On January 1, 2020, the California Consumer Protection Act (CCPA) came became enforceable. CCPA enhanced privacy security for state residents and gave Californians new rights in relation to their personal data.
Healthcare data governed by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were exempted from CCPA but there is still potential for CCPA to inflict compliance headaches for healthcare groups.
A new bill – AB 713 – has now been formulated which aims to make compliance easier by adding additional categories of data to the CCPA exemptions, specifically health data that has been de-identified in accordance with HIPAA Rules, personal data used for public health and safety purposes, medical research data, and health information gathered, maintained, or used by business associates of HIPAA-covered groups. The bill was unanimously approved by the State Senate Health Committee in January.
The amendment to the exemption for de-identified health data is necessary as the definitions of de-identified data are not the same under HIPAA and CCPA and data de-identified in accordance with HIPAA could still include data covered by CCPA. HIPAA only require identifiers to be deleted that could be used to identify patients. It does not need the removal of identifiers for workforce members or providers, which is covered by CCPA.
AB 713 puts in place a new exemption for health data that is de-identified in accordance with HIPAA, once the following three conditions are in place:
Data is de-identified through either the safe harbor or expert determination method listed in 45 CFR § 164.514 (b); data is derived from protected health details, medical data, individually identifiable health information, or identifiable private information, in line with the Federal Policy for the Protection of Human Subjects (Common Rule); the business or business associate does not try to or actually re-identify people from the data.
The exemption applies to information de-identified in line with HIPAA. This exemption would therefore also apply to entities not governed by HIPAA.
While AB 713 would exempt de-identified data, a business will be required to share, through a consumer-facing public notice, if de-identified information will be given to third parties and the method used to de-identify the data.
CCPA does not include certain types of personal information used for research, such as data gathered for clinical trials subject to the Common Rule. AB 713 adds further exemptions for personal information gathered or used in biomedical research studies subject to institutional review board standards, the ethics and privacy requirements of the Common Rule, the International Council for Harmonization’s good clinical practice guidelines, or the FDA’s human subject protection requirements. An exemption is also put in place for personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the data is either individually identifiable health information (45 CFR § 160.103) or medical information governed by the California Confidentiality of Medical Information Act (CMIA).
AB 713 also adds an exemption for personal data that is only used for the following reasons, once the information is protected in accordance with all confidentiality and privacy provisions applicable under federal or state legislation:
- Product registration and tracking in line with applicable FDA regulations and guidelines.
- Public health activities and purposes listed in 45 CFR § 164.512
- FDA-regulated quality, safety, and effectiveness jobs