CCPA Amendment Update: California Legislature Approves Exceptions for HIPAA De-Identified Information and Other Health Data
On August 31, 2020, the California legislature passed California AB 713, which amends the California Consumer Privacy Act (CCPA) to except from its requirements certain health information, including information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If Governor Gavin Newsom signs the bill, it would ease some of the CCPA compliance challenges experienced by the health care and life sciences industries, by more closely aligning the CCPA with HIPAA and other laws governing human subjects research.
On August 31, 2020, the California legislature passed California AB 713, which amends the California Consumer Privacy Act (CCPA) to create expanded exceptions for HIPAA business associates; information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and information collected, used or disclosed in certain human subjects research. AB 713 reflects an intense lobbying effort by medical technology, pharmaceutical, and other health and life sciences industry stakeholders.
If Governor Gavin Newsom signs AB 713, it would ease some of the CCPA compliance challenges experienced by the health care and life sciences industries, by more closely aligning the CCPA with HIPAA and other laws governing human subjects research, effective January 1, 2021. However, AB 713 also creates new compliance obligations by requiring entities subject to requirements for “businesses” under the CCPA, as well as other entities residing or doing business in California, to include certain provisions in license agreements or other contracts for the sale or license of de-identified information.
We summarize below the salient features of AB 713.
Exception for De-identified Patient Information
AB 713 provides relief to health care, life sciences and other organizations that have been grappling with how to achieve compliance with the potentially inconsistent de-identification standards under HIPAA and the CCPA. Currently, without the CCPA amendment included in AB 713, it is possible for data that has been de-identified under the HIPAA de-identification standard to constitute “personal information” under the CCPA because CCPA and the HIPAA Privacy Rule include different language for their respective de-identification standards. This has complicated CCPA-regulated businesses’ strategies for licensing or otherwise commercializing HIPAA de-identified data. For example, HIPAA protected health information that has been de-identified under HIPAA may still contain identifiers of California physicians or other individuals who serve patients. These identifiers may constitute “personal information” under the CCPA when held by a CCPA-regulated business, and create a right under the CCPA for the individuals to opt out of sales of the personal information. For more information about the inconsistent HIPAA and CCPA de-identification standards, see our On the Subject.
AB 713 resolves the potential disconnect between the CCPA and HIPAA’s de-identification standards by expressly providing that the CCPA does not apply to information that meets the following conditions:
The information has been de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method).
The information was derived from patient information that was originally collected, created, transmitted or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA) or the Federal Policy for the Protection of Human Subjects (Common Rule). “Patient information” means protected health information or individually identifiable health information under HIPAA, identifiable private information under the Common Rule or medical information under the CMIA.
The information has not been re-identified.
This exception would apply to HIPAA de-identified data held by entities that are not themselves directly regulated by HIPAA, the Common Rule or the CMIA, such as certain pharmaceutical, medical device or life sciences companies, provided that the de-identified data is derived from patient information that was originally collected, created, transmitted or maintained by an entity regulated by HIPAA, the CMIA or the Common Rule.
Prohibition Against Re-Identification of De-identified Patient Information
AB 713 also prohibits a CCPA-regulated business or other person from re-identifying, or attempting to re-identify, any de-identified patient information unless the re-identification activity is for one of the following purposes:
A HIPAA-regulated entity’s treatment, payment or health care operations purposes
Public health activities or purposes set forth in HIPAA
Research, as defined by HIPAA and carried out in accordance with the Common Rule
Performance of a contract that engages an entity to re-identify the de-identified patient information for testing, analysis or validation of the de-identification
Compliance with legal requirements.
Thus, CCPA-regulated businesses and other persons that seek to re-identify any de-identified patient information need to evaluate whether the CCPA applies to it and permits the re-identification.
New Contracting Requirements
AB 713 requires a contract for the sale or license of de-identified patient information, where one of the parties resides or does business in California, to include the following provisions:
A statement that the de-identified information being sold or licensed includes de-identified patient information
A statement that the CCPA prohibits the purchaser or licensee from re-identifying, or attempting to re-identify, the de-identified patient information
A statement that prohibits the purchaser or licensee from further disclosing the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
While the CCPA generally only applies to “businesses” that process the personal information of California consumers and have an annual revenue of at least $25 million (or meet another threshold), the new contracting requirements under AB 713 also apply where “one of the parties is a person residing or doing business in” California even if the business is not based in California. To learn more about whether a company is a CCPA-regulated business, see “Your Guide to CCPA Compliance.”
A party to a contract involving the sale or license of de-identified patient information that resides or does business in California should:
Identify all such contracts.
Assess whether any of the contracts need to be amended to add the new required contract provisions.
Develop a plan for requesting and securing the amendments from the other party by January 1, 2021, the effective date of AB 713.
Moreover, purchasers or licensees of de-identified patient information from a CCPA-regulated business or other entity that resides or does business in California should evaluate whether they can comply with the contract provisions and should flow down the restrictions on re-identification to third parties with whom they further share the de-identified patient information.
Expanded Consumer Privacy Notice Requirements
Although AB 713 excepts de-identified patient information from the CCPA’s applicability, it requires a CCPA-regulated business that sells or discloses de-identified patient information to include in its CCPA consumer privacy notice a statement describing the sale or disclosure and the HIPAA de-identification method used to de-identify the information (i.e., safe harbor or expert determination). Companies that sell, license or transfer HIPAA de-identified data to third parties should consider whether they will need to update their CCPA consumer privacy notices to comply with this requirement.
Exception for HIPAA Business Associates
Currently, the CCPA excepts from its applicability any protected health information collected by a HIPAA covered entity or business associate. The CCPA also contains an exception for all HIPAA covered entities to the extent that they maintain, use or disclose patient information in the same manner as protected health information subject to HIPAA. However, the CCPA does not presently include a similar entity-based exception for HIPAA business associates and the patient information they protect in the same manner as protected health information.
AB 713 amends the CCPA to except all business associates to the extent that they maintain, use or disclose patient information in the same manner as protected health information. Accordingly, a CCPA-regulated business associate that collects patient information through a service line that is not subject to HIPAA, such as a direct-to-consumer offering, would not need to comply with the CCPA with respect to such information if the business associate applies HIPAA protections to the information.
The CCPA currently includes an exception for personal information collected as part of clinical trials that are subject to the Common Rule, international good clinical practice guidelines, or the human subject protection regulations of the US Food and Drug Administration (FDA). AB 713 expands the exception to except any personal information collected, used or disclosed in any research (as defined by HIPAA) that is carried out in accordance with applicable ethics, confidentiality, privacy and security rules of 45 CFR Part 164 (e.g., the HIPAA Privacy and Security Rules), the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation or FDA human subject protection requirements. Thus, the CCPA’s research exception will no longer be limited to clinical trials.
If AB 713 is signed by Governor Newsom, CCPA-regulated businesses that license or otherwise disclose de-identified patient information, and licensees and purchasers of the information, should assess whether their contracts covering the information must be amended, revise their consumer privacy notices as needed to comply with the new de-identification disclosure requirement and consider updating their de-identification policies and procedures to reflect the new flexibility created by AB 713.