AB-713 CCPA Requirements Take Effect January 1, 2021 for Use of De-identified Health Data Sets

Troutman Pepper
Contact

Troutman Pepper

On September 28, California Governor Gavin Newsom signed  AB-713 into law, which more closely aligned the California Consumer Privacy Act (CCPA) with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). While AB-713 provides additional exemptions for certain types of medical information and health care entities already regulated by federal law, it also seems to expand the applicability of the CCPA.

The CCPA currently applies only to for-profit “businesses” that meet one or more of the following thresholds:

  • Has annual gross revenues in excess of $25 million.

  • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

However, AB-713 seems to extend the CCPA’s reach beyond these thresholds, specifically for contractual requirements for the sale or license of information originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects (aka the Common Rule) that has been de-identified in accordance with 45 C.F.R. §164.514. As  previously reported, beginning January 1, 2021, AB-713 requires any contract for the sale or license of de-identified information, where one of the parties is a person residing or doing business in California, to include:

  • A statement that the de-identified information being sold or licensed includes de-identified patient information;

  • A statement that re-identification, and attempted re-identification, of the de-identified information by the purchaser or licensee of the information is prohibited; and

  • A requirement that, unless otherwise required by law, the purchaser or licensee of the de-identified information may not further disclose the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

Note: The text does not refer to a “business,” but to a “person,” which the CCPA defines more broadly as “any … organization or group of persons acting in concert.” Cal. Civ. Code § 1798.140(n). This may mean nonprofit health care organizations, which were once exempt from the CCPA, may still be obligated to comply with the contractual requirements of AB-713, even if the entities they are contracting with are also nonprofits.

Moreover, health care entities and their business associates are used to flow-downs safeguarding protected health information and personally identifiable information, but not information that is properly de-identified.

The legislative  intent of AB-713 is to provide necessary clarifications for the discrepancies between the CCPA and existing medical privacy and confidentiality laws “to ensure that California's life science industry and biomedical research are not adversely affected by the rollout of new privacy standards established by the CCPA.” However, it is unclear whether the California Legislature understood the possible consequence of AB-713’s contractual requirements expanding the CCPA’s applicability — especially since AB-713 was hastily passed into law as an “urgency statute” and with previous versions of the law not differing in substance.

With the passage of the  California Privacy Rights Act (CPRA), it seems that cleanup legislation will be necessary. However, AB 713’s drafters protected most of its provisions by implementing them in new sections of the state civil code, meaning the CPRA will largely not disturb AB 713’s requirements. In the meantime, entities residing in or doing business in California that are parties to a contract involving the sale or license of de-identified information (e.g., health care providers deploying AI and machine learning solutions through platform providers that use data from multiple customers to train algorithms and enhance related service offerings) should identify all such contracts, assess whether any of the contracts must be amended, and develop a plan for requesting and securing the amendments by January 1, 2021. Purchasers or licensees of de-identified information should also evaluate whether they can comply with the contractual provisions required under AB-713, and whether they can flow down the restrictions on re-identification to third parties with whom they further disclose the de-identified information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Contact
more
less

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.