
California Approves CCPA Exceptions for HIPAA De-Identified Information and Other Health Data


On September 25, 2020, the California Governor approved AB-713, which amends the California Consumer Privacy Act. The amendment should ease compliance challenges for the health care and life sciences industries and more closely align the CCPA with HIPAA and other laws governing medical research.

AB-713 exempts from the CCPA information de-identified in accordance with the HIPAA requirements if the information is derived from certain protected health and medical information and the business neither attempts to reidentify nor actually reidentifies the information. This exemption is intended to address inconsistencies between the HIPAA and the CCPA de-identification standards and could be available to research institutions and life science companies that process protected medical information but are not themselves subject to HIPAA.

AB-713 further exempts from the CCPA all HIPAA business associates to the extent that they maintain, use or disclose patient information in the same manner as protected health information. Thus, if business associates collect patient information through a channel that is not regulated by HIPAA, they would not need to comply with the CCPA if they apply HIPAA protections to such information. AB-713 also expands an exception for information collected as part of clinical trials to all information that is collected for, used in, or disclosed in medical research carried out in accordance with the applicable rules and regulations.

AB-713 additionally prohibits a business or other person from reidentifying information that was deidentified, unless a specified exception is met. It would, beginning January 1, 2021, require a contract for the sale or license of deidentified information to include specified provisions relating to the prohibition of reidentification.

AB-713 also requires a business that sells or discloses information that was deidentified in accordance with specified federal law and was derived from protected health information, individually identifiable health information, or identifiable private information to also disclose whether the business sells or discloses deidentified patient information derived from patient information and, if so, whether that information was deidentified pursuant to specified methods.
