Client Alert: California Governor Signs CCPA Amendment Giving Clarity for HIPAA-Regulated Entities
Governor Gavin Newson signed a bill on Friday, September 25 to amend the California Consumer Privacy Act (CCPA) to exempt certain health information from the CCPA, among other things. While the amendment provides some much needed clarity, it also places some new obligations on businesses sharing or selling de-identified protected health information (PHI). Certain components of the bill are effective immediately.
Clarity on the PHI De-identification Issue
Under the CCPA, the definition of “Personal Information” excludes “consumer information that is de-identified.” Since the enactment of the CCPA, there has been some debate about whether PHI (typically exempt from the CCPA) actually becomes “Personal Information” once it is de-identified. The reason for this paradox is due to the differing standards of what it means to “de-identify” information under the CCPA and HIPAA. With the passage of AB 713, any PHI de-identified in accordance with the HIPAA Privacy Rule remains exempt from the CCPA so long as the information is not subsequently re-identified.
Changes to Privacy Policy for Businesses Selling or Sharing De-Identified PHI
The CCPA requires businesses to make certain disclosures to consumers in its online privacy policy. Under this amendment, if a business sells or shares de-identified PHI, it must notify consumers in its privacy policy and disclose the method through which the information was de-identified.
New Requirements for Contracts with Vendors Receiving De-identified PHI
The amendment requires that if a business sells or licenses de-identified PHI to a third party, it must have a contract with the third party which includes: (1) a statement that de-identified information being sold or licensed contains de-identified PHI; (2) a statement that the purchaser cannot re-identify, or attempt to re-identify, the de-identified information; and (3) a prohibition on the further sharing of the de-identified PHI unless the third-party is subject to the same use restrictions. Although most of AB 713 is effective immediately, this change will not become effective until January 1, 2021.
Restrictions on the Re-identification of De-identified PHI
AB 713 prohibits the re-identification of de-identified information unless it is for one of the following purposes: (1) a HIPAA regulated entity’s treatment, payment, or health care operations; (2) public health activities or purposes set forth in HIPAA; (3) research; (4) compliance with legal requirements; or (5) performance of a contract that engages an entity to re-identify the information for testing, analysis, validation, or related statistical techniques.
New HIPAA Business Associate Exception
PHI collected by a “covered entity” or a “business associate” under HIPAA is excepted from the CCPA. Additionally, if a covered entity uses or discloses patient information in the same manner as it uses or discloses PHI subject to HIPAA, that covered entity is excepted from the CCPA. AB 713 extends that exception to all business associates that maintain, use, or disclose patient information consistent with the requirements of HIPAA as are applicable to PHI.
For assistance with your CCPA compliance program or privacy laws in general, please contact John Landolfi, Christopher Ingram, Christopher LaRocco, Sarah Boudouris, Gretchen Rutz, or your Vorys attorney.