On September 1, the California legislature passed AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”).  All provisions of the bill will take effect immediately to prevent the CCPA from “negatively impact[ing] certain health-related information and research,” except for the required contractual provisions described below.

Under the new exemption, information is not subject to the CCPA’s obligations if it meets both of the following requirements:

  • (1) the information is deidentified in accordance with the deidentification requirements in the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as set forth in 45 C.F.R. § 164.514; and
  • (2) the information is “derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by” HIPAA, California’s Confidentiality of Medical Information Act (“CMIA”), or the Federal Policy for the Protection of Human Subjects, often referred to as the Common Rule.

Importantly, this new patient-specific deidentification exemption is in addition to, and separate from, the CCPA’s current language that excludes from the scope of “personal information” certain “deidentified” information.  For purposes of the CCPA, deidentified information is defined as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer,” provided that a business has implemented certain safeguards and processes detailed by the statute to limit the risk of reidentification.  See Cal. Civ. Code § 1798.140(h).

Thus, there is now an alternative basis to argue that patient information that has been deidentified for HIPAA purposes is also exempt from the CCPA.  However, the new patient-specific deidentification exemption is subject to several conditions.  Most notably, a business that sells or discloses deidentified patient information is required to inform consumers, in its privacy policy or any California-specific description of consumers’ privacy rights, that it sells or discloses such information and under which HIPAA method the information has been deidentified.

In addition, there are express prohibitions against reidentification, except for specific purposes enumerated in the bill (e.g., treatment, payment, or healthcare operations conducted by a HIPAA-covered entity or business associate).  The bill also requires that, beginning on January 1, 2021, contracts for the sale or license of deidentified patient information must include specific provisions prohibiting the purchaser or recipient from reidentifying the information and limiting redisclosure of the information to third parties unless the third parties are also contractually bound by the same or more strict restrictions and conditions.  See Cal. Civ. Code § 1798.148.

Finally, the bill specifies that any deidentified patient information which is subsequently reidentified is no longer eligible for the exemption and would be subject to applicable state and federal data privacy and security laws, such as HIPAA and the CMIA.  See Cal. Civ. Code § 1798.146(a)(4)(B).

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Tara Carrier

Tara Carrier is an associate in Covington’s Boston office, where she is a member of the Health Care and White Collar Defense and Investigations Practice Groups. Tara focuses her practice on representing clients in the life sciences and health care industries in a variety of regulatory and compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. In addition, Tara has experience representing clients in government investigations and conducting targeted internal investigations covering a broad range of health care compliance issues. She also counsels clients on mitigating compliance risks and implementing and operating under HHS OIG Corporate Integrity Agreements.

Tara is an author of the U.S. chapter of a global treatise on drug pricing and reimbursement.

In addition to her life sciences practice, Tara maintains an active pro bono practice, with a particular focus on reproductive rights.