On September 1, the California legislature passed AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”).  All provisions of the bill will take effect immediately to prevent the CCPA from “negatively impact[ing] certain health-related information and research,” except for the required contractual provisions described below.

Under the new exemption, information is not subject to the CCPA’s obligations if it meets both of the following requirements:

  • (1) the information is deidentified in accordance with the deidentification requirements in the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as set forth in 45 C.F.R. § 164.514; and
  • (2) the information is “derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by” HIPAA, California’s Confidentiality of Medical Information Act (“CMIA”), or the Federal Policy for the Protection of Human Subjects, often referred to as the Common Rule.

Importantly, this new patient-specific deidentification exemption is in addition to, and separate from, the CCPA’s current language that excludes from the scope of “personal information” certain “deidentified” information.  For purposes of the CCPA, deidentified information is defined as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,” provided that a business has implemented certain safeguards and processes detailed by the statute to limit the risk of reidentification.  See Cal. Civ. Code § 1798.140(h).

Thus, there is now an alternative basis to argue that patient information that has been deidentified for HIPAA purposes is also exempt from the CCPA.  However, the new patient-specific deidentification exemption is subject to several conditions.  Most notably, a business that sells or discloses deidentified patient information is required to inform consumers, in its privacy policy or any California-specific description of consumers’ privacy rights, that it sells or discloses such information and under which HIPAA method the information has been deidentified.

In addition, there are express prohibitions against reidentification, except for specific purposes enumerated in the bill (e.g., treatment, payment, or healthcare operations conducted by a HIPAA-covered entity or business associate).  The bill also requires that, beginning on January 1, 2021, contracts for the sale or license of deidentified patient information must include specific provisions prohibiting the purchaser or recipient from reidentifying the information and limiting redisclosure of the information to third parties unless the third parties are also contractually bound by the same or more strict restrictions and conditions.  See Cal. Civ. Code § 1798.148.

Finally, the bill specifies that any deidentified patient information which is subsequently reidentified is no longer eligible for the exemption and would be subject to applicable state and federal data privacy and security laws, such as HIPAA and the CMIA.  See Cal. Civ. Code § 1798.146(a)(4)(B).

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Tara Carrier

Tara Carrier advises clients on a variety of health care compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. She routinely advises on regulatory compliance and enforcement risk, commercial transactions, and administrative and legislative policy opportunities. Tara also has experience counseling clients on investigations and compliance matters, including implementing and operating under HHS OIG Corporate Integrity Agreements.