California recently enacted an amendment to the California Consumer Privacy Act (CCPA) to clarify how the law interacts with the Health Insurance Portability and Accountability Act (HIPAA). This change may affect: (1) employers who sponsor group health plans that cover California residents; (2) health care providers, insurers and other HIPAA covered entities who treat or cover California residents; and (3) HIPAA business associates who have information about California residents.
The CCPA applies to certain for-profit businesses that collect personal information about California residents. A business that is subject to the CCPA must disclose its data collection and sharing practices; must respond to certain requests by California residents about their information; and, if the business sells personal information, must give California residents the right to opt out of the sale of their information. For more information about the CCPA, and which businesses are subject to its requirements, see our prior article here.
Under the recent amendment:
- Medical information governed by the California Confidentiality of Medical Information Act (CMIA) or by HIPAA, including deidentified data derived from the medical information, is exempt from the CCPA’s requirements.
- To the extent that deidentified data derived from medical information is reidentified, the reidentified data loses its exemption under the CCPA and also becomes subject to HIPAA and the CMIA.
- In situations involving sale or licensing of deidentified data derived from medical information, the business selling or licensing the deidentified data:
  - Must disclose to California residents the fact that it sells or licenses deidentified data derived from medical information and whether the information was deidentified under one of the methods described in HIPAA regulations.
  - If one of the parties to the sale or licensing agreement is residing in or doing business in California, then by January 1, 2021, the contract must include certain restrictions on the reidentification of the information.
Note that the CCPA broadly defines “sale” to include any disclosure or sharing of data for monetary or other consideration. While the CCPA does not define “license,” the term can broadly refer to any kind of contractual consent. Some HIPAA business associate agreements authorize a business associate to deidentify the covered entity’s information and then grant permission to the business associate to use that deidentified information for the business associate’s own purposes. A court could construe a HIPAA business associate agreement that grants the business associate express or implied permission to use deidentified data as authorizing a “sale” or a “license” of deidentified medical information, requiring the additional disclosures and the contractual terms described above.
Businesses should move quickly to evaluate the potential impact of the new law, as it is effective immediately and requires that agreements be amended by January 1, 2021. A business should consider whether it is subject to the CCPA or does business with a customer that is subject to the CCPA, whether it shares or receives deidentified information derived from medical information, or whether it shares medical information with or receives medical information from another business that is then deidentified. Even businesses that are not subject to HIPAA may have to comply with these new requirements.
If you need assistance with this new law or with the CCPA generally, please contact Norbert Kugele, Kelly Hollingsworth, Stephanie Grant or any other member of Warner’s Cybersecurity and Privacy or Employee Benefits/Executive Compensation Practice Groups.