On September 28, California Governor Gavin Newsom signed AB-713 into law, which more closely aligned the California Consumer Privacy Act (CCPA) with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). While AB-713 provides additional exemptions for certain types of medical information and health care entities already regulated by federal law, it also seems to expand the applicability of the CCPA.
The CCPA currently applies only to for-profit “businesses” that meet one or more of the following thresholds:
Has annual gross revenues in excess of $25 million.
Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
Derives 50% or more of its annual revenues from selling consumers’ personal information.
However, AB-713 appears to extend the CCPA’s reach beyond these thresholds by imposing contractual requirements on the sale or license of de-identified information. The requirements cover information originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, California’s Confidentiality of Medical Information Act (CMIA), or the Federal Policy for the Protection of Human Subjects (the Common Rule), and then de-identified in accordance with 45 C.F.R. § 164.514. As previously reported, beginning January 1, 2021, AB-713 requires any contract for the sale or license of such de-identified information, where one of the parties is a person residing or doing business in California, to include:
A statement that the de-identified information being sold or licensed includes de-identified patient information;
A statement that re-identification, and attempted re-identification, of the de-identified information by the purchaser or licensee of the information is prohibited; and
A requirement that, unless otherwise required by law, the purchaser or licensee of the de-identified information may not further disclose the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
Note: The statutory text does not refer to a “business,” but to a “person,” which the CCPA defines more broadly as “any … organization or group of persons acting in concert.” Cal. Civ. Code § 1798.140(n). This may mean that nonprofit health care organizations, which fall outside the CCPA’s definition of a “business” and have therefore been exempt from it, are nonetheless obligated to comply with AB-713’s contractual requirements, even when the entities they contract with are also nonprofits.
Moreover, health care entities and their business associates are accustomed to contractual flow-down provisions that safeguard protected health information (PHI) and personally identifiable information, but not provisions that follow information once it has been properly de-identified, since such information is no longer PHI under HIPAA and so falls outside the scope of a typical business associate agreement.
The legislative intent of AB-713 is to clarify the discrepancies between the CCPA and existing medical privacy and confidentiality laws “to ensure that California's life science industry and biomedical research are not adversely affected by the rollout of new privacy standards established by the CCPA.” However, it is unclear whether the California Legislature understood that AB-713’s contractual requirements could expand the CCPA’s applicability, especially since AB-713 was passed hastily as an “urgency statute” (taking effect immediately on signing) and its earlier drafts did not differ in substance.
With the passage of the California Privacy Rights Act (CPRA), it seems that cleanup legislation will be necessary. However, AB-713’s drafters protected most of its provisions by placing them in new sections of the state civil code, so the CPRA will largely not disturb AB-713’s requirements. In the meantime, entities residing in or doing business in California that are parties to a contract involving the sale or license of de-identified information should identify all such contracts, assess whether any of them must be amended, and develop a plan for requesting and securing the amendments by January 1, 2021. A common example is a health care provider deploying AI and machine learning solutions through a platform provider that uses data from multiple customers to train algorithms and enhance related service offerings. Purchasers or licensees of de-identified information should also evaluate whether they can comply with the contractual provisions required under AB-713, and whether they can flow down the restrictions on re-identification to any third parties to whom they further disclose the de-identified information.