Despite intensive lobbying from industry groups, multiple amendments before its effective date, and extensive proposed regulations from the California attorney general, the California Consumer Privacy Act (CCPA) went into effect earlier this month with still many questions left unanswered:
- What compromises will be made regarding employee and business-to-business data?
- Will there be further insight into loyalty programs?
- Does the use of third-party cookies constitute a sale?
- What is the extent of the health care and research exemptions?
While these questions are on many businesses’ – and privacy attorneys’ – radar, one issue that may be resolved soon relates to clinical research data. If passed, proposed amendment AB 713 would harmonize the CCPA with the de-identification standards set forth in the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”) and provide other important clarifications for life sciences companies, medical researchers, and health care providers. Specifically, AB 713 covers five major principles:
- HIPAA De-identification. Although the CCPA already excludes de-identified data from its definition of personal information if general technical safeguards and business processes are used, the CCPA does not provide further insight into the specific standards required for de-identification. AB 713 specifically excludes personal information if that information (a) has been de-identified pursuant to the two methodologies permitted under HIPAA: by expert determination or by removal of the specified 18 identifiers, (b) is derived from protected health information (PHI) as defined by HIPAA, “medical information” as defined by the California Confidentiality of Medical Information Act (CMIA), individually identifiable health information as defined by HIPAA, or identifiable private information subject to the Federal Policy for the Protection of Human Subjects (Common Rule), and (c) a business or its business associates does not reidentify or attempt to reidentify the de-identified personal information.
- Business Associates. AB 713 exempts HIPAA business associates to the extent that they use and disclose PHI in accordance with the requirements of HIPAA, even if the underlying PHI was not technically subject to HIPAA (for example, if the medical provider gathering PHI does not accept insurance).
- Medical Research. AB 713 provides an exception to the CCPA for personal information collected for or used in biomedical research that is subject to institutional review board (IRB) standards and the ethics and privacy laws of the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the Food and Drug Administration. AB 713 also revises the existing clinical trial exemption to make it clear that either of the three listed standards could apply. Together, the proposed new language and revisions would provide much-needed clarity and relief to health care and life sciences companies who have had ongoing questions about the scope of the clinical research exemptions to the CCPA.
- Product and Medical Device Tracking. AB 713 also provides a limited carveout for personal information collected by a business for product registration and tracking consistent with U.S. Food and Drug Administration (FDA) regulations, activities related to quality, safety or effectiveness regulated by the FDA, or for other federally regulated public health activities and purposes. This exemption, however, applies only to some of the provisions of the CCPA; the disclosure and breach enforcement provisions would still apply.
At the time of this writing, AB 713 passed unanimously out of the California Senate Health Committee and has been referred to the judiciary committee. AB 713 currently has significant support from life sciences, pharmaceutical, and medical research groups and no apparent opposition.
As businesses seek to substantially comply with an ambiguous new law, the legislature’s amendment process will hopefully be a source of guidance over the coming year. It is promising that the legislature is already working to find a balance between consumer data protections and medical innovations that could lead to more effective medications, less invasive procedures, easier disease detection, and life-saving treatments. While we wait for additional guidance, businesses should continue their CCPA compliance efforts, but they should also watch the amendment process to see what the legislature does next.