CCPA Amendment Creating De-Identified Health Information Exception Will Change How We Create and Use De-Identified Data

On August 31, 2020, the California state legislature passed Assembly Bill (AB) 713 which amends the California Consumer Privacy Act (CCPA) to exempt from its compliance requirements certain health information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Bill is currently awaiting signature by Governor Gavin Newsom. Once enacted, AB 713 will more closely align CCPA, HIPAA, and Federal Policy for the Protection of Human Subjects (the Common Rule) to ease the operational and compliance challenges posed by CCPA’s existing de-identification standard. However, AB 713 sets new requirements for consumer notice and licensing de-identified data. It will also change the way entities create de-identified data regardless of whether source data is from California consumers.

Fixing the Disconnect Between HIPAA and CCPA De-Identification
CCPA currently excludes de-identified data from its broad definition of personal information, defining “de-identified” as information that “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business [implements certain safeguards].” However, this definition does not clarify whether information de-identified pursuant to HIPAA is considered de-identified under the CCPA.

The potential inconsistency between HIPAA and CCPA de-identification standards poses a variety of operational and compliance challenges for the health and life sciences industry, including providers, data aggregators, and other health IT companies engaged in data sharing. These challenges stem from the risk that a data set de-identified in compliance with HIPAA could be deemed to constitute personal information under CCPA, triggering CCPA compliance obligations for an industry largely reliant on CCPA exemptions and exceptions.

AB 713 eliminates this disconnect and uncertainty by expressly excepting from the CCPA personal information that is de-identified pursuant to HIPAA if certain conditions are met:

1. The information is de-identified pursuant to HIPAA (i.e., expert determination or safe harbor method);
2. The information is derived from “protected health information” or “individually identifiable information” as defined in HIPAA, “medical information” as defined in California’s Confidentiality of Medical Information Act (CMIA), or “identifiable private information” as defined in the Common Rule; and
3. The information is not re-identified.

The exemption applies to a data set de-identified in compliance with HIPAA held by entities not directly regulated under HIPAA, CMIA, or the Common Rule if the data set originated from health data originally collected by an entity subject to these regulatory schemes. This is a helpful CCPA compliance clarification for health and life sciences entities like pharmaceutical and medical device manufacturers and research sponsors that regularly engage in data sharing.

Re-Identification Prohibition
AB 713 prohibits re-identification of de-identified patient information except for:

1. A covered entity’s treatment, payment, or health care operations purposes;
2. Public health activities or purposes as defined in HIPAA;
3. Research as defined in HIPAA and conducted in compliance with the Common Rule;
4. Pursuant to a contract to conduct testing, analysis or validation of de-identification, or related statistical techniques (and only if the contract bans other uses or disclosures of the information and requires the return or destruction of the information upon completion of the contract); and
5. Where otherwise required by law.

Re-identification of de-identified data will necessarily require an analysis as to whether CCPA applies to and authorizes re-identification. While this re-identification prohibition only applies to CCPA-regulated businesses and source data from California consumers, the nature of creating and using de-identified data sets often involves comingling data from individuals across the country. Managing a separate process for data originating from California consumers will be an operational challenge.

Updated Consumer Notice Requirements
Importantly, while AB 713 exempts HIPAA de-identified information from the definition of personal information under CCPA, the bill still requires businesses that sell or disclose de-identified health information to provide a consumer-facing notice (website privacy policy) outlining whether the business: (1) sells or discloses de-identified information; and (2) used the HIPAA safe harbor or expert determination method to create the de-identified data set.

Reevaluating De-Identification Methods
As drafted, CCPA expressly allows use of either the HIPAA safe harbor or expert determination method to create de-identified data. We have seen an industry shift toward preference for the expert determination method, particularly when dealing with complex data sharing initiatives. AB 713 will likely hasten this industry preference because operationalizing CCPA’s de-identification requirements may be difficult using the safe harbor method. For example, under the expanded consumer notice requirement, businesses will need to disclose publically their de-identification methods. The expanded consumer notice requirement may heat up the debate regarding the reliability of the safe harbor method.

Going forward, businesses should request inclusion of CCPA de-identification standards in expert determination documentation in order to meet both CCPA and HIPAA de-identification obligations. In addition, entities that wish to take advantage of the de-identification exemption should consider what website privacy policy and notice of privacy practices updates are appropriate.

Licensing De-Identified Data
Under AB 713, beginning January 1, 2021, a contract for the sale or license of de-identified information must include the following:

1. A statement that the de-identified information being sold or licensed includes de-identified patient information;
2. A statement that re-identification, and attempted re-identification, of the de-identified information by the purchaser or licensee of the information is prohibited pursuant to the CCPA; and
3. A requirement that, unless otherwise required by law, the purchaser or licensee of the de-identified information may not further disclose the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

We generally advise that standard technology transfer license agreements are not always appropriate for data licensing, and AB 713 confirms that data licensing requires special contracting attention. Businesses looking to continue or begin licensing de-identified data originating from California consumers should update existing data license templates. Entities engaged in research should also analyze whether sponsor and collaborator agreements require modifications.

Research and Business Associate Exemptions
AB 713 also expands the CCPA exemption for research to personal information collected, used, or disclosed for research (as defined by HIPAA) carried out in accordance with HIPAA, the Common Rule, international good clinical practice guidelines, or FDA human subject protection requirements (i.e., not just clinical trials).

AB 713 also creates an exemption for all business associates to the extent they use, maintain, or disclose health information in the same manner as protected health information under HIPAA. This business associate exemption offers expanded options for direct-to-consumer, discount card, aggregators, and other health and life science entities collecting health information in a setting not subject to HIPAA.

For more information regarding AB 713, how it may affect your business, or creating and licensing de-identified data, contact your Quarles & Brady attorney or:

• Meghan C. O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com