Amendment to CCPA Harmonizes Data Privacy and Healthcare Information Requirements - Exemptions for de-Identified Patient Information Under AB 713 Address HIPAA and CCPA Standards

| Philip M. Nelson

An amendment to the California Consumer Privacy Act (“CCPA”) was signed in September 2020. The CCPA regulates how large companies[1] treat their customers’ personal information. However, the CCPA and healthcare information regulations, such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) do not always agree. The CCPA targets for-profit companies, so non-profit healthcare systems and hospital networks were not the focus of the law. However, many healthcare entities were still affected because they license data to pharmaceutical and medical device companies. This data is typically provided for research (not marketing) purposes and is therefore “de-identified” (anonymized or otherwise masked to preserve scientific value while preserving individual privacy).

When a hospital contracts with a for-profit entity for this purpose it should include agreement provisions requiring the for-profit company to comply with all applicable privacy laws, including the CCPA. While such provisions remain a best practice for hospitals and other non-profit healthcare entities, this new law (AB 713, signed into law by Governor Gavin Newsom on September 25, 2020), alleviates some concerns of for-profit entities receiving de-identified patient data.

AB 713 creates a new healthcare-related exemption based on concerns over the CCPA’s perceived adverse impact on healthcare research and operations. The exemption removes data from the scope of the CCPA if it meets both of the following requirements in Cal. Civ. Code § 1798.146(a)(4)(A):

(1) the information is deidentified in accordance with the deidentification requirements of the Privacy Rule of HIPAA, as set forth in 45 C.F.R. § 164.514; and

(2) the information is “derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by” HIPAA, California’s Confidentiality of Medical Information Act (“CMIA”), or the Federal Policy for the Protection of Human Subjects (the “Common Rule”).

This exception applies to de-identified data held by pharmaceutical, medical device, life sciences, or similar companies not directly subject to HIPAA, CMIA, or the Common Rule. Re-identification of the data is not permitted (with some exceptions).[2]

Specifically, AB 713 provides a path forward for healthcare and life sciences companies, which have been trying to balance previously inconsistent de-identification standards under HIPAA and the CCPA. Absent AB 713’s exemption, it was possible for data de-identified under the HIPAA standard to constitute “personal information” under the CCPA, because the CCPA and HIPAA Privacy Rule include differing language for their respective de-identification standards. CCPA-regulated businesses commercializing or licensing HIPAA de-identified data faced challenges complying with two sets of de-identification standards. Previously, the CCPA only included such an exemption for clinical trials. AB 713 expands the scope of the exemption to the types of entities listed above.

The full text of the bill outlines requirements for specific contract language and expanded consumer privacy notices. Provisions of AB 713 will go into effect on January 1, 2021. Licensees and purchasers of de-identified patient information from healthcare entities should contact a qualified California data privacy attorney to ensure their data collection practices, license agreements, and consumer privacy notices are all in order.

[1] As a reminder, the CCPA applies to for-profit companies conducting business in California with gross revenues exceeding $25 million, or receiving or disclosing the personal information of 50,000 or more Californians, or generating 50 percent or more of their annual revenues from selling Californians’ personal information.

[2] See Cal. Civil Code Sec. 1798.148(a)(1)-(5).