burdensome de-identification standards. Absent this “fix,” data could have been sufficiently de-identified to be exempt from HIPAA, yet not sufficiently de-identified to be exempt from the CCPA, creating a much more complicated legal regime for health companies.

AB 713 also expands the current CCPA research exception for clinical trials to include personal information collected, used, or disclosed in any research (as defined by HIPAA) that is carried out in accordance with applicable ethics and confidentiality requirements, the privacy and security rules of 45 CFR Part 164 (i.e., the HIPAA Privacy and Security Rules), the Common Rule, good clinical practice guidelines issued by the International Council for Harmonization, or FDA human subject protection requirements.

However, AB 713 also creates new obligations by requiring certain provisions in contracts in order to sell or license de-identified information. These new requirements are similar to HIPAA’s existing “data use agreement” requirements for sharing “limited data sets” for research and other purposes, creating a complex web of interrelated obligations. AB 713 also requires businesses that sell or disclose de-identified patient information to include specific disclosures in their CCPA consumer privacy notices describing the sale or disclosure and the HIPAA de-identification method used to de-identify the information (i.e., safe harbor or expert determination).

When will the changes be effective?

AB 713 went into effect immediately upon signature because it was deemed “an urgency statute necessary for the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the California Constitution.” However, the provision requiring certain terms in contracts to sell or license de-identified PHI does not take effect until January 1, 2021.

What should businesses do?

Businesses that sell, license, or transfer HIPAA de-identified data to third parties should review their CCPA consumer privacy notices and contracts and update them to comply with the new requirements as soon as possible. Businesses should also review and consider updating their de-identification policies and procedures to reflect the new rules.

© Copyright 2021 Squire Patton Boggs (US) LLP

National Law Review, Volume X, Number 301

About this Author

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

Lydia de la Torre, Of Counsel, Data Privacy & Cybersecurity Attorney, Squire Patton Boggs, Palo Alto, CA

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other states’ privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

Lauren Kitces Data Privacy & Cybersecurity Attorney Squire Patton Boggs Washington DC

Lauren Kitces is a member of our Data Privacy & Cybersecurity Practice, where she provides business-oriented privacy and cybersecurity advice to a wide range of clients, leveraging her in-house experience to provide mindful guidance. She has strong international experience, which she uses to help translate pre-existing international efforts into US regulatory compliance. Lauren enjoys the nuance and complexity that come with being in a field that is still evolving and forming both nationally and internationally.

Lauren utilizes her analytical thought-process and over 10 years...