New Bill Would Aid CCPA Compliance for HIPAA Business Associates
A new bill in California would amend the CCPA and further health data exemptions - namely data that's been de-identified in the eyes of HIPAA.
The California Consumer Privacy Act (CCPA) hasn't even been in effect for a full month yet - enforcement by the California Attorney General (AG) doesn't even kick into until July 1, 2020 - but that isn't stopping stakeholders there from attempting to pass new bills to piggyback on the legislation.
One of those bills, AB 713, which would amend the CCPA to except additional categories of health information, was unanimously approved earlier this month by the California State Senate Health Committee.
If passed, the bill could help ease compliance for healthcare organizations – specifically those that specialize in medical research and safety – by creating an exception based on HIPAA-style expert determination.
In its current iteration, the CCPA doesn't regulate personally identifiable information (PIII) collected by HIPAA covered entities or businesses. AB 713 would except from CCPA requirements data de-identified in accordance with HIPAA, medical research data, personal data used for public health and safety activities, and patient information maintained by HIPAA business associates.
The goal of the bill to clear the air around how both HIPAA and the CCPA deidentified data.
By making it so the CCPA doesn't apply to what HIPAA considers de-identitifed information, the bill should cut down on inconsistencies made by HIPAA-regulated entities. Entities that create data sets that include de-identified data but that aren't regulated by HIPAA, like life sciences companies, healthcare businesses, and research organizations.
Under AB 713, CCPA would except de-identified health information under the following three conditions:
- When the information is de-identified in accordance with a HIPAA de-identification method
- When the information is from PHI or as HIPAA refers to it, individually identifiable health information," "medical information" under the California Confidentiality of Medical Information Act (CMIA) or “identifiable private information” under HHS Common Rule regulations.
- The business doesn't actually, or attempt to, re-identify the information.
AB 713 also adds an exemption for personal information that's used in the following purposes:
- Product registration and tracking consistent with applicable FDA regulations and guidelines.
- Public health activities and purposes detailed in 45 CFR § 164.512
- FDA-regulated quality, safety, and effectiveness activities
The bill was approved just two days after Kevin Mullin, an assemblymember who represents the 22nd California Assembly District, introduced it; it seems likely the bill will be referred to the Senate Judiciary Committee next.