On June 11, 2020, the California Senate amended AB-713 to the California Consumer Privacy Act of 2018 (“CCPA”). The Senate’s recent amendments impose new contractual obligations on the use or sale of de-identified information and modify the exemption from the CCPA for information used for public health purposes. The California Assembly had originally passed AB-713 in 2019 to (1) explicitly carve out from coverage by the CCPA information de-identified pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, and (2) expand the CCPA exemption for information used for research purposes. AB-713 is intended to “preserv[e] access to information needed to conduct important health-related research that will benefit Californians.” The revised version of AB-713 containing the Senate’s recent amendments has not yet passed either house of the California legislature.
De-Identified Information and Re-Identification
The CCPA states that “Personal information” “does not include consumer information that is de-identified or aggregate consumer information.” AB-713 was first introduced in March 2019 and was intended to amend the CCPA to specifically address de-identified health information, noting that such information is outside the scope of the CCPA if (1) it is de-identified in accordance with the requirements for de-identification set forth in the HIPAA Privacy Rule, (2) it is derived from patient information (which includes identifiable private information, protected health information, individually identifiable health information or medical information), and (3) the information is not subsequently re-identified.
AB-713 also prohibits re-identification of de-identified patient information except for (1) a covered entity’s treatment, payment or health care operations; (2) public health activities or purposes; (3) research; (4) pursuant to a contract to conduct testing, analysis or validation of de-identification, or related statistical techniques (and only if the contract bans other uses or disclosures of the information and requires the return or destruction of the information upon completion of the contract); and (5) where otherwise required by law.
The Senate’s June 2020 Amendments to AB-713 add important new contractual requirements for de-identified patient information. Beginning in 2021, contracts for the sale or license of de-identified information that involve one or more parties residing or doing business in California must include:
- A statement that the de-identified information being sold or licensed includes de-identified patient information;
- A statement that re-identification, and attempted re-identification, of the de-identified information by the purchaser or licensee of the information is prohibited pursuant to the CCPA; and
- A requirement that, unless otherwise required by law, the purchaser or licensee of the de-identified information may not further disclose the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
Information Used in Research
The CCPA currently exempts from its scope “information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.”
AB-713, which was not modified in this regard by the Senate’s June 2020 amendments, expands that exemption to include “information that is collected, used, or disclosed in research, as defined in [the HIPAA Privacy Rule], including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.”
The revised exemption to the CCPA exemption in the original AB-713 for research purposes will cover a broader scope of activities, such as secondary research involving health information or biological specimens.
Use of Information for Public Health Activities
In response to the COVID-19 pandemic, the Senate modified the CCPA exemption for information used for public health purposes. The Senate’s version of AB-713 exempts information used for public health activities in accordance with the HIPAA Privacy Rule from many of the CCPA’s requirements such as the requirement to delete individuals’ personal information upon request. In contrast, the House’s version had exempted from the definition of “personal information” any information collected by a business that is used only for the following purposes:
- Product registration and tracking of products in accordance with applicable FDA regulations and guidance;
- Public health activities and purposes as described in the HIPAA Privacy Rule; and
- FDA-regulated activities related to quality, safety or effectiveness.
The amendment exempting information used for public health activities is particularly important given the COVID-19 pandemic. As we previously have noted, the Department of Health and Human Services has emphasized the permissibility under HIPAA of using and disclosing information for public health purposes in order to combat this pandemic.
If AB-713 is passed by both houses of the California legislature and signed into law by Governor Gavin Newsom, its provisions will take effect immediately except for the de-identification contractual requirements.