An amendment to the CCPA recently passed through the legislature, adding some much-needed clarity for HIPAA-regulated entities, research institutions, and other life science and medical device companies. CCPA in its current form leaves open uncertainty for business associates, de-identified information, and information collected in the course of medical research. AB 713 helps clarify certain exemptions and the applicability of CCPA to organizations in the health and research space.
CCPA and Business Associates: Currently, CCPA does not regulate protected health information (PHI) that is collected by either a HIPAA covered entity or a business associate. CCPA also exempts covered entities to the extent that they maintain patient information in the same manner as PHI subject to HIPAA. CCPA does not, however, currently include a similar entity-based exemption for business associates. AB 713 adds an exemption for business associates to the extent that they maintain, use, and disclose patient information consistent with the HIPAA requirements applicable to PHI.
Applicability of CCPA to De-Identified Information: There was confusion about the applicability of CCPA to information that was de-identified pursuant to HIPAA. The bill clarifies that information de-identified pursuant to HIPAA is exempt from CCPA. By explicitly providing that CCPA does not apply to HIPAA de-identified information, the bill alleviates the compliance challenges posed by potential inconsistencies between the HIPAA de-identification standard and CCPA’s definition of de-identified information. Further, because the exception under AB 713 attaches to the de-identified information itself rather than to HIPAA covered entities or business associates, the exception would be available to businesses that are not HIPAA-regulated entities but that create de-identified data sets in accordance with the HIPAA de-identification standard and otherwise meet certain conditions.
New Notice Obligations for De-Identified Information: The amendment adds a new requirement to privacy policies. Businesses are now required to disclose whether they sell or disclose de-identified patient information derived from personal patient information. If so, the disclosure must also state whether that de-identified patient information was de-identified in accordance with the HIPAA “expert determination” method (45 CFR 164.514(b)(1)) or the HIPAA “safe harbor” method (45 CFR 164.514(b)(2)).
Contractual Requirements for Sale of De-Identified Information: The amendment requires applicable businesses to include contract provisions whenever there is a sale or license of de-identified information. Businesses would need to represent that the de-identified information in the transaction includes patient information. The contract must prohibit the receiving party from re-identifying the de-identified patient information. The receiving party, subject to applicable law, must also be prohibited from further disclosing the de-identified information to third parties unless those third parties are contractually bound by equal or stricter confidentiality measures.
Exceptions for Research Data: In its original form, CCPA exempts personal information collected during “clinical trials.” Because this term was undefined, it left uncertainty about the extent of the exception. With the amendment, information will be exempt from CCPA to the extent it is:
“…collected, used, or disclosed in research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.”
This exception will ease the burden that CCPA presents for the research community. For example, it exempts activities such as registry studies that are conducted with IRB oversight and that are subject to federal research regulations, but that are not “clinical trials.”
Putting it Into Practice: Like the CCPA B2B and employee exception amendment (which we covered here), this bill is now before the Governor to sign by the end of September. This bill should streamline CCPA compliance for many organizations in the health and research space. It helps eliminate some of the conflicts between the HIPAA and CCPA de-identification standards, and it clarifies and broadens certain exemptions.