In a little-noticed amendment, California legislators responded to the call of health-care companies and privacy advocates and recently expanded the California Consumer Privacy Act’s exemptions of patient information to include research data and more information handled by business associates, and harmonized the law’s de-identification exemption with the federal Health Insurance Portability and Accountability Act.
However, in doing so, AB 713 also created a novel restriction on re-identification and introduced public disclosure and contract obligations that may be surprising to health-care entities unaccustomed to CCPA compliance.
It is a common misconception that health-care companies enjoy a blanket exemption from the CCPA, California’s groundbreaking consumer privacy law. In fact, the CCPA exempts no health companies at the entity level and instead employs a clutter of exemptions targeting health-related data sets.
While the effect may sometimes be similar to that of a blanket exemption, peripheral data sets, which can include marketing lists, web tracking data, and employee information, often remain subject to CCPA regulation. By adding obligations that linger even after data has been de-identified, AB 713 only adds to the often subtle compliance risks that the CCPA poses to the health industry.
How Does AB 713 Expand CCPA’s Exemptions of Patient Information?
The California Legislature answered calls from an alliance of providers, medical researchers and privacy groups by expanding and simplifying the CCPA’s current exemptions relating to patient information. Before AB 713, the CCPA utilized the following patchwork of exemptions relevant to patient information:
- Information collected by a covered entity or business associate and regulated as protected health information (PHI) by HIPAA or its California corollary, the California Medical Information Act.
- Other information collected by a covered entity—but not a business associate—and “maintained in the same manner” as PHI.
- Information collected as part of a clinical trial subject to the Common Rule.
- Information that is de-identified under the CCPA’s novel de-identification standard, which does not incorporate HIPAA’s own long-standing de-identification rule.
In response to requests to better align the CCPA with existing health privacy regulations, AB 713 enhances these exemptions in three ways. First, the narrow exemption for clinical research is broadened to cover any information that is collected, used or disclosed in any medical research, if conducted in accordance with applicable laws and ethics.
Second, information that a business associate “maintains in the same manner” as PHI is now exempted, expanding the important exemption previously available only to covered entities. This fix cures the original CCPA’s puzzling protection of such information maintained by a covered entity but not its business associate.
Third, personal information that is de-identified pursuant to the HIPAA Privacy Rule’s two available de-identification methods—expert determination and safe harbor—is now exempt, fixing a theoretical gap between the two laws’ de-identification standards. Information that is subsequently re-identified is no longer exempt and re-identification is now largely prohibited.
The Surprise of New Obligations
The cleaned-up de-identification exemption comes with strings attached. Whereas HIPAA is largely silent on the use or disclosure of de-identified PHI, this information is subject to new constraints under AB 713. Health-care companies are well advised to revisit their CCPA compliance efforts to ensure they are meeting these new obligations.
In what appears to be a first-of-its-kind prohibition, under AB 713, California law now explicitly bans any re-identification of de-identified patient information (DPI) unless certain exceptions apply. These exceptions include where data is re-identified for purposes of HIPAA-regulated health care or payment operations or pursuant to regulated public health activities or research or as otherwise permitted by law.
AB 713 now also requires public disclosure of any sale or sharing of DPI and new contractual restrictions covering the sale or license of such information.
- Businesses must publicly disclose any selling or sharing of DPI and that the information was de-identified pursuant to HIPAA standards.
- Contracts for the sale or license of DPI must:
  - State that the sold or licensed data includes DPI.
  - Prohibit any re-identification or attempted re-identification.
  - Prohibit further disclosure of DPI to third parties unless the third party is contractually bound by the same or stricter restrictions, unless otherwise required by law.
These new requirements mean that a surprise may be in store for health-care companies that have assumed that their data sets are largely unregulated by the CCPA but regularly share, sell or license their DPI.
Impact of the California Ballot Initiative
A new privacy law, the California Privacy Rights Act (CPRA), is being presented to California voters even as the CCPA remains in its infancy. If enacted, the CPRA would replace and enhance the CCPA. How would AB 713 be impacted?
Fortunately for health-care businesses, AB 713’s drafters protected most of its provisions in brand-new sections of the state civil code that will remain even if the CPRA replaces the CCPA. As a result, programmatic changes implemented by companies in response to AB 713 can largely remain.
The requirement to disclose DPI sales or sharing, however, appears in an existing CCPA provision and would appear to be nullified if the CPRA passes.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Brandon Reilly is a partner with Manatt, Phelps & Phillips LLP in its privacy and data security practice where he counsels clients on a wide array of consumer protection and privacy matters, including data privacy and security compliance and procedure and data breach response.