California Bills Would Expand and Clarify Consumers' Privacy Rights Regarding Health Information

Holland & Knight LLP
Contact

Holland & Knight LLP

Highlights

  • Two bills related to personal privacy have been passed by the California State Legislature: the Genetic Information Privacy Act (GIPA) and a bill that amends the California Consumer Privacy Act of 2018 (CCPA) to clarify the scope of the exemption for certain types of health information. Both laws will become effective immediately upon the signature of Gov. Gavin Newsom or will automatically take effect on Sept. 30, 2020, if Newsom doesn't sign.
  • GIPA requires direct-to-consumer genetic testing companies to provide certain clear and complete information regarding the company's policies and procedures for the collection, use, maintenance and disclosure of such data.
  • Assembly Bill 713 amends CCPA to clarify the scope of CCPA's exemption for health data, specifying that the CCPA does not apply to medical information governed by the Confidentiality of Medical Information Act (CMIA) or protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA) to a provider of healthcare governed by CMIA or to covered entities and their business associates covered by HIPAA.

Two bills related to personal privacy have been passed by the California State Legislature and are awaiting signature from Gov. Gavin Newsom: the Genetic Information Privacy Act (GIPA) and a bill that amends the California Consumer Privacy Act of 2018 (CCPA) to clarify the scope of the exemption for certain types of health information. Both laws will become effective immediately upon Newsom's signature or will automatically take effect on Sept. 30, 2020, if Newsom doesn't sign, according to California's "pocket pass" provision.

GIPA Imposes New Restrictions on Genetic Testing Companies

GIPA updates the disclosure and deletion rights that genetic companies must provide to California residents, irrespective of whether such companies are also covered under the CCPA. Specifically, the Act requires direct-to-consumer genetic testing companies — as well as all other companies that collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product — to provide certain clear and complete information regarding the company's policies and procedures for the collection, use, maintenance and disclosure of such data. Prior to collection, companies must obtain express consent from the consumer and obtain additional, separate, consent for certain specified actions, such as for storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled or for transfer of the consumer's genetic data or sample to a third party other than to a service provider.

Companies subject to GIPA must allow a consumer to easily revoke consent, and must honor the revocation as soon as practicable but not later than 30 days after receipt. Companies may not discriminate against a consumer for exercising his or her rights under GIPA.

Finally, testing companies may not disclose a consumer's genetic data to any entity responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance or employment, or to any entity that provides advice to an entity that is responsible for performing these functions.

GIPA does not provide for a private right of action. Violations will be prosecuted only by the California attorney general or local authorities, with negligent violations punishable by a civil penalty of up to $1,000 and willful violations with a penalty between $1,000 and $10,000.

Notably, the Act makes clear that any contract or agreement between a consumer and a GIPA-covered entity that would delay or limit access to a legal remedy will not apply to the exercise of rights or enforcement of GIPA.

Importantly, however, GIPA does not apply to medical information governed by the state's Confidentiality of Medical Information Act (CMIA) or protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), nor does GIPA apply to a provider of healthcare governed by CMIA or to covered entities and their business associates covered by HIPAA. Likewise, certain scientific research or educational activities are exempt, as well as the California newborn screening program.

Amendment to CCPA Clarifies Exemption for Health Information

Assembly Bill 713 amends CCPA to clarify the scope of CCPA's exemption for health data, specifying that the CCPA does not apply to medical information governed by the CMIA or protected health information covered by HIPAA to a provider of healthcare governed by CMIA or to covered entities and their business associates covered by HIPAA. Additionally, CCPA now expressly does not apply to information that is deidentified in accordance with HIPAA or is collected for, used in or disclosed in research.

Nevertheless, a business that sells or discloses deidentified patient information — even if otherwise exempt from CCPA — must now state in its privacy policy whether such information is derived from patient information and, if so, whether that patient information was deidentified pursuant to HIPAA.

Furthermore, the amendment prohibits businesses from reidentifying, or attempting to reidentify, protected health information or medical information, unless the reidentification falls under a specific exemption, including treatment, payment or healthcare operations, public health activities under HIPAA or research.

Finally, any contract for the sale or license of deidentified information must now include certain provisions, including a statement that the deidentified information being sold includes deidentified patient information, that reidentification is prohibited, and that the purchaser or licensee may not further disclose the deidentified information to any third party unless said third party is contractually bound by the same or stricter conditions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising

Written by:

Holland & Knight LLP
Contact
more
less

Holland & Knight LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.