WORK WITH US
AB 713 – Creates A New Healthcare-Related Exemption From The California Consumer Privacy Act. (Urgency Bill Effective Immediately On September 25, 2020)
In 2018, California lawmakers passed the California Consumer Privacy Act (CCPA), giving California residents a number of consumer privacy rights, including the right to find out what personally-identifying information for-profit companies are collecting about them, to opt-out of having such information collected, and to have that information deleted.
The CCPA only applies to for-profit companies doing business in California, that: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more Californians; or (c) derives 50 percent or more of their annual revenues from selling California residents’ personal information.
Although public agencies are not required to comply with the CCPA, when contracting with covered companies public agencies should ensure that the obligations and risks of the CCPA rest squarely with the for-profit company. Specifically, where a public entity contracts with a for-profit company and that company will be collecting information relating to the public agency, make sure to include contractual provisions that require the for-profit company to comply with all applicable privacy laws, including the CCPA.
We also recommend tracking changes in this area of law, to help in understanding what may be expected of vendors. For example, AB 713 creates a new healthcare-related exemption from certain requirements in the CCPA out of concerns that the CCPA was adversely impacting health care research and operations. Under the new exemption, information is not subject to the CCPA if it meets both of the following requirements in Civil Code Section 1798.146(4):
The information is de-identified in accordance with the de-identification requirements in the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as set forth in 45 C.F.R. § 164.514; and
The information is “derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by” HIPAA, California’s Confidentiality of Medical Information Act (CMIA), or the Federal Policy for the Protection of Human Subjects, often referred to as the Common Rule.
This new de-identification exemption is in addition to, and separate from, the CCPA’s current language which also excludes from its scope certain de-identified information, though the definition for de-identification is different in the CCPA than it is in the HIPPA. Thus, AB 713 now provides an alternative basis to argue that patient information that has been de-identified for HIPAA purposes is also exempt from the CCPA.
The new de-identification exemption is subject to conditions. For example, AB 713 prohibits re-identification, except for specific purposes such as treatment or billing purposes. The bill also requires that contracts for the sale or license of de-identified patient information include specific provisions prohibiting the purchaser or recipient from re-identifying the information and limiting re-disclosure of the information to third parties.
AB 713 also highlights that public agencies need to keep an eye on developments in privacy laws, as this is a continually changing area of law. For example, AB 713 was passed as urgency legislation (which allowed it to go into effect immediately upon the Governor’s signature) in response to concerns about Proposition 24, an initiative on this November’s ballot. If passed, Proposition 24 will create the California Privacy Rights and Enforcement Act (CPREA) to replace the CCPA. Supporters of the proposition say that the CPREA will give consumers even more control over their personal data and make it harder for the Legislature to change privacy laws. Accordingly, AB 713 was preemptively passed in an attempt to preserve exemptions for medical information, just in case Proposition 24 impacts the CCPA’s pre-existing exemptions for de-identified information.
All of this potential change highlights that public agencies need to be on high alert for amendments, changes, and modifications to the CCPA and other California privacy laws, to ensure that they or their vendors are in compliance with this continually evolving area of the law.
(AB 713 amends Section 1793.130 of the Civil Code and adds Sections 1798.146 and 1798.148 to the Civil Code.)