Determining how far California’s new privacy law reaches has been challenging for the medical and research communities. The law excepts “de-identified” information, but its definition of “de-identified” does not mirror the one found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The California Consumer Privacy Act (CCPA), which took effect Jan. 1, 2020, imposes new requirements on businesses, including medical and research entities, that process the personal information of California residents. These requirements include providing notice to consumers about the use of their personal data and affording consumers several rights with respect to that data.
The CCPA excepts personal information collected during “clinical trials,” an undefined term, leaving uncertainty about the extent of the exception.
On Jan. 6, the California Senate Health Committee unanimously approved AB 713, which would amend the CCPA to, among other things, provide clarity regarding the definition of “de-identified” and the law’s application to research activities. AB 713 would also introduce new transparency requirements for sales and disclosures of de-identified information.
AB 713 has been referred to California’s Senate Judiciary Committee. As businesses seek to comply with the CCPA by the July 1 enforcement deadline, they should monitor developments related to AB 713 to understand the scope of available exceptions and whether they will need to provide notice of sales and disclosures of de-identified information in their online privacy policies.
An earlier version of the bill unanimously passed the California Assembly in May 2019, suggesting that it has broad support, though it remains unclear at this time if AB 713 will ultimately become law.
Bill Eliminates HIPAA Ambiguity
Currently, the CCPA excludes de-identified data from its definition of personal information, defining “de-identified” as information that “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business [implements certain safeguards].”
This definition does not clarify whether information de-identified pursuant to HIPAA would be considered de-identified under the CCPA. AB 713 would eliminate this ambiguity by excepting from the CCPA personal information de-identified pursuant to HIPAA if certain conditions are met. AB 713 also excepts personal information gathered for medical research and personal information used for certain public health and safety activities.
Exception for De-Identification
Under AB 713, personal information is excepted from the requirements of the CCPA if it:
- is de-identified pursuant to HIPAA;
- is derived from protected health information or individually identifiable health information as defined in HIPAA, medical information as defined in the California Confidentiality of Medical Information Act (CMIA), or identifiable private information as defined in the Federal Policy for the Protection of Human Subjects (the Common Rule); and
- is not re-identified or subject to re-identification attempts by a business or its business associate.
AB 713 would appear to eliminate any conflict between the de-identification standards in HIPAA and the CCPA. This would reduce the burden of CCPA compliance and help not only covered entities and business associates, but also other types of businesses that hold de-identified health information. Because the exception is conditioned on the third element above, a business relying on it should be prepared to show that it neither re-identifies the data nor attempts to do so.
Notice of Sale or Disclosure of De-Identified Personal Information
AB 713 imposes new notice requirements on entities that use de-identified health information. It requires businesses that sell or disclose de-identified health information to state in their online privacy policies:
- that they engage in such sale or disclosure; and
- whether the information was de-identified pursuant to the HIPAA safe harbor or expert determination methods.
If enacted, this would require many HIPAA covered entities to state in their online privacy policies that they sell or disclose de-identified health information. For many such entities this would be a new practice, given that HIPAA does not require covered entities to discuss disclosures of de-identified information in their notices of privacy practices.
Moreover, AB 713 would affect non-HIPAA covered entities, including life science and health information technology companies, many of which use and disclose de-identified health information for a wide variety of purposes, including data monetization initiatives.
Given the recent media focus on disclosures of health information to information technology companies, such a disclosure requirement may draw increased scrutiny of companies’ uses of de-identified information from privacy advocates and regulators.
Exceptions for Research
Currently, the CCPA contains an exception for information collected in clinical trials, which covers: “Information collected as part of a clinical trial subject to the [Common Rule], pursuant to good clinical practice guidelines issued by the International Council for Harmonisation [ICH GCP] or pursuant to human subject protection requirements of [FDA].”
Because the term “clinical trial” is not defined in the CCPA, the precise contours of this exception are unclear.
AB 713 excepts: (1) personal information collected for or used in biomedical research that is subject to institutional review board (IRB) standards and the requirements of the Common Rule, ICH GCP, or the human subject protection requirements of the FDA, and (2) personal information collected for or used in research subject to all applicable ethics and privacy laws if the information is either “individually identifiable health information” as defined in HIPAA or “medical information” as defined in CMIA.
These two exceptions would significantly ease the burden that the CCPA presents for the research community.
The first exception would exempt activities such as registry studies that are conducted with IRB oversight and that are subject to federal research regulations or ICH GCP, but that are not “clinical trials.”
The second exception would apply to research involving health information, even if IRB oversight is not required. This would be helpful for research that meets a Common Rule exemption, such as secondary research on existing data, which is not required to undergo IRB review.
It should be noted that because the first research exception focuses on “biomedical research” and the second applies only when “individually identifiable health information” or “medical information” is used in the research, other types of research, such as social science research, would not qualify for these exceptions, even when such research is subject to IRB oversight or the Common Rule.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Christine Moundas is a partner in Ropes & Gray’s health care practice in New York. She is also a co-head of the firm’s Digital Health Initiative. She provides strategic, regulatory, compliance, and transactional advice to health care providers, academic medical centers, digital health companies, pharmaceutical companies, medical device manufacturers, and investors. She also advises on data privacy, security, and breach matters.
David Peloquin is an associate in Ropes & Gray’s health care practice in Boston. He focuses his practice on advising universities, academic medical centers, pharmaceutical companies, medical device manufacturers, and information technology companies on issues related to human subjects research, animal research, and data privacy. His practice includes advising clients both in connection with transactional matters and compliance investigations.
Elana Bengualid is a law clerk in Ropes & Gray’s health care practice in New York.