
HIPAA Exclusion and the California Consumer Privacy Act (CCPA)

 
The California Consumer Privacy Act (CCPA) provides a broad exclusion for organizations handling health and medical information under HIPAA, the federal privacy law governing such information, and the Confidentiality of Medical Informatioon Act (CMIA), the California state law expanding on those protections. However, despite the expansion of the CCPA exclusion by the California legislature in SB 1121 concerning the HIPAA exception and a new exception for clinical trial information, there remains a small area of personal information that such organizations will need to protect pursuant to the new California privacy law.

The CCPA excludes:

1. Medical information governed by the Confidentiality of Medical Information Act.

2. Protected health information collected by a covered entity or business associate governed by the HHS regulations on privacy, security and breach notification established as a result of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

3. Covered entities or business associates under HIPAA and health care providers under the Confidentiality of Medical Information Act, with respect to patient information that is maintained in the same manner as medical information under the CMIA or PHI under HIPAA.

4. Clinical trial information collected pursuant to the Federal Policy for the Protection of Human Subjects (the "Common Rule") under the specified good clinical practice guidelines or human subject protection requirements.

The HIPAA and CMIA exclusions were initially introduced in AB-375, which passed in June, and then expanded in SB-1121, which was adopted by the California legislature in August 2018 and signed by the California Governor in September.

SB 1121

Here is the current version of the CCPA with respect to patient information and health care organizations:

(c) (1) This title shall not apply to any of the following:
(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.
(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.
(2) For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.

AB 375

This is the original (previous) version of the CCPA with respect to the exclusion:

(c) This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of “medical information” in Section 56.05 shall apply and the definitions of “protected health information” and “covered entity” from the federal privacy rule shall apply.
