CCPA Amended to Address HIPAA Exemption, Deidentified Data Rules
Last month California Governor Gavin Newsom signed AB 713 into law, which aligns the CCPA more closely with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws governing scientific research. Although these changes may help ease compliance challenges for the health care and life sciences industries, they exempt only certain types of data from the CCPA rather than exempting health companies entirely.
What has changed?
AB 713 expands the CCPA exceptions for HIPAA business associates and HIPAA de-identified data, which can be particularly helpful in the area of research. Importantly, AB 713 solves the disconnect between the CCPA and HIPAA’s arguably less burdensome de-identification standards. Absent this “fix,” data could have been sufficiently de-identified to be exempt from HIPAA, yet not sufficiently de-identified to be exempt from the CCPA, creating a much more complicated legal regime for health companies.
AB 713 also expands the current CCPA research exception for clinical trials to include personal information collected, used, or disclosed in any research (as defined by HIPAA) that is carried out in accordance with applicable ethics, confidentiality, the privacy and security rules of 45 CFR Part 164 (i.e., the HIPAA Privacy and Security Rules), the Common Rule, good clinical practice guidelines issued by the International Council for Harmonization, or FDA human subject protection requirements.
However, AB 713 also creates new obligations by requiring certain provisions in contracts in order to sell or license de-identified information. These new requirements are similar to HIPAA’s existing “data use agreement” requirements for sharing “limited data sets” for research and other purposes, creating a complex web of interrelated obligations. It also requires businesses that sell or disclose de-identified patient information to include specific disclosures in their CCPA consumer privacy notices describing the sale or disclosure and the HIPAA de-identification method used to de-identify the information (i.e., safe harbor or expert determination).
When will the changes be effective?
AB 713 went into effect immediately upon signature because it was deemed “an urgency statute necessary for the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the California Constitution.” However, the provision requiring certain terms in contracts to sell or license de-identified PHI does not take effect until January 1, 2021.
What should businesses do?
Businesses that sell, license, or transfer HIPAA de-identified data to third parties should review their CCPA consumer privacy notices and contracts and update them to comply with the new requirements as soon as possible. Businesses should also review and consider updating their de-identification policies and procedures to reflect the new rules.