Article written by Haim Ravia and Dotan Hammer
On September 25, 2020, the Governor of California signed into law an amendment to the California Consumer Privacy Act (CCPA) that deals with de-identified health information. According to the newly amended provisions of the CCPA, protected health information originally subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) or other similar medical data laws, which is subsequently de-identified per the HIPAA standard for de-identification, is exempted from most CCPA obligations, so long as it is not re-identified.
Second, the amendment to the CCPA generally bans re-identification of previously de-identified health data, except where such re-identification is needed for HIPAA-governed activities, is required by law, or where necessary for testing, analysis, or validation of de-identification techniques.
Third, the new amendment to the CCPA requires that a business’s privacy policy state whether the business sells or discloses de-identified patient information derived from patient information and, if so, whether that patient information was de-identified according to HIPAA’s expert-determination method or the HIPAA safe-harbor method.
Additionally, as of January 1, 2021, any contract for the sale or license of de-identified health information, where one of the parties resides or does business in California, must include provisions prohibiting actual or attempted re-identification of the de-identified information, and must flow down the same restriction to any onward recipient of the data.
Separately, on September 12, 2020, the California Senate passed the Parent’s Accountability and Child Protection Act, but on September 29, California Governor Gavin Newsom vetoed it, explaining that because of the overlap with the federal Children’s Online Privacy Protection Act (COPPA), “the bill would not meaningfully expand protections for children and it may result in unnecessary confusion”. The bill would have prohibited a social media service from allowing a person who it knows is under 13 years of age to create an account absent parental consent.