CCPA Amendment Further Harmonizes with HIPAA and Provides Additional Exemptions

Troutman Pepper

On September 28, California Governor Gavin Newsom signed AB-713 into law, which relaxes some of the California Consumer Privacy Act (CCPA) compliance challenges faced by the health care and life science industries — more closely harmonizing the California law with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). In particular, the amended law provides (1) further exemptions for de-identified patient information, (2) expanded consumer privacy notice requirements concerning de-identified patient information, (3) a research exemption, and (4) a limited exemption for HIPAA business associates.

Importantly, the signed law is classified as an “urgency statute,” which means the law immediately goes into effect as of September 28, 2020.

De-Identified Information Exemption (§ 1798.146(a)(4))

Before this amendment, information de-identified under HIPAA could still constitute "personal information" under the CCPA, because the two laws define de-identification differently. Under the amended law, HIPAA de-identified information is expressly excluded from the CCPA, so long as two conditions are met:

  • De-identification is performed in accordance with HIPAA (45 CFR § 164.514).
  • The information is derived from patient information originally collected, created, transmitted, or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA), or the Federal Policy for the Protection of Human Subjects (Common Rule).

Re-identification of PHI (§ 1798.148)

Information that is re-identified loses the above exemption and becomes subject to the CCPA, unless the re-identification is for one of the following purposes:

  • Treatment, payment, or health care operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity;
  • Public health activities or purposes as described in 45 C.F.R. § 164.512;
  • Research, as defined in 45 C.F.R. § 164.501, conducted in accordance with the Common Rule;
  • Under a contract, where the lawful holder of the de-identified information expressly engages a person or entity to attempt to re-identify the de-identified information to conduct testing, analysis, or validation of de-identification, or related statistical techniques, if the contract bans any other use or disclosure of the re-identified information and requires the return or destruction of the information that was re-identified upon completion of the contract; or
  • If otherwise required by law.

Contractual Requirements for the Sale or License of De-Identified Information (§ 1798.148(b))

AB-713 also creates new contractual requirements for the sale or license of de-identified information. Beginning January 1, 2021, any contract for the sale or license of de-identified information, where one of the parties is a person residing or doing business in California, must include:

  • A statement that the de-identified information being sold or licensed includes de-identified patient information;
  • A statement that re-identification, and attempted re-identification, of the de-identified information by the purchaser or licensee of the information is prohibited; and
  • A requirement that, unless otherwise required by law, the purchaser or licensee of the de-identified information may not further disclose the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

Health care providers that deploy AI and machine learning solutions through platform vendors which pool data from multiple customers to train algorithms and improve related services will need to amend those vendor contracts so that the required statements and restrictions are included.

Expanded Notice Requirements (§ 1798.130(a)(5)(D))

Consistent with the spirit of the CCPA, even though de-identified patient information is excluded, a regulated business that sells or otherwise discloses de-identified patient information must state in its privacy policy whether it does so and, if it does, which HIPAA-sanctioned method (expert determination or safe harbor under 45 CFR § 164.514(b)) was used to de-identify the information.

Research Exemption (§ 1798.146(a)(5))

The amendment explicitly excludes information that is collected, used, or disclosed in research, as defined in HIPAA (45 CFR § 164.501), "including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of HIPAA, the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration."

Limited Business Associate Exemption (§ 1798.146(a)(3))

Previously, the CCPA explicitly exempted PHI and "medical information" governed by the CMIA from CCPA requirements. The CCPA also exempted patient information maintained by HIPAA covered entities and by providers of health care governed by the CMIA, so long as the entity extended the HIPAA and CMIA protections to that patient data. No similar exemption existed for business associates. As amended, the CCPA now exempts business associates to the extent the business associate maintains, uses, or discloses patient information in the same manner as protected health information.

There has long been confusion about the scope of the equivalent exemption for covered entities. The bill analyses presented to the legislature with the amendment make clear that the legislative intent is not to exempt health care entities from CCPA obligations on an organization-wide basis, but to exempt certain kinds of regulated information. The expansion therefore exempts from the CCPA only non-PHI patient information collected by business associates or covered entities. For example, personal information collected directly from patients through mobile medical apps would fall within the exemption, so long as the business associate protects that information consistently with HIPAA requirements for PHI. This could significantly reduce the operational burden on health care entities that previously had to comply with HIPAA for the PHI they process and with the CCPA for the non-PHI patient personal information they process. The exemption does not, however, cover employee personal information, certain marketing-related personal information, or other types of personal information held by health care entities.

Compliance Tips

  • Businesses regulated by the CCPA should continue to closely monitor developments relating to the CCPA, including the potential adoption of the California Privacy Rights Act (CPRA), which is set to appear on the November ballot and would further amend the CCPA. For information on how to comply with the CCPA, see Troutman Pepper's six-part article series on CCPA enforcement available here.
  • Health care entities regulated by HIPAA should continue to conduct thorough data inventories to determine whether they hold patient information not covered by HIPAA and evaluate whether such patient information is used and protected in the same manner and subject to the same controls as PHI held by the business.
  • Health care entities that license or otherwise transfer de-identified information to third parties, such as vendors, should evaluate contracts governing the transfers to determine whether the requisite restrictions on use and disclosure of such de-identified information are included.
  • Businesses that license or otherwise transfer de-identified information to third parties should evaluate whether additional disclosures are required in their CCPA privacy policies and contracts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
