Gov. Gavin Newsom recently approved A.B. 713, a bill that creates further CCPA exceptions for healthcare and research information. The bill is especially potent in the COVID-19 era where the need for medical research is greater than ever.
A.B. 713 presents a few notable changes from prior versions of the CCPA. First, the amendment expands the prior exemption for clinical trials to now include information that is collected, used, or disclosed in “research.” Research is broadly defined in Section 164.501 of HIPAA as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”
Second, the amendment expressly exempts information that is deidentified pursuant to either the expert determination method or safe harbor method provided for in Section 164.514 of HIPAA. It is also a requirement that the information is “collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.” Furthermore, an entity that sells or discloses deidentified patient information must disclose in its online privacy policy which method was used to deidentify the information.
Third, the amendment makes clear that information that is “reidentified shall no longer be eligible for the exemption” except under the following circumstances:
- Treatment, payment, or healthcare operations conducted by a covered entity or business association acting in accordance with HIPAA;
- Research, as defined in Section 164.501 of HIPAA, that is consistent with the Common Rule;
- Public health activities as described in Section 164.512 of HIPAA;
- Pursuant to contract; or
- If otherwise required by law.
Finally, the amendment provides that beginning January 1, 2021, any contract for the sale or license of deidentified information must include language that (1) the information being sold or licensed includes deidentified information; (2) a statement that reidentification is prohibited; and (3) a statement that the purchaser or licensee may not further disclose the deidentified information to a third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
In a time of unprecedented changes, expect to see additional developments in state privacy laws —especially privacy laws that concern healthcare. Stay informed as we continue to monitor those developments.