HB Ad Slot
HB Mobile Ad Slot
CCPA Amendment Exempts Deidentified Medical
Thursday, September 24, 2020

The California legislature recently passed AB 713 which is an amendment to the California Consumer Privacy Act of 2018 (CCPA). This bill will take effect immediately on September 30,  2020 once Governor Gavin Newsom signs the legislation. The effect of AB 713 is that it adds Section 1798.146 to the CCPA, and states that the CCPA shall not apply to medical  information that is governed by the California Confidentiality of Medical  Information Act  (CMIA) or to protected health information that is collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH).

Section 4 (A) of AB 713 states that to be exempt, the information must meet both of the following conditions:

  1. i) It is deidentified in accordance with the requirements for deidentification as set forth in Section 164.514 of Part 164  of Title 45 of the Code of Federal Regulations (HIPAA regulations).

  1. ii) It is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, CMIA, or the Federal Policy for the  Protection of Human Subjects, also known as the Common Rule.

Additional provisions of the bill prohibit a business or other person from reidentifying information that was deidentified, unless a specific exception is met. Beginning January 1, 2021, the bill requires  that contracts for the sale or license of deidentified information must include specific provisions relating to the prohibition of reidentification of information.

Specifically, Section 2 of the bill requires that businesses that sell or disclose medical information that was “deidentified in accordance with specified federal law, was derived from protected health information, individually identifiable health information, or identifiable private information to also disclose whether the business sells or discloses deidentified patient information derived from patient information and, if so, whether that information was deidentified pursuant to specified methods.”

So, what are the key takeaways from this amendment? Businesses that sell or license deidentified medical information will be required to update their privacy policies and to add specific provisions to contractual agreements regarding the prohibition of reidentification of medical information.

HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins