California amends consumer privacy act on medical information and health privacy

Gavin Newsom, the governor of California, USA has signed amendments of the California Consumer Privacy Act (CCPA) into law. The bill A.B. 713, which came into force immediately, addresses the CCPA’s exemptions and requirements related to both patient medical information and businesses that are subject to the Health Insurance Portability and Accountability Act (HIPPA); the California’s Confidentiality of Medical Information Act (CMIA); and other laws on medical privacy and human subject research. 

With the enactment of A.B. 713, the CCPA does not apply to any information that is both: (a) derived from personal health information, medical information covered by the CMIA, or identifiable private information under with the Federal Common Rule for human research subjects; (b) deidentified pursuant to the HIPAA standards. The amendment may help reduce the compliance burden for businesses that are not regulated by the HIPAA but receive HIPAA deidentified information for their own research or business purposes. 

In addition, while A.B. 713 requires that CCPA covered businesses must not reidentify or attempt to reidentify any information that was deidentified pursuant to the HIPAA rules, the amendment permits reidentification of deidentified patient information, pursuant to contract. Such a contract must provide that (a) the purpose of the data processing is limited only to testing, statistical analysis, or validation of deidentified data; (b) the deidentified data must be returned or destroyed at the end of the contract term. 

Moreover, A.B. 713 also requires a CCPA covered business that sells or discloses deidentified patient information to state the following in its online privacy notice: (a) a statement that the business sells or discloses deidentified patient information; (b) which HIPAA permitted methods were used to deidentify the patient information.