California Consumer Privacy Act Is Amended to Expand Exemptions for Patient Information, Establish Deidentification Obligations
On September 25, 2020, California Governor Gavin Newsom signed into law California Assembly Bill 713 (AB-713), amending the California Consumer Privacy Act of 2018 (CCPA). The bill, which had passed unanimously in the California Senate, went into effect immediately. It is most notable for three changes to the CCPA: (1) it expands the exemptions from the CCPA's requirements with respect to health information, specifically certain data concerning human research subjects; (2) with respect to health information, it adopts the standards for deidentification of protected health information established under HIPAA; and (3) it imposes new obligations with respect to deidentified patient information.
Expanded Exemptions for Health Information
Prior to its amendment by AB-713, the CCPA provided several exemptions from its scope for health information, including (among others): (1) "protected health information" (PHI) and "individually identifiable health information" as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (2) "medical information" as defined by California's Confidentiality of Medical Information Act (CMIA); and (3) "information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration."
AB-713 expands the scope of these exemptions to cover "identifiable private information" as defined by the Federal Policy for the Protection of Human Subjects (the Common Rule). Cal. Civ. Code § 1798.146(b)(6). Pursuant to this amendment, the CCPA now exempts additional types of personal information gathered in the context of medical research—a move public health experts advocated to promote medical research related to COVID-19. Previously, the relevant CCPA provision exempted personal information collected only in clinical trials. Under AB-713, however, the exemption extends to all identifiable private information that is collected, used, or disclosed in research conducted in accordance with the Good Clinical Practice Guidelines, FDA human subject protection guidelines, HIPAA, or the Common Rule. Id. § 1798.146(a)(5). In other words, it also exempts research that involves review of observational and/or preexisting data—a critical component to COVID-19 research. Of further note, AB-713 creates a broad exemption for HIPAA-governed "business associates" to the extent that they maintain, use, and disclose health information in the same way they do PHI and medical information. Id. § 1798.146(a)(3). Before the amendment, only HIPAA-covered entities were clearly exempt at the entity level.
A Harmonized Standard for Deidentification
AB-713 also adopts the standards for deidentification of protected health information established under HIPAA. The CCPA generally defines "deidentified information" as "information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer" subject to certain technical and business process safeguards. Cal. Civ. Code § 1798.135(h). With respect to health information, this definition arguably cannot be squared with the two standards of deidentification permitted under HIPAA: (1) the "expert determination" method (45 C.F.R. § 164.514(b)(1)); and (2) the Safe Harbor (45 C.F.R. § 164.514(b)(2)). Entities subject to HIPAA, whose activities are exempt with respect to PHI but not necessarily other personal information, thus were left with ambiguity about whether they could ever meet both standards simultaneously. AB-713 eliminates the ambiguity by specifically exempting information that is (1) derived from "patient information" [1] originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the CMIA or the Common Rule, and (2) has been deidentified pursuant to either the "expert determination" method or the Safe Harbor under HIPAA. Cal. Civ. Code § 1798.146(a)(4)(A). In other words, HIPAA-covered entities (and business associates), as well as a wide array of businesses in the healthcare sector, will be able to rely on the HIPAA standard for deidentification for purposes of exempting deidentified patient information from the CCPA.
Obligations for Deidentified Patient Information
However, AB-713 also imposes new requirements with respect to deidentified data derived from patient information. First, businesses are prohibited from reidentifying deidentified data derived from patient information, except where reidentification is used for: (1) a HIPAA-covered entity's treatment, payment, or healthcare operations; (2) public health activities or purposes; (3) research; (4) activities pursuant to contracts to conduct testing, analysis, or validation of deidentification or related statistical techniques (as long as the contract bans any other use or disclosure of the reidentified data and includes a "return or destroy" clause); or (5) if required by law. Cal. Civ. Code § 1798.148(a).
Second, AB-713 requires that as of January 1, 2021, contracts for the sale or license of deidentified patient information for which one of the parties is a California resident—or even just does business in California—must include terms that ensure the data remains deidentified. Id. § 1798.148(c).
Finally, businesses must notify consumers if they sell or disclose deidentified data derived from patient information using the HIPAA deidentification standards. Under this requirement, those entities must disclose in their consumer-facing privacy policies whether they sell or disclose deidentified data derived from patient information and whether the patient information was deidentified pursuant to either the HIPAA Safe Harbor or expert determination method. Id. § 1798.130(a)(5)(D).
Medical researchers, healthcare providers, and their vendors have been confounded by some of the CCPA's requirements and exemptions. AB-713 should give such businesses greater clarity regarding deidentification of patient information and reduce regulatory burdens with respect to health information collected for research purposes. There is concern, however, that this clarity will be short-lived. On November 3, 2020, California voters will decide whether to pass Proposition 24, the "California Privacy Rights Act" (CPRA), which would amend the CCPA extensively, without incorporating any of the CCPA changes effected by AB-713. At least until January 1, 2023, however, when most of the CPRA changes, if adopted, would take effect, AB-713's amendments to the CCPA will remain in place.
[1] AB-713 adds a new definition of "patient information" to the CCPA, which is: (1) PHI and "individually identifiable health information" as defined under HIPAA; (2) "medical information" as defined by the CMIA; and (3) "identifiable private information" as defined by the Common Rule. Cal. Civ. Code § 1798.146(b)(6).
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.