On September 25, 2020, California Governor Gavin Newsom signed AB 713 (the “Amendment”) into law, amending the California Consumer Privacy Act (“CCPA”) to implement exceptions related to consumer health data. Specifically, the CCPA amendment addresses inconsistencies between data protection afforded under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the CCPA, respectively. The Amendment took effect on September 30, 2020. 

What does the CCPA Amendment cover?

Analyzing the CCPA Amendment

The latest CCPA amendment helps align the CCPA with HIPAA so that the health care and life science industries do not remain uncertain as to their respective compliance obligations. Here are some of the key Amendment provisions:

  • Prior to the Amendment, it was possible for de-identified data under HIPAA to still be considered “personal information” under the CCPA. Under the CCPA, the definition of “Personal Information” excludes “consumer information that is de-identified.” With enactment of the Amendment, the CCPA will, effectively, defer to the de-identification standard contained in HIPAA, as long as: 1) the applicable information was originally collected by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (“CMIA”), or the Federal Policy for the Protection of Human Subjects; and 2) the information at issue has not been subsequently re-identified;
  • Businesses regulated by the CCPA are prohibited from re-identifying de-identified information, except for one of the following purposes: 1) treatment, payment, or health care operations conducted by a HIPAA regulated entity; 2) public health activities or purposes described under HIPAA; 3) research; 4) pursuant to a contract in order to conduct testing, analysis, or validation of de-identification, or related statistical techniques; or 5) as required by law;
  • Effective January 1, 2021, businesses selling or licensing personal health information must include the following provisions in their contracts: 1) a statement that the de-identified information that is being sold or licensed contains de-identified patient information; 2) a statement that the purchaser or licensee of the information cannot re-identify, or attempt to re-identify, the de-identified information; and 3) that the purchaser or licensee cannot share the de-identified information with any third party unless the third party is bound by the same restrictions contained in the contract; and
  • CCPA privacy policies must be updated by businesses that sell or share information that was de-identified to disclose to their consumers the method by which the information was de-identified.

CCPA Compliance

Readers of this blog know that we have been monitoring CCPA implementation and providing necessary compliance updates. Amendments like this one, and future enforcement actions brought by the California Attorney General’s Office, will help provide regulatory compliance clarity to the marketing industry. By now, businesses should already be CCPA compliant. If they are not, companies should be working diligently to get complaint as soon as possible.