The California Consumer Privacy Act of 2018 (“CCPA”) took effect on January 1, 2020. Days later, on January 8, 2020, the California Senate Health Committee unanimously approved Senate bill A.B. 713 (the “Bill”) to establish new exemptions particularly relevant to the health care and life sciences industries. The Bill is currently with the Senate Judiciary Committee and would need to be passed by the full Senate and signed by the Governor before being enacted into law.
The Bill would increase flexibility and bring some needed clarification on the scope of CCPA requirements for life sciences and pharmaceutical companies conducting medical research. It would also significantly expand upon the current exemption in the CCPA that applies to information collected as part of a “clinical trial.” The term “clinical trial” is not defined in the law and it is unclear how it will ultimately be interpreted by the California Office of the Attorney General; however, if the Bill were enacted, it would clarify that personal information collected for other types of research that do not qualify as a clinical trial may be exempt as well. Under the Bill, the following two types of personal information would be exempt:
- Personal information that is collected for, or used in, biomedical research subject to institutional review board standards and the ethics and privacy requirements under the Federal Policy for the Protection of Human Subjects (also known as the Common Rule), good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the U.S. Food and Drug Administration (“FDA”); and
- Personal information that is collected for, or used in research, subject to all applicable ethics and privacy laws, provided that the information is either individually identifiable health information, as defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, or medical information governed by the California Confidentiality of Medical Information Act (“CMIA”).
The Bill specifies that “research,” as used above, shall have the meaning given that term in the HIPAA Privacy Rule.
Regulatory Oversight and Public Health Activities
Additionally, the Bill includes an exemption for personal information used by life sciences companies in connection with oversight and safety activities conducted to meet regulatory obligations. That new exemption would apply to:
- Personal information that the business uses only for the following purposes: (i) product registration and tracking consistent with applicable FDA regulations and guidance; (ii) public health activities and purposes as described in the HIPAA Privacy Rule; and (iii) activities related to quality, safety, or effectiveness regulated by the FDA, provided that the information is subject to all confidentiality and privacy provisions applicable under federal or state law (besides the CCPA), and it is not sold or used except as stated above.
HIPAA De-Identified Information
Another new exemption included in the Bill would apply to HIPAA de-identified information. This is significant because, currently, data sets that satisfy the HIPAA de-identification standard may not necessarily meet the standard for de-identification under the CCPA. That exemption would apply to:
- Information that is (i) de-identified in accordance with the requirements of the HIPAA Privacy Rule and (ii) derived from protected health information, medical information, individually identifiable health information, or identifiable private information, provided that the business or its business associates do not attempt to re-identify the information and do not actually re-identify the information.
Notably, the Bill defines the various terms used in this proposed exemption by reference to their meaning in the underlying laws (e.g., HIPAA Privacy Rule, the CMIA, and the Common Rule).
Unlike the other newly proposed exemptions, which apply to personal information that meets certain specified criteria, the final proposed exemption would exempt a particular type of business. It would apply to:
- A business associate of a covered entity governed by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, to the extent that the business associate maintains, uses and discloses patient information only in accordance with the legal requirements of such Rules applicable to protected health information.
In addition to the newly proposed exemptions, the Bill would also create a new requirement for businesses that sell or disclose personal information that has been de-identified in accordance with the HIPAA Privacy Rule. Such businesses would be required to state in their online privacy notice whether information de-identified under HIPAA had been disclosed in the previous 12 months and, if so, whether the de-identified information had been de-identified using the “HIPAA expert determination method” or the “HIPAA safe harbor method.”
Although this Bill is intended to broaden the current exemptions in the CCPA and harmonize the CCPA with other federal and state medical privacy and confidentiality laws, its text creates additional interpretation questions that will need to be explored. Further, the Bill would create a new requirement that businesses may find administratively burdensome to implement. We will continue to monitor the progression of this Bill and the CCPA’s overall implementation. For questions or if you would like to discuss this matter, please reach out to your regular Verrill attorney.