In late September, California’s Governor Gavin Newsom signed into law two bills to amend the California Consumer Privacy Act (CCPA). He also vetoed two other consumer privacy bills based on concerns about potential conflicts with existing state and federal law.
As one of the two new CCPA amendments, AB713 makes substantive changes to the law. It relaxes some of the CCPA compliance challenges faced by the healthcare and life science industries by harmonizing the California law with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) as it applies to HIPAA-covered information.
AB713 – CCPA Amendments of Health Information
AB713 is most notable for the following CCPA amendments:
- further exemptions for de-identified patient information,
- expanded consumer privacy notice requirements concerning de-identified patient information,
- a research exemption, and
- a limited exemption for HIPAA business associates.
Because AB713 was passed as an urgency statute under California law, all but one of its provisions went into effect on September 25, 2020. The only exception is the portion of the law that requires new contractual disclosures; that provision went into effect on January 1, 2021.
De-Identified Information Exemption
Prior to the amendment, data that had been de-identified under HIPAA could still be considered personal information under the CCPA. Under the CCPA amendments, HIPAA de-identified information is expressly excluded from the law, as long as both of the following conditions are met:
- De-identification is performed in accordance with HIPAA, and
- The information is derived from patient information originally collected, created, transmitted, or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA), or the Federal Policy for the Protection of Human Subjects (Common Rule).
Businesses regulated by the CCPA are prohibited from re-identifying de-identified information, except for one of the following purposes:
- Treatment, payment, or health care operations conducted by a HIPAA regulated entity,
- Public health activities or purposes described under HIPAA,
- Pursuant to a contract in order to conduct testing, analysis, or validation of de-identification, or related statistical techniques, or
- If otherwise required by law.
Requirements for the Sale or License of De-Identified Information
The CCPA amendments also create new contractual requirements for the sale or license of de-identified information. Effective January 1, 2021, businesses selling or licensing personal health information need to include the following provisions in their contracts:
- a statement that the information being sold or licensed contains de-identified patient information,
- a statement that the purchaser or licensee cannot re-identify, or attempt to re-identify, the de-identified information, and
- a statement that the purchaser or licensee cannot share the de-identified information with any third party unless the third party is bound by the same restrictions contained in the contract.
In addition, businesses that sell or share information that was de-identified have to update their CCPA privacy policies to disclose to consumers the method by which the information was de-identified.
Accordingly, healthcare providers deploying AI and machine learning solutions that use data from multiple customers need to amend their vendor contracts to ensure that the required language is included.
Research Exemption
The CCPA amendments explicitly exclude information that is collected, used, or disclosed in research, as defined in HIPAA. This includes, but is not limited to, a clinical trial conducted in accordance with HIPAA, the Common Rule, the International Council for Harmonisation, or the United States Food and Drug Administration.
Limited Business Associate Exemption
Previously, the CCPA explicitly exempted personal health information and medical information governed by the CMIA from CCPA requirements. The CCPA also exempted patient information maintained by HIPAA-covered entities and by providers of healthcare governed by the CMIA, so long as the entity extends the HIPAA and CMIA protections to such patient data. However, no similar exemption was provided for business associates. With the CCPA amendments, business associates are exempted to the extent that they maintain, use, or disclose patient information in the same manner as protected health information.
Maintaining CCPA Compliance
Healthcare providers, medical researchers, and their vendors have been limited by some of the CCPA’s requirements and exemptions. Now, with the CCPA amendments, they get greater clarity regarding the de-identification of patient information and health information collected for research purposes. However, they need to closely monitor all developments relating to the CCPA, including the adoption of the California Privacy Rights Act.
Businesses that sell, license, or transfer HIPAA de-identified data to third parties should review their consumer privacy notices and contracts and update them to comply with the CCPA amendments. Businesses should also review and consider updating their de-identification policies and procedures to reflect the new rules.
By now, businesses should already be CCPA compliant. If not, companies should be working diligently to achieve compliance as soon as possible. In an environment of intense regulatory change, a proactive approach to data privacy is necessary. With a secure electronic platform, businesses can simplify compliance efforts and protect employee, customer, and company data while implementing the required consumer protections on time.