On September 1, the California legislature passed AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”).  All provisions of the bill will take effect immediately to prevent the CCPA from “negatively impact[ing] certain health-related information and research,” except for the required contractual provisions described below.

Under the new exemption, information is not subject to the CCPA’s obligations if it meets both of the following requirements:

  1. the information is deidentified in accordance with the deidentification requirements in the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as set forth in 45 C.F.R. § 164.514; and
  2. the information is “derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by” HIPAA, California’s Confidentiality of Medical Information Act (“CMIA”), or the Federal Policy for the Protection of Human Subjects, often referred to as the Common Rule.

Importantly, this new patient-specific deidentification exemption is in addition to, and separate from, the CCPA’s current language that excludes from the scope of “personal information” certain “deidentified” information.  For purposes of the CCPA, deidentified information is defined as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,” provided that a business has implemented certain safeguards and processes detailed by the statute to limit the risk of reidentification.  See Cal. Civ. Code § 1798.140(h).

Thus, there is now an alternative basis to argue that patient information that has been deidentified for HIPAA purposes is also exempt from the CCPA.  However, the new patient-specific deidentification exemption is subject to several conditions.  Most notably, a business that sells or discloses deidentified patient information is required to inform consumers, in its privacy policy or any California-specific description of consumers’ privacy rights, of the fact that it sells or discloses such information and of the HIPAA method under which the information has been deidentified.

In addition, there are express prohibitions against reidentification, except for specific purposes enumerated in the bill (e.g., treatment, payment, or healthcare operations conducted by a HIPAA-covered entity or business associate).  The bill also requires that, beginning on January 1, 2021, contracts for the sale or license of deidentified patient information must include specific provisions prohibiting the purchaser or recipient from reidentifying the information and limiting redisclosure of the information to third parties unless the third parties are also contractually bound by the same or more strict restrictions and conditions.  See Cal. Civ. Code § 1798.148.

Finally, the bill specifies that any deidentified patient information which is subsequently reidentified is no longer eligible for the exemption and would be subject to applicable state and federal data privacy and security laws, such as HIPAA and the CMIA.  See Cal. Civ. Code § 1798.146(a)(4)(B).