State Regulatory Developments

California Creates Exemption from CCPA for Healthcare Information

On September 25, 2020, California Governor Gavin Newsom signed Assembly Bill 713 (the Amendment), which amends the California Consumer Privacy Act (CCPA) and establishes new exemptions from it.  The Amendment is designed to bring California’s requirements for de-identified health information in line with federal requirements, to create new obligations when de-identified patient data is sold, and to ban the re-identification of de-identified patient data.  The Amendment took effect on September 30, 2020.

In general, the Amendment:

  • Exempts from the CCPA information that was de-identified in accordance with specified federal law (e.g., HIPAA), or was derived from medical information, protected health information, individually identifiable health information, or identifiable private information, consistent with specified federal policy.
  • Exempts from the CCPA a business associate of a HIPAA covered entity that is governed by federal privacy, security, and data breach notification rules if the business associate maintains, uses, and discloses patient information in accordance with specified requirements.
  • Exempts from the CCPA certain information that is collected for, used in, or disclosed in medical research.
  • Prohibits a business or other person from re-identifying information that was de-identified, unless a specified exception applies (e.g., treatment, payment, and health care operations as permitted by HIPAA, and public health activities).
  • Requires a business that sells or discloses information derived from de-identified patient information to state in its privacy policy whether it sells or discloses such de-identified data and, if so, whether the patient information was de-identified pursuant to one or more of the permissible HIPAA de-identification methods (i.e., the HIPAA Safe Harbor method or the expert determination method).

Additionally, beginning January 1, 2021, the Amendment will require that any contract for the sale or license of de-identified patient information include three new terms:

  • A statement that the de-identified information being sold or licensed includes de-identified patient information.
  • A statement that re-identification, and attempted re-identification, of the de-identified information by the purchaser or licensee of the information is prohibited.
  • A requirement that, unless otherwise required by law, the purchaser or licensee of the de-identified information may not further disclose it to any third party unless that third party is contractually bound by the same or stricter restrictions and conditions.