On September 25, 2020, Governor Gavin Newsom signed into law California AB 713, which amends the California Consumer Privacy Act (CCPA) to create expanded exceptions for: HIPAA business associates; information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and information collected, used or disclosed in certain human subjects research. AB 713 reflects an intense lobbying effort by medical technology, pharmaceutical, and other health and life sciences industry stakeholders. AB 713 became effective immediately following Governor Newsom’s signature, as the bill included an urgency clause calling for immediate action to mitigate the CCPA’s potential negative impact on health-related research.
AB 713 eases some of the CCPA compliance challenges experienced by the health care and life sciences industries by more closely aligning the CCPA with HIPAA and other laws governing human subjects research. However, AB 713 also creates new compliance obligations by requiring entities subject to requirements for “businesses” under the CCPA, as well as other entities residing or doing business in California, to include certain provisions in license agreements or other contracts for the sale or license of de-identified patient information. While AB 713 becomes effective immediately, as discussed below, it requires compliance with the new contracting requirement beginning January 1, 2021.
We summarize below the salient provisions of AB 713.
Exception for De-identified Patient Information
AB 713 provides relief to health care, life sciences and other organizations that have been grappling with how to achieve compliance with the previously inconsistent de-identification standards under HIPAA and the CCPA. Without AB 713’s CCPA amendment, it was possible for data that has been de-identified under the HIPAA de-identification standard to constitute “personal information” under the CCPA because the CCPA and the HIPAA Privacy Rule include different language for their respective de-identification standards. This has complicated CCPA-regulated businesses’ strategies for licensing or otherwise commercializing HIPAA de-identified data. For example, HIPAA protected health information that has been de-identified under HIPAA may still contain identifiers of California physicians or other individuals who serve patients. These identifiers may have constituted “personal information” under the CCPA when held by a CCPA-regulated business, creating a right under the CCPA for the individuals to opt out of sales of the personal information. For more information about the inconsistent HIPAA and CCPA de-identification standards, see our On the Subject.
AB 713 resolves the potential disconnect between the CCPA and HIPAA’s de-identification standards by expressly providing that the CCPA does not apply to information that meets the following conditions:
- The information has been de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method).
- The information was derived from patient information that was originally collected, created, transmitted or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA) or the Federal Policy for the Protection of Human Subjects (Common Rule). “Patient information” means protected health information or individually identifiable health information under HIPAA, identifiable private information under the [...]