The California legislature recently passed AB 713 which is an amendment to the California Consumer Privacy Act of 2018 (CCPA). This bill will take effect immediately on September 30, 2020 once Governor Gavin Newsom signs the legislation. The effect of AB 713 is that it adds Section 1798.146 to the CCPA, and states that the CCPA shall not apply to medical information that is governed by the California Confidentiality of Medical Information Act (CMIA) or to protected health information that is collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH).
Section 4 (A) of AB 713 states that to be exempt, the information must meet both of the following conditions:
- i) It is deidentified in accordance with the requirements for deidentification as set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations (HIPAA regulations).
- ii) It is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, CMIA, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
Additional provisions of the bill prohibit a business or other person from reidentifying information that was deidentified, unless a specific exception is met. Beginning January 1, 2021, the bill requires that contracts for the sale or license of deidentified information must include specific provisions relating to the prohibition of reidentification of information.
Specifically, Section 2 of the bill requires that businesses that sell or disclose medical information that was “deidentified in accordance with specified federal law, was derived from protected health information, individually identifiable health information, or identifiable private information to also disclose whether the business sells or discloses deidentified patient information derived from patient information and, if so, whether that information was deidentified pursuant to specified methods.”
So, what are the key takeaways from this amendment? Businesses that sell or license deidentified medical information will be required to update their privacy policies and to add specific provisions to contractual agreements regarding the prohibition of reidentification of medical information.