CCPA Amendment and Business Associates
Currently, the CCPA does not regulate protected health information (PHI) if that PHI is collected by either a HIPAA covered entity or a business associate. In August of 2020, the California Attorney General (“AG”) announced that its Office of Administrative Law (“OAL”) had approved the long-awaited California Consumer Privacy Act (“CCPA”) regulations. These regulations clarified some of the CCPA’s terms and their application. However, the regulations did not address a seeming gap left by the CCPA’s text: Covered entities are exempt from CCPA compliance to the extent that they maintain patient information in the same manner as PHI subject to HIPAA. However, as originally written, business associates were not given the same exemption. That is, business associates were not exempt from CCPA compliance to the extent they maintained patient information in the same manner as PHI subject to HIPAA.
The CCPA amendment closed this gap by providing an exemption from CCPA coverage to business associates. Under this amendment, business associates are exempt from CCPA to the extent that they maintain, use, or disclose patient information consistent with HIPAA requirements applicable to PHI.
CCPA Amendment and Deidentified Information
Before the CCPA amendment, the CCPA’s text was not clear on whether the law applied to information that was deidentified under HIPAA. The amendment clarifies that information deidentified under HIPAA is exempt from CCPA coverage. By making it clear that the CCPA does not apply to HIPAA deidentified information, the amendment reduces the compliance burden on providers, since the HIPAA definition of “deidentified information” and the CCPA’s definition are not consistent.
California entities should note that the CCPA exception for deidentified information under AB 713 applies to the deidentified information itself rather than to entities (business associates or covered entities). Therefore, the exception is available to businesses that are not HIPAA-regulated entities, but which create deidentified data sets in accordance with the HIPAA deidentification standard and otherwise meet certain conditions.
CCPA Amendment: New Notice Obligations for Deidentified Information
The CCPA amendment adds a new requirement to privacy policies. Under the amendment, businesses must now disclose whether they sell or disclose deidentified patient information that was derived from PHI. If they do sell or disclose this information, they must disclose whether the deidentification was performed in accordance with one of the two HIPAA Privacy Rule deidentification methods: the “expert determination” method or the HIPAA “safe harbor” method.
CCPA Amendment: New Contract Provisions
The amendment requires applicable businesses to include contract provisions, between the business and the buyer or licensee of information, whenever there is a sale or license of deidentified information. A business must include a provision in the license agreement or contract of sale to the effect that the deidentified information may not be reidentified by the buyer or licensee. The contract must also contain a provision that prohibits the receiving party (buyer or licensee) from further disclosing the deidentified information to third parties, unless those third parties are contractually bound by equal or stricter confidentiality measures.
Finally, the CCPA amendment clarifies what constitutes “research” information exempt from the CCPA’s terms. Per the CCPA amendment, information is exempt from the CCPA to the extent that information is:
◈ Collected, used, or disclosed in research (as that term is defined by the Privacy Rule); and
◈ Conducted in accordance with applicable federal rules and regulations on ethics, confidentiality, privacy, and security.
The main effect of the amendment is that registry studies conducted with Institutional Review Board (IRB) ethical oversight, but that do not constitute “clinical trials,” are exempted from the CCPA.