On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect. The CCPA gave state residents additional privacy protections and new rights over their personal information.
Healthcare data protected by California's Confidentiality of Medical Information Act (CMIA) and by the HIPAA Rules is not covered by the CCPA; nonetheless, the CCPA can still create compliance problems for healthcare companies.
The objective of the new bill (AB 713) is to simplify compliance by adding further categories of data to the CCPA exemptions: health data de-identified under the HIPAA Rules, personal information used for public health and safety purposes, medical research data, and health data that business associates of HIPAA-covered entities have collected, retained, or used. The State Senate Health Committee voted unanimously to approve the bill in January 2020.
The exemption for de-identified health information matters because HIPAA and the CCPA define de-identified data differently. Data that is de-identified under HIPAA can still contain information the CCPA treats as personal information: HIPAA only requires the removal of identifiers that could be used to identify the patient, not identifiers of providers or employees, which the CCPA covers.
AB 713 adds a new exemption for medical data de-identified under HIPAA, provided the data meets three conditions:
- the data is de-identified in accordance with 45 CFR § 164.514(b), using either the safe harbor method or the expert determination method;
- the data is derived from medical information, protected health information, individually identifiable health information, or identifiable private information as defined under the Federal Policy for the Protection of Human Subjects (the Common Rule); and
- the business or business associate does not attempt to re-identify individuals from the data.
The exemption applies to data de-identified to the HIPAA standard, and it is available to businesses that are not themselves HIPAA-covered entities.
Even where de-identified data is exempt under AB 713, a business that shares de-identified data with third parties must disclose this in a public notice to consumers, and the notice must state which de-identification method was used.
The bill also exempts further categories of personal information, such as data used for research or collected in clinical trials under the Common Rule. Specifically, AB 713 exempts personal information collected or used in
- biomedical research studies subject to institutional review board (IRB) standards
- research subject to the FDA's human subject protection requirements
- research conducted in accordance with all applicable ethics and privacy laws
- research subject to the Common Rule's ethics and privacy standards
- medical information protected by the California Confidentiality of Medical Information Act (CMIA)
- individually identifiable health information as defined in 45 CFR § 160.103
- research conducted under the International Council for Harmonization's good clinical practice guidelines
AB 713 furthermore exempts personal information used for the purposes listed below, provided the information is subject to confidentiality and privacy protections under federal or state law:
- Product registration and monitoring consistent with applicable FDA rules and regulations
- Quality, safety, and efficacy activities regulated by the FDA
- Public health activities and functions described in 45 CFR § 164.512