The California Consumer Protection Act (CCPA) took effect on January 1, 2020. CCPA increased privacy protections for state residents and gave Californians new rights concerning their personal information.
Healthcare information covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) is not covered by the CCPA; however, CCPA can still create compliance problems for healthcare companies.
The purpose of the new bill, AB 713, is to make compliance easier by adding more categories of data to the CCPA exemptions, particularly health information that has been de-identified according to the HIPAA Rules, personal data used for public health and safety purposes, medical research information, and health data collected, maintained, or used by business associates of HIPAA-covered entities. The Health Committee of the State Senate unanimously approved the bill this month.
The modification to the exemption for de-identified health information is necessary because HIPAA and CCPA define de-identified information differently, so information de-identified according to HIPAA could still contain information covered by CCPA. HIPAA only requires removing identifiers that could be used to identify patients. It does not require removing identifiers of employees or providers, which are covered by CCPA.
AB 713 includes a new exemption for health information that is de-identified according to HIPAA, as long as these three conditions are satisfied:
- the data is de-identified using the safe harbor or expert determination method described in 45 CFR § 164.514(b);
- the data is derived from protected health information, medical information, individually identifiable health information, or identifiable private information, as defined under the Federal Policy for the Protection of Human Subjects (Common Rule);
- the business or business associate does not attempt to re-identify, and does not actually re-identify, individuals from the information.
The exemption applies to any data de-identified according to HIPAA, so it would also apply to entities that are not themselves subject to HIPAA.
Although AB 713 will exempt de-identified data, a business must still disclose, in a consumer-facing public notice, when it shares de-identified data with third parties and the method used to de-identify the information.
CCPA does not cover certain types of personal data used for research, such as data collected for clinical trials governed by the Common Rule. AB 713 provides further exemptions for personal data collected or used in
- biomedical research studies governed by institutional review board standards
- the International Council for Harmonization’s good clinical practice guidelines
- the ethics and privacy standards of the Common Rule
- the FDA’s human subject protection requirements
- research governed by all applicable ethics and privacy laws
- individually identifiable health data (45 CFR § 160.103)
- medical data covered by the California Confidentiality of Medical Information Act (CMIA)
AB 713 additionally includes an exemption for personal data used for the purposes below, provided the data is protected under all applicable federal or state confidentiality and privacy provisions:
- Public health activities and purposes explained in 45 CFR § 164.512
- Product registration and tracking in line with applicable FDA rules and regulations
- FDA-regulated quality, security, and efficiency activities