Wednesday, September 16, 2020
On August 31, 2020, the California legislature passed California AB 713, which amends the California Consumer Privacy Act (CCPA) to except from its requirements certain health information, including information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If Governor Gavin Newsom signs the bill, it will ease some of the CCPA compliance challenges experienced by the health care and life sciences industries, by more closely aligning the CCPA with HIPAA and other laws governing human subjects research.
On August 31, 2020, the California legislature passed California AB 713, which amends the California Consumer Privacy Act (CCPA) to create expanded exceptions for HIPAA business associates; information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and information collected, used or disclosed in certain human subjects research. AB 713 reflects an intense lobbying effort by medical technology, pharmaceutical, and other health and life sciences industry stakeholders.
If Governor Gavin Newsom signs AB 713, it will ease some of the CCPA compliance challenges experienced by the health care and life sciences industries, by more closely aligning the CCPA with HIPAA and other laws governing human subjects research, effective January 1, 2021. However, AB 713 also creates new compliance obligations by requiring entities subject to requirements for “businesses” under the CCPA, as well as other entities residing or doing business in California, to include certain provisions in license agreements or other contracts for the sale or license of de-identified information.
We summarize below the salient features of AB 713.
Exception for De-identified Patient Information
AB 713 provides relief to health care, life sciences and other organizations that have been grappling with how to achieve compliance with the potentially inconsistent de-identification standards under HIPAA and the CCPA. Currently, without the CCPA amendment included in AB 713, it’s possible for data that has been de-identified under the HIPAA de-identification standard to constitute “personal information” under the CCPA because the CCPA and the HIPAA Privacy Rule include different language for their respective de-identification standards. This has complicated CCPA-regulated businesses’ strategies for licensing or otherwise commercializing HIPAA de-identified data. For example, HIPAA protected health information that has been de-identified under HIPAA may contain identifiers of California physicians or other individuals who serve patients. These identifiers may constitute “personal information” under the CCPA when held by a CCPA-regulated business, and create a right under the CCPA for the individuals to opt out of sales of the personal information. For more information about the inconsistent HIPAA and CCPA de-identification standards, see our On the Subject.
AB 713 resolves the potential disconnect between the CCPA and HIPAA’s de-identification standards by expressly providing that the CCPA does not apply to information that meets the following conditions:
The information has been de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method).
The information was derived from patient information that was originally collected, created, transmitted or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA) or the Federal Policy for the Protection of Human Subjects (Common Rule). “Patient information” means protected health information or individually identifiable health information under HIPAA, identifiable private information under the Common Rule or medical information under the CMIA.
The information has not been re-identified.
This exception would apply to HIPAA de-identified data held by entities that are not themselves directly regulated by HIPAA, the Common Rule or the CMIA, such as certain pharmaceutical, medical device or life sciences companies, provided that the de-identified data is derived from patient information that was originally collected, created, transmitted or maintained by an entity regulated by HIPAA, the CMIA or the Common Rule.
Prohibition Against Re-Identification of De-identified Patient Information
AB 713 also prohibits a CCPA-regulated business or other person from re-identifying, or attempting to re-identify, any de-identified patient information unless the re-identification activity is for one of the following purposes:
A HIPAA-regulated entity’s treatment, payment or health care operations purposes
Public health activities or purposes set forth in HIPAA
Research, as defined by HIPAA and conducted in accordance with the Common Rule
Performance of a contract that engages an entity to re-identify the de-identified patient information for testing, analysis or validation of the de-identification
Compliance with legal requirements.
Thus, CCPA-regulated businesses and other persons that seek to re-identify any de-identified patient information need to evaluate whether the CCPA applies to it and permits the re-identification.
New Contracting Requirements
AB 713 requires a contract for the sale or license of de-identified patient information, where one of the parties resides or does business in California, to include the following provisions:
A statement that the de-identified information being sold or licensed includes de-identified patient information
A statement that the CCPA prohibits the purchaser or licensee from re-identifying, or attempting to re-identify, the de-identified patient information
A statement that prohibits the purchaser or licensee from further disclosing the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
While the CCPA generally only applies to “businesses” that process the personal information of California consumers and have an annual revenue of at least $25 million (or meet another threshold), the new contracting requirements under AB 713 also apply where “one of the parties is a person residing or doing business in” California even if the business is not based in California. To learn more about whether a company is a CCPA-regulated business, see “Your Guide to CCPA Compliance.”
A party to a contract involving the sale or license of de-identified patient information that resides or does business in California should:
Identify all such contracts.
Assess whether any of the contracts need to be amended to add the new required contract provisions.
Develop a plan for requesting and securing the amendments from the other party by January 1, 2021, the effective date of AB 713.
Moreover, purchasers or licensees of de-identified patient information from a CCPA-regulated business or other entity that resides or does business in California should evaluate whether they can comply with the contract provisions and can flow down the restrictions on re-identification to third parties with whom they further share the de-identified patient information.
Expanded Consumer Privacy Notice Requirements
Although AB 713 excepts de-identified patient information from the CCPA’s applicability, it requires a CCPA-regulated business that sells or discloses de-identified patient information to include in its CCPA consumer privacy notice a statement describing the sale or disclosure and the HIPAA de-identification method used to de-identify the information (i.e., safe harbor or expert determination). Companies that sell, license or transfer HIPAA de-identified data to third parties should consider whether they will need to update their CCPA consumer privacy notices to comply with this requirement.
Exception for HIPAA Business Associates
Currently, the CCPA excepts from its applicability any protected health information collected by a HIPAA covered entity or business associate. The CCPA also contains an exception for all HIPAA covered entities to the extent that they maintain, use or disclose patient information in the same manner as protected health information subject to HIPAA. However, the CCPA does not currently include a similar entity-based exception for HIPAA business associates and the patient information they protect in the same manner as protected health information.
AB 713 amends the CCPA to except all business associates to the extent that they maintain, use or disclose patient information in the same manner as protected health information. Accordingly, a CCPA-regulated business associate that collects patient information through a service line that is not subject to HIPAA, such as a direct-to-consumer offering, would not need to comply with the CCPA with respect to such information if the business associate applies HIPAA protections to the information.
The CCPA currently includes an exception for personal information collected as part of clinical trials that are subject to the Common Rule, international good clinical practice guidelines, or the human subject protection regulations of the US Food and Drug Administration (FDA). AB 713 expands the exception to except any personal information collected, used or disclosed in any research (as defined by HIPAA) that is conducted in accordance with applicable ethics, confidentiality, privacy and security rules of 45 CFR Part 164 (e.g., the HIPAA Privacy and Security Rules), the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation or FDA human subject protection requirements. Thus, the CCPA’s research exception will no longer be limited to clinical trials.
If AB 713 is signed by Governor Newsom, CCPA-regulated businesses that license or otherwise disclose de-identified patient information, and licensees and purchasers of the information, should assess whether their contracts covering the information need to be amended, revise their consumer privacy notices as needed to comply with the new de-identification disclosure requirement and consider updating their de-identification policies and procedures to reflect the new flexibility created by AB 713.