Update: The Governor signed the law on Friday, September 25, 2020.
Life science and healthcare companies operating in California face unique challenges regarding California Consumer Privacy Act (CCPA) compliance because of existing inconsistencies between the CCPA and the Health Insurance Portability and Accountability Act (HIPAA). California Assembly Bill (AB) 713 addresses these inconsistencies by easing burdens imposed by the CCPA on medical research and by bringing certain provisions of the CCPA in line with HIPAA and other federal and state health data regulations. At the same time, the bill will impose additional requirements on the use of deidentified health data. AB 713 has passed the California legislature unanimously and will be signed or vetoed by Governor Newsom by September 30, 2020. If signed, the bill will immediately go into effect.
AB 713 addresses inconsistencies between the CCPA and existing federal regulations for health data by (i) providing that data is exempt from the CCPA if it was deidentified in accordance with HIPAA and was derived from patient information originally governed by HIPAA, the California Confidentiality of Medical Information Act, or the federal Common Rule for federally funded research; (ii) broadening the exemption in the CCPA for clinical trial data to apply more broadly to research data; and (iii) clarifying that business associates of covered entities are exempt in the same manner as covered entities to the extent that they maintain patient information in the same manner as protected health information or medical information.
AB 713 also creates new obligations with respect to health data. It is the first legislation in the United States to ban the reidentification of previously deidentified health data, subject to certain exceptions. For businesses that sell or disclose deidentified data derived from patient information, AB 713 requires them to include notice of such practice, as well as a statement about the HIPAA deidentification methods used, in their privacy policies. Finally, for contracts entered into after January 1, 2021, for the sale or license of deidentified patient information, AB 713 imposes new requirements if a party to the contract is a California resident or does business in California. Importantly, the scope of this new contractual requirement is broader than the scope of the CCPA itself, which applies only to “businesses,” as defined by the CCPA.
If finalized, the provisions of AB 713 will be added as new code sections to the California Civil Code, a move intended to prevent such provisions from being superseded by the possible enactment of the California Privacy Rights and Enforcement Act, which is on the November ballot. Organizations doing business in California should therefore start preparing themselves for the implications of AB 713 (should it go into effect) rather than waiting to see what happens in November. Entities collecting or processing health data should take steps to:
- Update their existing privacy policies to disclose whether they sell or disclose deidentified health data, and if so, which HIPAA-approved deidentification methods they use.
- Update their template contracts and ensure that new contracts entered into beginning in January 2021 for the sale or license of deidentified patient information include these terms (or substantially similar ones):
  - A statement that the deidentified information being sold or licensed includes deidentified patient information;
  - A statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited; and
  - A requirement that, unless otherwise required by law, the purchaser or licensee not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
- Evaluate business practices to ensure that deidentified health information is not reidentified unless one of the exceptions in AB 713 applies. Note that AB 713 contains a new definition of “reidentify.” If reidentified, deidentified health data will no longer be eligible for the exception to the CCPA, and such data will again be subject to applicable law, including HIPAA, the CCPA, and/or other law.