California Seeks to Heal HIPAA & CCPA Divisions with AB 713
On September 5, 2020, the California legislature passed AB 713, amending the California Consumer Privacy Act (CCPA). The bill alleviates some of the burdens the CCPA imposed on medical research and healthcare operations, and imposes new requirements and restrictions on businesses that sell or disclose de-identified health data. The bill, which California Governor Gavin Newsom signed into law on September 25, 2020, contains an emergency clause, so it took effect immediately upon the governor’s approval.
Significantly, the bill addresses an inconsistency between the definitions of de-identified data under the federal Health Insurance Portability and Accountability Act (HIPAA) and the CCPA, broadens the CCPA’s medical research exemption, and clarifies that the CCPA’s HIPAA exemption also applies to entities that operate as business associates under HIPAA. Additionally, AB 713 largely prohibits re-identification of de-identified patient data and imposes new contractual and notice requirements relating to the sale of de-identified health data.
Alignment of the CCPA and HIPAA De-Identification Standards
HIPAA exempts data that have been de-identified in accordance with the HIPAA de-identification standard. However, when the CCPA came into effect, the California privacy law provided that only data de-identified in accordance with the CCPA de-identification standard were exempt from CCPA regulation. The de-identification standards of the two laws did not initially align, causing confusion around what specific data were exempt from each law.
AB 713 corrects a disparity between the de-identification requirements of the two laws. Specifically, the bill exempts data from the CCPA that have been:
- derived from patient information originally governed by HIPAA, the California Confidentiality of Medical Information Act (CMIA), or the federal Common Rule applicable to federally funded research; and
- de-identified in accordance with the HIPAA de-identification standard.
Critically, this information is only exempt from the CCPA so long as it remains de-identified. If the data are re-identified, the information will be subject to the CCPA once more.
Prohibition on Re-Identification of Previously De-Identified Patient Data
AB 713 largely prohibits the re-identification of previously de-identified health data. The bill defines “re-identification” as the reversal of de-identification techniques, including adding specific pieces of information or data elements that can, individually or in combination, uniquely identify an individual, or the use of any other means that associates de-identified information with an identifiable individual.
Several limited exceptions to this prohibition apply. Re-identification is permitted:
- for treatment, payment, or healthcare operations, or for public health activities or purposes as defined by HIPAA;
- for research conducted in accordance with HIPAA or the Common Rule;
- as required by law; or
- pursuant to a contract under which the lawful holder of the de-identified data engages a party to attempt re-identification in order to test, analyze, or validate the de-identification or related statistical techniques.
This last exception is only applicable if the contract bans any use or disclosure of the re-identified data other than for the contractual purpose and requires that the data be returned or destroyed when the contract terminates. Any entity that seeks to “re-identify” data pursuant to these limited exceptions must remember that such re-identified data would once again be subject to the CCPA.
Expansion of the Medical Research Data Exemption
As originally enacted, the CCPA medical research exemption only applied to clinical trial data collected subject to the Common Rule, pursuant to Good Clinical Practice guidelines, or pursuant to the Food and Drug Administration's (FDA) human subject protection requirements. AB 713 broadens that exemption, including data that have been collected, used, or disclosed outside of clinical trials. Specifically, AB 713 exempts data from the CCPA that have been collected, used, or disclosed in research conducted in accordance with the ethics, confidentiality, privacy, and security rules of HIPAA, the Common Rule, Good Clinical Practice Guidelines, or FDA human subject protections.
Expansion of the Business Associate Exemption
AB 713 extends the CCPA’s existing exemption for HIPAA covered entities to business associates that are governed by the privacy, security, and breach notification rules of HIPAA and HITECH. Under the bill, protected health information (PHI) and other patient data held by a business associate are exempt from the CCPA to the extent that the business associate maintains, uses, and discloses that information in the same manner as medical information under the CMIA or PHI under HIPAA. Covered entities could already rely on this exemption under the CCPA; AB 713 makes it available to business associates as well.
Contractual Requirements Relating to the Sale of De-Identified Data
The bill also imposes certain contractual requirements on entities engaged in the sale of de-identified health data if either party to the sale is doing business in California. If de-identified health data are sold or licensed after January 1, 2021, the contract governing the sale of data must include provisions meeting the following requirements:
- Disclosing that the information being sold includes de-identified patient information;
- Prohibiting re-identification or attempted re-identification of the data; and
- Prohibiting further disclosure of the de-identified data to any third party unless the third party is contractually bound by the same or stricter contractual provisions.
Notice Requirements Relating to the Sale of De-Identified Data
AB 713 also adds a privacy policy disclosure requirement. A business that sells or discloses de-identified patient information must state in its online privacy policy whether it does so and, if so, whether the information was de-identified under the HIPAA expert determination method, the HIPAA safe harbor method, or both.
The passage of AB 713 clarifies and streamlines healthcare sector obligations under the CCPA, while imposing enhanced contractual and notice requirements on entities that sell or license de-identified health information. Applicable businesses should carefully assess whether their policies and practices comply with AB 713 and other rapidly evolving privacy laws.
For more information on AB 713, contact the authors of this post.