California Bill Proposes Further Health Data Exemptions for CCPA

On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. CCPA enhanced privacy protections for state residents and gave Californians new rights over their personal data.

Healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were exempted from CCPA but there is still potential for CCPA to cause compliance headaches for healthcare organizations.

A new bill – AB 713 – has now been introduced which aims to simplify compliance by adding further categories of data to the CCPA exemptions, specifically health data that has been de-identified in accordance with HIPAA Rules, personal information used for public health and safety purposes, medical research data, and health information collected, maintained, or used by business associates of HIPAA-covered entities. The bill was unanimously approved by the State Senate Health Committee this month.

The change to the exemption for deidentified health data is required as the definitions of deidentified data differ under HIPAA and CCPA and data de-identified in accordance with HIPAA could still contain data covered by CCPA. HIPAA only require identifiers to be removed that could be used to identify patients. It does not require the removal of identifiers for workforce members or providers, which is covered by CCPA.

AB 713 adds a new exemption for health data that is deidentified in accordance with HIPAA, provided the following three conditions are met:

Data is deidentified through either the safe harbor or expert determination method detailed in 45 CFR § 164.514 (b); data is derived from protected health information, medical information, individually identifiable health information, or identifiable private information, consistent with the Federal Policy for the Protection of Human Subjects (Common Rule); the business or business associate does not try to or actually re-identify individuals from the data.

The exemption applies to information deidentified in accordance with HIPAA. This exemption would therefore also apply to entities not covered by HIPAA.

While AB 713 would exempt deidentified information, a business will be required to disclose, via a consumer-facing public notice, if deidentified information will be provided to third parties and the method used to deidentify the data.

CCPA does not cover certain types of personal information used for research, such as data collected for clinical trials subject to the Common Rule. AB 713 adds further exemptions for personal information collected or used in biomedical research studies subject to institutional review board standards, the ethics and privacy requirements of the Common Rule, the International Council for Harmonization’s good clinical practice guidelines, or the FDA’s human subject protection requirements. An exemption is also added for personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information (45 CFR § 160.103) or medical information governed by the California Confidentiality of Medical Information Act (CMIA).

AB 713 also adds an exemption for personal information that is only used for the following purposes, provided the information is protected in accordance with all confidentiality and privacy provisions applicable under federal or state law:

  • Product registration and tracking consistent with applicable FDA regulations and guidelines.
  • Public health activities and purposes detailed in 45 CFR § 164.512
  • FDA-regulated quality, safety, and effectiveness activities

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.