The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come.
We describe these issues below and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.
1. Some, but not all, health and life sciences entities are exempt from the CCPA. Determine what data is covered by the CCPA.
The CCPA includes several exemptions that may permit health and life sciences companies to limit their compliance obligations or exempt their activities entirely. The exemptions that are particularly important for health and life sciences companies include:
- Non-profit entities.
- HIPAA covered entities and business associates.
- Health care providers subject to CMIA.
- Clinical trials subject to the Common Rule.
Determining the scope of each of these exemptions and how they apply to a company will require careful analysis.
As a starting point, determine whether the company qualifies as a business under the CCPA’s definition or if it may be subject to the CCPA by its relationships with for-profit businesses.
The CCPA imposes obligations on for-profit “businesses” that meet specific threshold requirements. The CCPA does not appear to apply to non-profit entities, which may include hospitals and research institutions that do not operate “for the profit or financial benefit” of their owners.
However, even organizations that do not qualify as a “business” may nonetheless need to evaluate their data sharing arrangements and partnerships with CCPA-covered entities. For example, a non-profit research institution that is controlled by a for-profit business and shares common branding or a non-profit charitable subsidiary of a for-profit parent company may be subject to the CCPA.
Depending on the nature of the relationship and types of activities the non-profit engages in, the non-profit could also be subject to certain requirements under the CCPA as a third party.
As part of a company’s assessment, identify what types of personal information the company collects and the different manners in which it maintains the data.
The CCPA exempts all “protected health information” (PHI) collected by “Covered Entities” and “Business Associates” subject to HIPAA. It also exempts any patient information maintained by a Covered Entity to the extent the Covered Entity maintains the patient information in the same manner as PHI.
Together, these exemptions emphasize the need to clearly identify whether and how HIPAA applies to a company’s operations. As a company evaluates how the HIPAA exemption may apply to its activities, consider:
- Is the company a Covered Entity? Covered Entities include many health plans, health care clearinghouses, and health care providers that transmit PHI electronically in connection with a HIPAA-regulated transaction (e.g., claims, benefit eligibility inquiries, or referral authorization requests).
- Is the company a Business Associate? Business Associates do not have to be a particular type of entity or engage in certain transactions. Rather, a company can become a Business Associate based on its relationship with a Covered Entity involving the receipt, creation, maintenance, or transmission of PHI.
- Is the data PHI? Under HIPAA, PHI is broadly defined to include individually identifiable health information transmitted or maintained by a Covered Entity or its Business Associates in any form or medium that may identify an individual and relates to the individual’s health care.
Importantly, the CCPA does not categorically exempt all data-related operations of Covered Entities and Business Associates. Instead, the CCPA expressly exempts PHI collected by a Covered Entity or Business Associate that is governed by HIPAA. Data that is not PHI is not automatically exempted even if it is maintained by a Covered Entity or Business Associate. Data that is maintained by a Covered Entity “in the same manner” as PHI under HIPAA also is exempt, but the scope of this exemption is not clear—and Business Associates are not expressly listed in this exemption.
As a result, companies subject to HIPAA should carefully analyze what patient information they maintain as PHI and what patient information they maintain outside of HIPAA. For example, information obtained pursuant to certain authorizations, types of research data, or other HIPAA-exempt information like workers’ compensation data may not be governed by HIPAA or maintained in the same manner as PHI. This data may not be eligible for the CCPA exemption.
Revisit determinations of what data and portions of a company are subject to the CMIA and re-evaluate this analysis in light of the CCPA.
The CCPA also exempts “medical information,” as well as a “provider of health care” covered by the CMIA to the extent the provider maintains patient information in the same manner as medical information. Determining what is medical information and who is a provider of health care under the CMIA have long been complicated assessments for health and life sciences companies such as pharmaceutical and device manufacturers.
It will be important for a company to assess the scope of the CMIA’s application to its activities and various types of data. Some considerations in making that assessment:
- Is the company a provider of health care? The CMIA generally applies to health care providers, health insurers, and individuals or businesses they contract with that have access to medical information. The CMIA defines provider of health care broadly to include pharmacies, health care facilities, doctors, dentists, psychologists, therapists, hospices, outpatient health facilities, and home health entities.
- Does the company maintain medical information on behalf of a health care provider? The CMIA applies to entities beyond traditional health care providers. For example, entities such as pharmaceutical companies may be subject to CMIA requirements but unable to benefit from the CMIA exemption of the CCPA if they do not fall within the CMIA’s definition of a provider of health care.
- Is the data medical information? The CMIA defines medical information as any individually identifiable information in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. Individually identifiable information includes the patient’s name, address, email address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
Similar to HIPAA, the CCPA does not exempt all data-related operations of a CMIA-covered provider of health care. Instead, the CCPA expressly exempts medical information collected by a provider of health care that is governed by the CMIA. Patient information is exempt only if it is maintained by a provider of health care in the same manner as medical information under the CMIA.
Clinical Trial Exemption
For companies that conduct research, evaluate research studies and clinical trials to determine the extent to which the clinical trial exemption applies.
The CCPA exempts information collected “as part of a clinical trial,” to the extent the clinical trial is subject to the Federal Policy for the Protection of Human Subjects (the Common Rule), pursuant to the clinical practice guidelines issued by the International Council for Harmonisation or the human subject protection requirements of the U.S. Food and Drug Administration.
Common Rule requirements generally apply to biomedical and/or behavioral research involving human subjects and outline the criteria and mechanisms for Institutional Review Boards’ evaluation of human subjects research. The Common Rule, however, does not automatically apply to all clinical trials, but rather to human subjects research conducted or supported by a federal department or agency.
Non-government-funded clinical trials and research organizations often adhere to the Common Rule voluntarily. The CCPA does not specify whether voluntary adherence to the Common Rule will bring the clinical trial data within the scope of the exemption. Some may wish to clarify this through further legislative amendments or future guidance.
In the meantime, identify the types of research and clinical trials the company engages in and determine whether these activities are subject to, or comply with, the Common Rule’s requirements.
2. The CCPA grants individuals additional rights. Assess whether the company needs to develop or update policies and procedures for individual rights requests.
While the company may have existing practices for accommodating individual rights, evaluate existing procedures for responding to new individual rights requests and develop additional policies where necessary.
The CCPA grants individuals new rights with respect to their personal information including the right to access, request deletion, be informed of certain transactions, opt-out of or opt-in to sales, and receive equal service and price even if they exercise their rights. It also provides a limited private right of action related to data breaches.
Covered Entities and Business Associates are familiar with responding to individuals’ rights requests under HIPAA and have processes in place to receive, verify, and respond to rights requests that are likely more advanced than those of companies not subject to HIPAA.
These HIPAA obligations will likely remain unaffected because PHI maintained by Covered Entities or Business Associates is eligible for the CCPA exception. As noted above, however, Covered Entities and Business Associates may maintain data not subject to HIPAA that may be subject to the new CCPA rights requirements. In these cases, Covered Entities and Business Associates may need to reevaluate their processes for compliance with individual rights requests to adhere to HIPAA, CCPA, and other applicable requirements. And entities not subject to HIPAA will need to institute procedures for responding to the individual rights granted by the CCPA.
3. The CCPA’s definition for “deidentified” data differs from traditional standards. Evaluate existing processes for deidentification and definition of deidentified data.
If the company collects and maintains deidentified data, identify and evaluate the methods for deidentification and map the resulting deidentified data to the CCPA’s definitions and requirements.
The CCPA and HIPAA articulate different standards for deidentified data. As a result, it is possible to read the two standards and identify circumstances where data may be considered deidentified according to HIPAA’s Privacy Rule, yet not deidentified under the CCPA’s definition. Additionally, deidentified health information that meets HIPAA’s standard of deidentification is no longer PHI and may then fall out of the HIPAA exemption and into the CCPA if it is not considered deidentified under the CCPA.
The CCPA does not apply to “deidentified” data, defined by the CCPA as information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a company that uses deidentified information:
- Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
- Has implemented business processes that specifically prohibit reidentification of the information.
- Has implemented business processes to prevent inadvertent release of deidentified information.
- Makes no attempt to reidentify the information.
While aspects of this definition will be familiar to those used to the HIPAA standard for deidentification, the two standards do not entirely overlap, and the CCPA does not explicitly acknowledge that information considered deidentified by HIPAA would be sufficient to meet its definition. There may be circumstances and types of data where information could be considered deidentified under HIPAA, while not deidentified under the CCPA.
4. The CCPA’s broad definition of “sale” may encompass routine disclosures. Determine if the company’s disclosures could now be considered sales of data.
Nearly all health and life sciences companies engage in data sharing in one form or another. Assess the company’s data sharing arrangements and agreements with third parties and service providers in light of the CCPA’s expansive definition.
As discussed in the Key Terms blog post, the CCPA defines a “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” This definition is sweeping and may potentially pick up routine disclosures in the health and life sciences industry.
Data sharing and other types of service provider relationships are common in health care, and, unless an exemption applies, disclosures in those relationships may be considered “sales,” especially when there is monetary or other valuable consideration involved. If these disclosures are “sales,” a number of individual rights will attach.