Lawmakers Propose CCPA Amendment to Further Except Healthcare and Research Information

Cybersecurity and Privacy Alert

Firm Alert

Author(s) ,

A little more than a week after California’s groundbreaking California Consumer Protection and Privacy Act (CCPA) went into effect on January 1, the Senate Health Committee unanimously approved A.B. 713, introduced by Assembly Member Kevin Mullin (D). If signed by Gov. Gavin Newsom, the proposed amendment will create further exceptions under the CCPA for personal information used for research and safety purposes.

Currently, the CCPA contains exceptions for certain categories of information. Notably, the CCPA presently excepts medical information and providers of healthcare governed by the Confidentiality of Medical Information Act. It also excepts protected health information collected by covered entities governed by the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act. In addition, the CCPA excepts information collected as part of certain clinical trials.

Proponents of A.B.713 seek to create further exceptions for covered entities, thereby clarifying the extent of the exemption for research. Specifically, the bill seeks to except information that meets all of the following conditions: (1) the information is deidentified in accordance with the HIPAA expert determination method or the HIPAA safe harbor method as set forth in Title 45 of the Code of Federal Regulations, meaning that the personal information cannot be linked to a consumer; (2) the information is consistent with the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, which is a rule of ethics regarding biomedical and behavioral research; and (3) neither the entity nor a business associate of the entity attempts to reidentify the information.

The bill also contains a section excepting personal information collected for, or used in, biomedical research, and personal information collected for, or used in, other types of healthcare-related research. Further, the amendment would except personal information that is used for research, product registration and tracking consistent with applicable United States Food and Drug Administration (FDA) regulations and guidance, as well as public health activities, and activities related to quality, safety, or effectiveness as regulated by the FDA. Moreover, the bill seeks to create an exception for a business associate of a covered entity if the business associate maintains, uses, and discloses patient information in accordance with applicable federal laws.

In alignment with the CCPA’s proclivity toward open disclosure to consumers, the bill would require a covered business to note in its online privacy policy whether the business discloses deidentified health information, and whether the deidentified health information was deidentified pursuant to the HIPAA expert determination method or the HIPAA safe harbor method.

As we move into 2020, expect to see additional developments in state privacy laws, including additional clarifications of the CCPA. Stay tuned as we continue to monitor those developments, including the progression of A.B. 713.